topic Re: an issue occure with asymmetric route in General Topics

an issue occure with asymmetric route

black1983 — Mon, 10 Feb 2020 11:58:26 GMT

HI;

I have PaloAlto FW and I have 3 ISPs and I'm using default route ( statically ) with this value ISP1 distance 5 ( Interface X), ISP2 distance 9 and ISP3 distance 15 ( Interface Y) and I've server with NAT IP using ISP3 subnet.

the server is reachable from global internet but the users who are using ISP3 they are unable to reach it after some tshoot we have done using trace route we found the following.

what is the issue ?

NOTE:

we cant apply the following

1- PBF

2- we can't update route table statically for each user

Trace route from NATed server using ISP3 subnet toward user using ISP3 :

Server --> Palo Alto outside interface(X)--> ISP1 -->ISP3--> ISP3 USER

Trace route from user using ISP3 toward NATed server using ISP3 subnet :

USER-->ISP3 --> WAN Router--> Palo Alto outside interface(Y)--> drop

Trace route from NATed server using ISP3 subnet toward global Internet :

Server --> Palo Alto outside interface(X)--> ISP1 --> Global Internet --> 8.8.8.8 (example)

Trace route from global user toward NATed server using ISP3:

Global User --> Global Internet --> ISP3--> reach to NATed server

Re: an issue occure with asymmetric route

SutareMayur — Tue, 11 Feb 2020 02:26:24 GMT

@black1983Hi, can you please check if traffic coming on public IP of ISP3 is coming on correct interface of firewall and doing proper NAT ?

Please check same using test security-policy and test NAT commands through cli.

Hope this helps !

Mayur

Re: an issue occure with asymmetric route

black1983 — Tue, 11 Feb 2020 11:16:21 GMT

yes the incoming traffic comes thru correct interface (Y) whatever the source is local ISP3 or Global internet users but the different is global users thy can browse it and their traffic goes out thru ISP1 interface (X) ( asymmetrically ) !! and ISP3 users can't browse it since the FW is dropping the packet ..

So, why do global users can browse it with asymmetric routes while local ISP3 users can't do it ?

Re: an issue occure with asymmetric route

rmfalconer — Tue, 11 Feb 2020 15:59:54 GMT

Can you explain what you mean by different distance for each route? Do you mean administrative distance?

Re: an issue occure with asymmetric route

SutareMayur — Wed, 12 Feb 2020 03:06:26 GMT

@black1983

Is it possible for your to explain it with the help of diagram ? Wanted to understand topology properly.

-Mayur