routing between 2 virtual router

gilles007 — Sun, 09 Feb 2020 12:24:12 GMT

hello,

i have a setup like the image below.

my goal is to allow internet throught interfaces 3 and 4 (i have a virtual router with these 2 interfaces, vr_l3) : this is working

i have an IPSEC tunnel on interface 1 (with another virtual router, vr1) to route 172.22.0.0/20 : this is working

i have a dhcp server on interface 3

if i put a route directly on the workstation, this is working (route add 172.22.0.0 mask 255.255.240.0 172.22.54.245)

next i would like to have the firewall doing this

1/ first i tried to make a static route in vr_l3 to 172.22.54.245

strangely, i have ping which is working but web-browsing is not

2/ secondly, i tried to route to the next vr, vr1

but i have nothing working

3/ third, i try to put a static route in dhcp server

option 249, 14AC16AC1636F5

but this is working on a PA220 and not on a PA200 7.0.19 : i can't obtain an ip address when option 249 is set

i don't think it's a policy problem because i currently have a any-any rule to allow traffic

Re: routing between 2 virtual router

JoergSchuetter — Sun, 09 Feb 2020 13:15:41 GMT

If ping is working, but everything else doesn't, then it's very likely that you have asynchronous routing. Ping request is sent via the firewall, but the reply is taking a different path (bypassing the firewall).

Re: routing between 2 virtual router

gilles007 — Sun, 09 Feb 2020 14:25:59 GMT

yes, this command :

set deviceconfig setting tcp asymmetric-path bypass

did the trick

but what will be the aftermath ?

topic Re: routing between 2 virtual router in General Topics

routing between 2 virtual router

Re: routing between 2 virtual router

Re: routing between 2 virtual router