- Access exclusive content
- Connect with peers
- Share your expertise
- Find support resources
Enhanced Security Measures in Place: To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.
02-23-2021 06:26 PM - edited 02-23-2021 06:26 PM
Hi All,
We have dual ISP setup, and to load-balance the traffic we are using ECMP with static routes, and it works fine for the internet bound connections and traffic gets load-balanced.
We however face issues with connection to our VPN servers in the DMZ. They are used by remote users to create a RA-VPN tunnel with the VPN servers from internet. The users have to try atleast 4-5 times before they get a successful connection with the VPN servers. We suspect it is because the VPN server have a public IP published on internet, which is a ISP2 public range. The return packet is getting load balanced too , towards ISP1 and cause assymmetric routing and ISP2 doesnt like it.
Is there a way to ensure the return packet goes through ISP2 only? We ahve tried PBF but doesnt seem to work. We ahve also enabled symmetric return option in ECMP, and confused why it doesn't seem to work.
We have a TAC case open, but no engineer has any idea or shown any willingness to go deeper.
Below is the topology.
02-23-2021 08:45 PM
Do you actually have logs showing return traffic is attempting to route via ISP1 instead of ISP2 with symmetric return enabled? If so, then that's all TAC should need to actually start digging into the issue and making sure you have it configured correctly, that it's being identified as server to client return traffic, ect. Usually issues like this is because it's not being identified as server to client traffic properly like it should, or that it's simply been misconfigured.
Also just to throw it out there, have you checked the release notes for 9.1 and verified that you aren't hitting any of the ECMP issues addressed in later releases? I know that there's been a few addressed issues in later builds related to ECMP, and 9.1.3 is pretty early in the 9.1 release.
02-23-2021 09:54 PM - last edited on 12-01-2021 04:23 PM by jdelio
Hello @VarunRao
For more information. See
1. How to Configure Symmetric Return - https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClF5CAK
2. How to Implement ECMP - https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClF8CAK
02-24-2021 02:30 PM
Hi,
The configuration for ECMP was all fine and TAC did take captures, where we did see issues caused by ecmp, it tried to sdn reply packets through the load-balancing. TAC although doesn't know why it is happening. Still under investigation.
We are using version 9.0.11.
11-23-2021 05:40 AM - last edited on 12-01-2021 04:22 PM by jdelio
The configuration for ECMP was all fine and TAC did take captures, where we did see issues caused by ecmp, it tried to sdn reply packets through the load-balancing. TAC although doesn't know why it is happening. Still under investigation
We are using version 9.0.11.
04-26-2023 04:21 PM
Hi there. Was there ever a resolution to this? We are seeing this behavior with many applications, especially ones that are setting cookies. Some vendors we had to inform of the 2nd ISP subnet range to make sure that traffic is being allowed. Please let me know.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!