topic Re: Policy Based Forwarding (PBF) problem in General Topics

Policy Based Forwarding (PBF) problem

LCMember2683 — Mon, 14 Nov 2011 13:25:41 GMT

I’ve got problem with policy based forwarding. I have 2 ISP - traffic to the 1st ISP is forwarded by pbf, to the 2nd – via default route. PBF rule monitors the remote target’s IP and availability of nexthop address. My question is: how the pbf is checking availability of the nexthop address. I have sniffer open on nexthop address host but I can’t find any specific traffic.

In the system log I’ve got many entries like this: “Vsys 1 PBF rule pbf nexthop is DOWN”. How can I debug this ?

While the pbf status is DOWN I can ping nexthop address from adjacent interface of Palo Alto.

Re: Policy Based Forwarding (PBF) problem

dburns — Wed, 16 Nov 2011 17:52:52 GMT

Should ping from the ISP A interface to the remote network. Are you monitoring the next hop? Also verify that you do not see any drops in the traffic logs for the IP you are monitoring. (denyall may drop this traffic).

Dominic

Re: Policy Based Forwarding (PBF) problem

disti_sarajevo — Thu, 05 Apr 2012 11:01:18 GMT

I have the same problem.

The PBF rule status says that the NextHop is Down but I'm sure it's up and I can ping it via source ping from the device.

Did someone manage to solve this issue?

Re: Policy Based Forwarding (PBF) problem

disti_sarajevo — Fri, 06 Apr 2012 11:21:30 GMT

It look's like this issue is software related.

After updating to software version 4.1.4. everything worked fine.

Re: Policy Based Forwarding (PBF) problem

amansour — Wed, 16 Jan 2013 01:32:30 GMT

I have the same problem. I have a deny all at the bottom of the security rule but Untrust to Untrust. The PBF next hop says it's down and the rule disables the route but the next hop is up. I am on 5.0.1 and this still occurs frequently, every few hours. DOES ANYONE KNOW HOW PBF CHECKS THE NEXT HOP AND WHY IT SAYS DOWN WHEN IT"S UP??

Re: Policy Based Forwarding (PBF) problem

amansour — Wed, 16 Jan 2013 16:10:49 GMT

Can anyone from PAN comment this has been recurring for a few days. I have opened tickets but we and haven't got to a root cause. How does the Egress monitor the next hop as up? Would a static ARP help? There is no pings in packet capture, how does it know this is up or down? It's up but shows down. Does it not come back up after it goes down?

Re: Policy Based Forwarding (PBF) problem

amansour — Thu, 17 Jan 2013 15:27:45 GMT

Hi All; Finally figured out what it is. So the PBF rule does monitor from the Egress interface configured in the Rule. It will come back up if the next hop is up. The monitor uses PING. My problem was that I was trying to fully mesh active-passive firewalls and connected hubs to both uplinks to from the firewalls to a single uplink for the ISP that was having the problem. When I directly connect the ISP directly to the PAN device the pings stay normal. Time to replace some hubs.

Re: Policy Based Forwarding (PBF) problem

amansour — Thu, 17 Jan 2013 23:29:59 GMT

You also want to put on "Enforce Symmetric Return" IF you are running dual IPSec tunnels over the PBF the return traffic has to go out the interface it came in on, or the tunnel will stay up but renegotiate constantly.