https://live.paloaltonetworks.com/t5/general-topics/monitoring-profile-troubles-dual-isp/m-p/8953#M41280 <HTML><HEAD></HEAD><BODY><P>Any new info on this one?</P></BODY></HTML> Tue, 28 Jul 2015 18:06:50 GMT treese 2015-07-28T18:06:50Z https://live.paloaltonetworks.com/t5/general-topics/monitoring-profile-troubles-dual-isp/m-p/8952#M41279 <HTML><HEAD></HEAD><BODY><P>I got a TAC with PA opened for this one but wanted to ask the community if you've experience this one.&nbsp; The problem is when the PBF kicks in (disabled primary circuit) the primary circuit traffic immediately fails over to the backup ISP.&nbsp; I've adjusted the fail-over monitoring profile interval's and the threshold but neither seem to have an affect.&nbsp; Its basically working like a floating static route which I'm wanting to avoid.&nbsp; The plan is when the primary circuit is unavailable to wait and fail-over at a specified time - 100 sec interval would be fine.&nbsp; This is how I understand it:</P><P>"A monitoring profile allows the user to specify the threshold number of heartbeats to determine whether the IP address is reachable" then take the action specified - wait to recover or fail-over.</P><P></P><P>Anything I'm missing or suggestions?</P><P></P><P>Thank you,</P></BODY></HTML> Fri, 24 Apr 2015 20:05:35 GMT https://live.paloaltonetworks.com/t5/general-topics/monitoring-profile-troubles-dual-isp/m-p/8952#M41279 treese 2015-04-24T20:05:35Z https://live.paloaltonetworks.com/t5/general-topics/monitoring-profile-troubles-dual-isp/m-p/8953#M41280 <HTML><HEAD></HEAD><BODY><P>Any new info on this one?</P></BODY></HTML> Tue, 28 Jul 2015 18:06:50 GMT https://live.paloaltonetworks.com/t5/general-topics/monitoring-profile-troubles-dual-isp/m-p/8953#M41280 treese 2015-07-28T18:06:50Z https://live.paloaltonetworks.com/t5/general-topics/monitoring-profile-troubles-dual-isp/m-p/72959#M41285 <P>How are you doing the failover testing? Are you pulling the link or killing the interface on the connected switch? If that's how you're testing, the failover will be immediate because the link is effectively dead. There's no hold timer because the routes are immediately removed from the route table.</P> <P>&nbsp;</P> <P>If you're monitoriting a remote IP, try denying that IP with an upstream firewall or ACL, or by blocking your primary ISPs public interface address from your monitor server. This should induce the failure in a way that would mimic an outage on the ISP side without actually updating the route table immediately.</P> <P>&nbsp;</P> <P>If you are already doing it the 2nd way above, then I would expect it to work using the hold timer you've configured. Anything other than that would probably be best troubleshot with a support case. You can also take a look at your routing tables with "show routing route" on the firewall's CLI.</P> <P>&nbsp;</P> <P>Cheers,</P> <P>Greg</P> Wed, 17 Feb 2016 05:18:48 GMT https://live.paloaltonetworks.com/t5/general-topics/monitoring-profile-troubles-dual-isp/m-p/72959#M41285 gwesson 2016-02-17T05:18:48Z