topic Re: Symmetric return with ECMP not working in General Topics

Symmetric return with ECMP not working

VarunRao — Wed, 24 Feb 2021 02:26:51 GMT

Hi All,

We have dual ISP setup, and to load-balance the traffic we are using ECMP with static routes, and it works fine for the internet bound connections and traffic gets load-balanced.

We however face issues with connection to our VPN servers in the DMZ. They are used by remote users to create a RA-VPN tunnel with the VPN servers from internet. The users have to try atleast 4-5 times before they get a successful connection with the VPN servers. We suspect it is because the VPN server have a public IP published on internet, which is a ISP2 public range. The return packet is getting load balanced too , towards ISP1 and cause assymmetric routing and ISP2 doesnt like it.

Is there a way to ensure the return packet goes through ISP2 only? We ahve tried PBF but doesnt seem to work. We ahve also enabled symmetric return option in ECMP, and confused why it doesn't seem to work.

We have a TAC case open, but no engineer has any idea or shown any willingness to go deeper.

Below is the topology.

Re: Symmetric return with ECMP not working

BPry — Wed, 24 Feb 2021 04:45:48 GMT

@VarunRao,

Do you actually have logs showing return traffic is attempting to route via ISP1 instead of ISP2 with symmetric return enabled? If so, then that's all TAC should need to actually start digging into the issue and making sure you have it configured correctly, that it's being identified as server to client return traffic, ect. Usually issues like this is because it's not being identified as server to client traffic properly like it should, or that it's simply been misconfigured.

Also just to throw it out there, have you checked the release notes for 9.1 and verified that you aren't hitting any of the ECMP issues addressed in later releases? I know that there's been a few addressed issues in later builds related to ECMP, and 9.1.3 is pretty early in the 9.1 release.

Re: Symmetric return with ECMP not working

domtack — Thu, 02 Dec 2021 00:23:47 GMT

Hello @VarunRao
For more information. See
1. How to Configure Symmetric Return - https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClF5CAK
2. How to Implement ECMP - https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClF8CAK

Re: Symmetric return with ECMP not working

VarunRao — Wed, 24 Feb 2021 22:30:17 GMT

Hi,

The configuration for ECMP was all fine and TAC did take captures, where we did see issues caused by ecmp, it tried to sdn reply packets through the load-balancing. TAC although doesn't know why it is happening. Still under investigation.

We are using version 9.0.11.

Re: Symmetric return with ECMP not working

ciana_lenevy — Thu, 02 Dec 2021 00:22:47 GMT

We are using version 9.0.11.

Re: Symmetric return with ECMP not working

BradBieth — Wed, 26 Apr 2023 23:21:16 GMT

Hi there. Was there ever a resolution to this? We are seeing this behavior with many applications, especially ones that are setting cookies. Some vendors we had to inform of the 2nd ISP subnet range to make sure that traffic is being allowed. Please let me know.