https://live.paloaltonetworks.com/t5/general-topics/ipsec-vpn-ecmp-issue/m-p/153880#M50743 <P>Unfortunaltely not, and it seems that I have the same issue with GlobalProtect.</P><P>&nbsp;</P><P>I have one tunnel with static IP, and I did a workeranoud - putted static route to this particular IP.</P><P>In case of other tunnels, I putted also static routes as a temporary solution.</P><P>But of course it's not what I want to have.</P><P>&nbsp;</P><P>Any ideas how to exactply configure PBR?</P><P>&nbsp;</P><P>I tried with:</P><P>Zone Internet, Source IP 2.2.2.2 forwarded to e1/4 - but it doesn't work....</P><P>&nbsp;</P><P>Cheers,</P><P>Przemek</P> Mon, 24 Apr 2017 16:31:40 GMT PrzemyslawCiborowski 2017-04-24T16:31:40Z https://live.paloaltonetworks.com/t5/general-topics/ipsec-vpn-ecmp-issue/m-p/153853#M50737 <P>Dear Collegues,</P><P>&nbsp;</P><P>Let imagine the following situation:</P><P>&nbsp;</P><P>PA Firewall connected to two ISP, e1/1 - 1.1.1.1 and e1/4 - 2.2.2.2.</P><P>Default virtual router with ECMP configured with weights e1/1-50 and e1/4-50.</P><P>&nbsp;</P><P>IPSEC tunnel configured to the remote site, IKE Gateway configured on interface e1/4.</P><P>&nbsp;</P><P>Tunnel is green, everything seems to be fine... but:</P><P>I see around 50% packets lost.</P><P>During troubleshooting I see that half of the ESP packets goes via e1/1 and other half via e1/4.</P><P>Pacekts which goes via e1/1 has IP address of e1/4 (2.2.2.2) and are lost.</P><P>&nbsp;</P><P>I assume that I could use a PBF to resolve this issue, am I right?</P><P>&nbsp;</P><P>Best,</P><P>Przemek</P> Mon, 24 Apr 2017 15:04:22 GMT https://live.paloaltonetworks.com/t5/general-topics/ipsec-vpn-ecmp-issue/m-p/153853#M50737 PrzemyslawCiborowski 2017-04-24T15:04:22Z https://live.paloaltonetworks.com/t5/general-topics/ipsec-vpn-ecmp-issue/m-p/153876#M50740 <P>Yup,</P><P>PBF is going to be the best way to actually resolve this. I imagine that the remote site has a static IP?</P> Mon, 24 Apr 2017 16:05:46 GMT https://live.paloaltonetworks.com/t5/general-topics/ipsec-vpn-ecmp-issue/m-p/153876#M50740 BPry 2017-04-24T16:05:46Z https://live.paloaltonetworks.com/t5/general-topics/ipsec-vpn-ecmp-issue/m-p/153880#M50743 <P>Unfortunaltely not, and it seems that I have the same issue with GlobalProtect.</P><P>&nbsp;</P><P>I have one tunnel with static IP, and I did a workeranoud - putted static route to this particular IP.</P><P>In case of other tunnels, I putted also static routes as a temporary solution.</P><P>But of course it's not what I want to have.</P><P>&nbsp;</P><P>Any ideas how to exactply configure PBR?</P><P>&nbsp;</P><P>I tried with:</P><P>Zone Internet, Source IP 2.2.2.2 forwarded to e1/4 - but it doesn't work....</P><P>&nbsp;</P><P>Cheers,</P><P>Przemek</P> Mon, 24 Apr 2017 16:31:40 GMT https://live.paloaltonetworks.com/t5/general-topics/ipsec-vpn-ecmp-issue/m-p/153880#M50743 PrzemyslawCiborowski 2017-04-24T16:31:40Z https://live.paloaltonetworks.com/t5/general-topics/ipsec-vpn-ecmp-issue/m-p/154000#M50785 <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Drawing1.png" style="width: 800px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/8925iD2F1BB73914B2B06/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="Drawing1.png" alt="Drawing1.png" /></span></P><P>&nbsp;</P><P>I enclosed a drawing to make it more clear.</P><P>On IKE GW local interface is configured to e1/4 - so all IKE1 traffic goes well (green line).</P><P>Unfortunately ESP packets are load balanced and goes via e1/1 and e1/4 (orange lines).</P><P>&nbsp;</P><P>What I have to do is to force PA to send ESP packets via e1/4 interface.</P><P>ESP packets always have correct IP source address (2.2.2.2) only issue is that half of it goes via e1/1 interface.</P><P>&nbsp;</P><P>Thank you in advance for your help.</P><P>&nbsp;</P><P>Cheers,</P><P>Przemek</P> Tue, 25 Apr 2017 08:56:21 GMT https://live.paloaltonetworks.com/t5/general-topics/ipsec-vpn-ecmp-issue/m-p/154000#M50785 PrzemyslawCiborowski 2017-04-25T08:56:21Z https://live.paloaltonetworks.com/t5/general-topics/ipsec-vpn-ecmp-issue/m-p/166526#M53348 <P>Hi,</P><P>&nbsp;</P><P>Traffic generated on the firewall, like in this case doesn't work with the PBR.</P><P>I fiexed the problem by configuring two Virtual Routers - each one for a provider.</P><P>Then instead of ECMP I configured a load sharing with redundancy (for internet traffic, not for the vpn tunnels).</P><P>&nbsp;</P><P>Best,</P><P>Przemek.</P> Fri, 14 Jul 2017 13:10:17 GMT https://live.paloaltonetworks.com/t5/general-topics/ipsec-vpn-ecmp-issue/m-p/166526#M53348 PrzemyslawCiborowski 2017-07-14T13:10:17Z