https://live.paloaltonetworks.com/t5/general-topics/ecmp-3-internet-links-outgoing-traffic/m-p/241011#M69052 <P>Hello.... we have 2 in HA... we deal with just 1... the active one...</P> Fri, 23 Nov 2018 17:14:20 GMT FabioGarcia 2018-11-23T17:14:20Z https://live.paloaltonetworks.com/t5/general-topics/ecmp-3-internet-links-outgoing-traffic/m-p/240284#M68867 <P>Hello friends!</P><P>&nbsp;</P><P>We have now 3 ISPs, we started to use load balancing (all methoeds tested);</P><P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="ScreenShot293.jpg" style="width: 800px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/17575i01B187F14B4DF6A7/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="ScreenShot293.jpg" alt="ScreenShot293.jpg" /></span></P><P>&nbsp;</P><P><STRONG>Problem</STRONG>: Sometimes, packets from PA220, interface 1/4 (ISP 1),&nbsp; goes out to internet thru interface 1/5 (ISP 2).</P><P>User's traffic with no problem.. But PA220 internet traffic (VPN establishment for example) is inconsistent.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="ScreenShot294.jpg" style="width: 800px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/17576iB24751FBB2732080/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="ScreenShot294.jpg" alt="ScreenShot294.jpg" /></span></P><P>&nbsp;</P><P>&nbsp;</P><P><STRONG>PA220 VPN initial IKE traffic example</STRONG></P><P><FONT color="#0000FF"><STRONG>VPN Gateway A</STRONG></FONT></P><P><FONT color="#0000FF">PA220 IP a.a.a.a (int 1/4)&nbsp; &gt;&gt;&gt; peer IP b.b.b.b</FONT></P><P>&nbsp;</P><P><STRONG>At monitor &gt; traffic we see</STRONG></P><P><STRONG><FONT color="#339966">IP a.a.a.a (int 1/4) going thru int 1/5</FONT></STRONG></P><P><STRONG><FONT color="#FF0000">VPN doesnt establish</FONT></STRONG></P><P>&nbsp;</P><P><STRONG>Scenario as per below:</STRONG></P><P>"VR-LAN" for LAN (lan interface + tunnel intrefaces)</P><P>"VR-WAN" for Internet links (all default routes with same cost)</P><P>&nbsp;</P><P>&nbsp;</P><P><STRONG><U>Is there a way to internet traffic from PA220 be out of that load balacing ?</U></STRONG></P> Mon, 19 Nov 2018 10:47:33 GMT https://live.paloaltonetworks.com/t5/general-topics/ecmp-3-internet-links-outgoing-traffic/m-p/240284#M68867 FabioGarcia 2018-11-19T10:47:33Z https://live.paloaltonetworks.com/t5/general-topics/ecmp-3-internet-links-outgoing-traffic/m-p/240717#M68947 <P>Your diagram has 2 firewalls but you're referencing specific interfaces in different firewalls.&nbsp; Can you explain a bit more how it's cabled up?</P> Wed, 21 Nov 2018 13:20:48 GMT https://live.paloaltonetworks.com/t5/general-topics/ecmp-3-internet-links-outgoing-traffic/m-p/240717#M68947 Brandon_Wertz 2018-11-21T13:20:48Z https://live.paloaltonetworks.com/t5/general-topics/ecmp-3-internet-links-outgoing-traffic/m-p/241011#M69052 <P>Hello.... we have 2 in HA... we deal with just 1... the active one...</P> Fri, 23 Nov 2018 17:14:20 GMT https://live.paloaltonetworks.com/t5/general-topics/ecmp-3-internet-links-outgoing-traffic/m-p/241011#M69052 FabioGarcia 2018-11-23T17:14:20Z https://live.paloaltonetworks.com/t5/general-topics/ecmp-3-internet-links-outgoing-traffic/m-p/242020#M69277 <P>Just setup a static route to the public IP on the endpoint for the VPN, via 1 of the 3 interfaces.</P><P>This way the VPN wil always go out via this specific route instead of randomly (as dictated via ECMP)</P><P>For redundancy you could setup multiple tunnels and have routing figure out the best path, but that would only work when the other side has a PaloAlto as well (or a Juniper SRX/SSG).</P><P>&nbsp;</P> Tue, 04 Dec 2018 11:20:38 GMT https://live.paloaltonetworks.com/t5/general-topics/ecmp-3-internet-links-outgoing-traffic/m-p/242020#M69277 bigfloor 2018-12-04T11:20:38Z https://live.paloaltonetworks.com/t5/general-topics/ecmp-3-internet-links-outgoing-traffic/m-p/242754#M69423 <P>hello thanks for the reply... but the VPN doesnt establish very well..... because of the worng behavior at public interface...&nbsp;</P><P>INT 1/4 public IP is 200.200.200.2... gateway is&nbsp;200.200.200.1<BR /><BR />But that traffic from 1/4 (200.200.200.2) is going thru 1/5.... (NATed to 1/5 IP) and then VPN doesnt establish (the other side expect 200.200.200.2.... )</P><P>&nbsp;</P><P>that is the main problem...&nbsp;</P> Mon, 10 Dec 2018 19:47:42 GMT https://live.paloaltonetworks.com/t5/general-topics/ecmp-3-internet-links-outgoing-traffic/m-p/242754#M69423 FabioGarcia 2018-12-10T19:47:42Z https://live.paloaltonetworks.com/t5/general-topics/ecmp-3-internet-links-outgoing-traffic/m-p/242901#M69465 <P>Hi,</P><P>&nbsp;</P><P>I think you missed my point.</P><P>You have 3 equal cost paths, making the FW semi-randomly choosing the path to the VPN endpoint Public IP.</P><P>By entering a single new route, just for the Public IP of the VPN Endpoint, to go out over only 1 of the interfaces, then you would have a consistend outgoing public IP. And when the return traffic comes in, it would follow the same route in reverse</P><P>&nbsp;</P><P>Regards</P><P>Florian</P><P>&nbsp;</P> Tue, 11 Dec 2018 21:56:40 GMT https://live.paloaltonetworks.com/t5/general-topics/ecmp-3-internet-links-outgoing-traffic/m-p/242901#M69465 bigfloor 2018-12-11T21:56:40Z