ECMP + 3 Internet links + Outgoing traffic

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

ECMP + 3 Internet links + Outgoing traffic

L3 Networker

Hello friends!

 

We have now 3 ISPs, we started to use load balancing (all methoeds tested);

ScreenShot293.jpg

 

Problem: Sometimes, packets from PA220, interface 1/4 (ISP 1),  goes out to internet thru interface 1/5 (ISP 2).

User's traffic with no problem.. But PA220 internet traffic (VPN establishment for example) is inconsistent.

ScreenShot294.jpg

 

 

PA220 VPN initial IKE traffic example

VPN Gateway A

PA220 IP a.a.a.a (int 1/4)  >>> peer IP b.b.b.b

 

At monitor > traffic we see

IP a.a.a.a (int 1/4) going thru int 1/5

VPN doesnt establish

 

Scenario as per below:

"VR-LAN" for LAN (lan interface + tunnel intrefaces)

"VR-WAN" for Internet links (all default routes with same cost)

 

 

Is there a way to internet traffic from PA220 be out of that load balacing ?

5 REPLIES 5

L6 Presenter

Your diagram has 2 firewalls but you're referencing specific interfaces in different firewalls.  Can you explain a bit more how it's cabled up?

Hello.... we have 2 in HA... we deal with just 1... the active one...

Just setup a static route to the public IP on the endpoint for the VPN, via 1 of the 3 interfaces.

This way the VPN wil always go out via this specific route instead of randomly (as dictated via ECMP)

For redundancy you could setup multiple tunnels and have routing figure out the best path, but that would only work when the other side has a PaloAlto as well (or a Juniper SRX/SSG).

 

hello thanks for the reply... but the VPN doesnt establish very well..... because of the worng behavior at public interface... 

INT 1/4 public IP is 200.200.200.2... gateway is 200.200.200.1

But that traffic from 1/4 (200.200.200.2) is going thru 1/5.... (NATed to 1/5 IP) and then VPN doesnt establish (the other side expect 200.200.200.2.... )

 

that is the main problem... 

Hi,

 

I think you missed my point.

You have 3 equal cost paths, making the FW semi-randomly choosing the path to the VPN endpoint Public IP.

By entering a single new route, just for the Public IP of the VPN Endpoint, to go out over only 1 of the interfaces, then you would have a consistend outgoing public IP. And when the return traffic comes in, it would follow the same route in reverse

 

Regards

Florian

 

  • 3647 Views
  • 5 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!