topic Re: Interface mgmt services (ping,ssh,https,etc..) have no response in WAN2 if the default route is WAN1 in General Topics

Interface mgmt services (ping,ssh,https,etc..) have no response in WAN2 if the default route is WAN1

paloalto.netfos — Mon, 13 Jan 2014 12:02:00 GMT

:Hi, all,

Suppose I have a following simple network architecture :

- WAN1 : 1.1.1.1/24 (GW: 1.1.1.254)

- WAN2 : 2.2.2.2/24 (GW: 2.2.2.254)

- Default Route : 1.1.1.254

In WAN1, all the interface mgmt services are workable, I can connect it from a internet address, I also can ping any internet address by orginating source address from 1.1.1.1.

But all above situations are unworkable in WAN2, even I configure a PBF rule as :

- source zone : WAN2

- source address : 2.2.2.2

- destination address and service : any

- action : forwarding to 2.2.2.254

Why? and how can I resolve it? is there any workaround?

Thanks a lot,

Sample

Re: Interface mgmt services (ping,ssh,https,etc..) have no response in WAN2 if the default route is WAN1

Retired Member — Mon, 13 Jan 2014 13:22:07 GMT

if you cerate another VR for WAN2 it will work (management services)give default gw 2.2.2.2254 for that VR

I tried that before just fixed it with another VR.

Re: Interface mgmt services (ping,ssh,https,etc..) have no response in WAN2 if the default route is WAN1

craymond — Mon, 13 Jan 2014 22:17:29 GMT

You can follow this DOC for configuration:

PAN-OS 3.1 ISP Redundancy Using Policy Based Forwarding

Re: Interface mgmt services (ping,ssh,https,etc..) have no response in WAN2 if the default route is WAN1

paloalto.netfos — Tue, 14 Jan 2014 03:04:53 GMT

panos, thanks a lot, it's helpful idea.

Re: Interface mgmt services (ping,ssh,https,etc..) have no response in WAN2 if the default route is WAN1

paloalto.netfos — Tue, 14 Jan 2014 03:34:18 GMT

craymond, thanks a lot, ^_^

but my question isn't it, but it's a helpful document

Re: Interface mgmt services (ping,ssh,https,etc..) have no response in WAN2 if the default route is WAN1

pulukas — Tue, 14 Jan 2014 12:51:36 GMT

The reason this is happening is a routing issue. When coming in from the internet the reply packets will use the default route out of the firewall. In your case this is set to the primary interface. Even if you were to get two default routes active you would not necessarily be able to control which wan interface got the reply packets.

The separation into virtual routers overcomes this problem by giving each wan interface their own routing table and default route. So the reply will return out to the internet on the ingress interface.

For this solution you do need to make sure routing is setup between your two vr as you want to use the services. For this you may want to use policy based routing.

Re: Interface mgmt services (ping,ssh,https,etc..) have no response in WAN2 if the default route is WAN1

lucaspassos — Mon, 10 Mar 2014 17:05:31 GMT

I have the same problem. I think that this is a big problem and need to be resolved. Because, create two VR was make my administration and the troubleshooting more complex.