https://live.paloaltonetworks.com/t5/general-topics/nat-question/m-p/389659#M90639 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/156321">@stef</a> ,</P><P>&nbsp;</P><P>As it is showing the incomplete and you are facing problems to reach only the&nbsp; internet, you need to first verify the NAT configuration and check if Source NAT before going to ISP gateway is happening properly. Although the IPSEC is working fine through the circuit, re-verify the reverse path/routing config if it is clear. You need to have routes on the firewall to reach the backend hosts subnet who are sending the internet requests.</P> Mon, 08 Mar 2021 06:30:48 GMT SutareMayur 2021-03-08T06:30:48Z https://live.paloaltonetworks.com/t5/general-topics/nat-question/m-p/389568#M90631 <P>Hello all,</P><P>we have configuration with dual ISP.</P><P>From the 1st provider we get public IP directly on the PA</P><P>2nd provider is with nat, i mean on PA we have private IP.</P><P>&nbsp;</P><P>When the route goes through the 1st one everything works fine.&nbsp;</P><P>When we switch to the 2nd one there is a problems . In the monitoring tab i can see all requests&nbsp; to Internet zone&nbsp; ends with "Incomplete, aged out".</P><P>Meanwhile we have IPSec's configured and they worked just fine from the both providers.&nbsp;</P><P>&nbsp;</P><P>Can someone suggest what can be the problem?</P><P>Thank you in advance!</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Sun, 07 Mar 2021 08:27:27 GMT https://live.paloaltonetworks.com/t5/general-topics/nat-question/m-p/389568#M90631 stef 2021-03-07T08:27:27Z https://live.paloaltonetworks.com/t5/general-topics/nat-question/m-p/389659#M90639 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/156321">@stef</a> ,</P><P>&nbsp;</P><P>As it is showing the incomplete and you are facing problems to reach only the&nbsp; internet, you need to first verify the NAT configuration and check if Source NAT before going to ISP gateway is happening properly. Although the IPSEC is working fine through the circuit, re-verify the reverse path/routing config if it is clear. You need to have routes on the firewall to reach the backend hosts subnet who are sending the internet requests.</P> Mon, 08 Mar 2021 06:30:48 GMT https://live.paloaltonetworks.com/t5/general-topics/nat-question/m-p/389659#M90639 SutareMayur 2021-03-08T06:30:48Z https://live.paloaltonetworks.com/t5/general-topics/nat-question/m-p/389872#M90656 <P>Hello,</P> <P>I agree this sounds like a routing/NAT issue. Are you using PBF for the fail over? Or are both ISP's live at the same time and routing traffic?</P> <P>&nbsp;</P> <P>Please advise,</P> Mon, 08 Mar 2021 22:14:01 GMT https://live.paloaltonetworks.com/t5/general-topics/nat-question/m-p/389872#M90656 OtakarKlier 2021-03-08T22:14:01Z https://live.paloaltonetworks.com/t5/general-topics/nat-question/m-p/389993#M90674 <P>Hello</P><P>I dont use PBF. They are both up.</P><P>I have default routes with different Metrics</P> Tue, 09 Mar 2021 13:54:09 GMT https://live.paloaltonetworks.com/t5/general-topics/nat-question/m-p/389993#M90674 stef 2021-03-09T13:54:09Z https://live.paloaltonetworks.com/t5/general-topics/nat-question/m-p/389999#M90676 <P>Just agreeing with everybody else really, it does sound like a NAT issue, I would make sure all routes and NAT's makes sense and then look further from there.</P> Tue, 09 Mar 2021 14:01:54 GMT https://live.paloaltonetworks.com/t5/general-topics/nat-question/m-p/389999#M90676 laurence64 2021-03-09T14:01:54Z https://live.paloaltonetworks.com/t5/general-topics/nat-question/m-p/391136#M90754 <P>Indeed it was routing issue.</P><P>I push the config from Panorama.</P><P>Nat policy changed to ISP2, but the default route remain the same because the Virtual router config was <SPAN>overwritten and the changes from panorama didnt applied . </SPAN></P><P>Thank you all for your responses!</P> Sun, 14 Mar 2021 14:37:08 GMT https://live.paloaltonetworks.com/t5/general-topics/nat-question/m-p/391136#M90754 stef 2021-03-14T14:37:08Z