topic Re: GP stops working when ecmp is enabled in General Topics

GP stops working when ecmp is enabled

Dijesh — Fri, 10 Nov 2023 17:03:03 GMT

We have Palo Alto firewall with three Internet links. One is a leased line and other two are ADSL links. I have configured ECMP on the two ADSL lines to load balance traffic on the two ADSL links. Global Protect is configured on the leased line. I have configured default route to all the three internet links in the firewall. I have configured the default route for leased line with AD and metric to be lower than that of the ADSL links, then the global protect works fine, however the ADSL links do not appear in the FIB and thereby traffic does not go through the ADSL links. If the default route for the ADSL links are configured with AD and metric lower than that of leased line, the ADSL links appear in the FIB and loadbalancing of traffic over ADSL links work fine, however the global protect does not work as the default route for leased line is not added to FIB.

Any suggestions so that the load balancing is done on the ADSL links and global protect works fine?

Re: GP stops working when ecmp is enabled

Raido_Rattameister — Fri, 10 Nov 2023 18:17:22 GMT

What is your ideal goal? Which links you want to use for Internet and which not?

Re: GP stops working when ecmp is enabled

Dijesh — Fri, 10 Nov 2023 18:48:31 GMT

Hi Raido,

leased line for global protect

Two adsl links for user internet

Thanks

Re: GP stops working when ecmp is enabled

Raido_Rattameister — Fri, 10 Nov 2023 19:20:33 GMT

Virtual router can only route based on destination IP.

Set up ADSL links with same AD and metric.

ECMP will load balance outgoing traffic over those links.

For GlobalProtect set up PBF

Policies > Policy Based Forwarding

Source zone - GlobalProtect

Destination IP - "Not RFC1918 IP"

Next hop - Leased line ISP IP

PBF policies are checked before virtual router.

If any of PBF policies match then traffic will be routed accordingly and virtual router won't be checked.

Re: GP stops working when ecmp is enabled

Dijesh — Fri, 10 Nov 2023 19:57:26 GMT

Hi Raido,

I have tried this pbr rule but it didn’t work:

source - leased line interface

destination - any

next hop - gateway of leased line isp

Isn’t it the same?

Thanks,

Re: GP stops working when ecmp is enabled

Raido_Rattameister — Fri, 10 Nov 2023 21:40:36 GMT

No it is not the same because GlobalProtect traffic is not coming from leased line interface but it is arriving into Palo from GlobalProtect zone.

Tunnel interface that is configured in GlobalProtect gateway config has dedicated zone assigned or are you using genera INSIDE zone for that?

Re: GP stops working when ecmp is enabled

Dijesh — Sat, 11 Nov 2023 03:27:46 GMT

Hi Raido,

In my case, the global protect agent is not getting connected

Thanks,

Re: GP stops working when ecmp is enabled

Raido_Rattameister — Sat, 11 Nov 2023 03:48:19 GMT

Probably because replies to incoming GlobalProtect connection attempts get response back from ADSL interface due routing preference.

No good solution.

I guess best is to set up dedicated virtual router for leased line.

Re: GP stops working when ecmp is enabled

TomYoung — Mon, 13 Nov 2023 00:30:12 GMT

Hi @Dijesh ,

Enable Symmetric Return for ECMP and GP should work fine. https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-web-interface-help/network/network-virtual-routers/ecmp/ecmp-settings

Your scenario is the reason the Symmetric Return option is there. We want the GP return packets to always go out the same interface they came in and not be load balanced.

Thanks,

Tom

Re: GP stops working when ecmp is enabled

Raido_Rattameister — Mon, 13 Nov 2023 03:35:14 GMT

Symmetric return overrides ECMP load balancing algorithm but it does not override fact that 0.0.0.0/0 route towards leased line does not exist in the forwarding table.

Default route towards leased line can't have same ad/metric because then outgoing traffic would also start using it.

Symmetric return would help only if all 3 ISP links (leased line and 2x ADSL) would have same AD and metric.

As goal is to load balance outgoing traffic out over both ADSL links (and not leased line) only feasible option is to place leased line interface into it's own virtual router.

Theoretically you could try to change load balance algorithm to "Weighted Round Robin", add all 3 ISP interfaces into the list, set both ADSL link weights to 255 and leased line weight to 1.
In this case only tiny amount of sessions would take outgoing path over leased line but it would not be completely zero. Benefit would be that all ISP links stay in same virtual router.

Re: GP stops working when ecmp is enabled

Dijesh — Mon, 13 Nov 2023 03:44:49 GMT

Hi Raido,

Thanks for your suggestions. Assigning the leased line to a separate virtual router fixed the issue.

Thanks,

Re: GP stops working when ecmp is enabled

TomYoung — Mon, 13 Nov 2023 10:18:20 GMT

Hi @Raido_Rattameister ,

Thanks for clarifying the design. I missed that part.

Hi @Dijesh ,

We are glad it is working! Please mark @Raido_Rattameister reply as the solution.

Tom