FW routing packets to internet vs internal

drewdown — Wed, 24 Mar 2021 17:51:45 GMT

I have a weird issue with a LAB interface/zone that when packets to a cloud IP that is reachable via the core it routes it to the internet vs the core. All other traffic is routed correctly but not this and I can't seem to figure out why. 10.100.2.1 is my core, 10.100.99.1 is the lab interface on the PAN which is part of VR1 (only virtual router configured). You can see in the trace it goes from the lab interface to the WAN/outside rather than the core even with a route configured. If I ping 172.24.4.76 from the FW using 10.100.99.1 as the source IP it works.

What could be causing this?

src: 10.49.1.62

dst: 172.24.4.76

VIRTUAL ROUTER: VR1 (id 1) ========== destination nexthop metric flags age interface next-AS 172.24.4.0/24 10.100.2.1 10 A S ae2

traceroute 172.24.4.76 traceroute to 172.24.4.76 (172.24.4.76), 30 hops max, 40 byte packets 1 10.49.1.1 (10.49.1.1) 0.950 ms 0.536 ms 0.565 ms 2 10.255.49.1 (10.255.49.1) 0.407 ms 0.783 ms 2.171 ms 3 10.100.99.1 (10.100.99.1) 0.542 ms 3.915 ms 2.626 ms 4 12.13.99.161 (12.13.99.161) 1.371 ms 3.335 ms 0.648 ms

Re: FW routing packets to internet vs internal

drewdown — Wed, 24 Mar 2021 18:34:52 GMT

I figured this out.

Co-worker had enabled PBR for ISP failover but did not include the cloud ip ranges in the destination IP ranges on that PBR rule so it was routing all of that out to the internet vs the core.

topic Re: FW routing packets to internet vs internal in General Topics

FW routing packets to internet vs internal

Re: FW routing packets to internet vs internal