IPSEC VPN ECMP - Issue


Dear Colleagues,

 

Let's imagine the following situation:

 

PA Firewall connected to two ISP, e1/1 - 1.1.1.1 and e1/4 - 2.2.2.2.

Default virtual router with ECMP configured with weights e1/1-50 and e1/4-50.

 

IPSEC tunnel configured to the remote site, IKE Gateway configured on interface e1/4.

 

Tunnel is green, everything seems to be fine... but:

I see around 50% packets lost.

During troubleshooting I see that half of the ESP packets go via e1/1 and the other half via e1/4.

Packets which go via e1/1 have the IP address of e1/4 (2.2.2.2) and are lost.

 

I assume that I could use a PBF to resolve this issue, am I right?

 

Best,

Przemek


Re: IPSEC VPN ECMP - Issue

Yup,

PBF is going to be the best way to actually resolve this. I imagine that the remote site has a static IP?

Re: IPSEC VPN ECMP - Issue

Unfortunately not, and it seems that I have the same issue with GlobalProtect.

 

I have one tunnel with static IP, and I did a workaround - put a static route to this particular IP.

In case of other tunnels, I also put static routes as a temporary solution.

But of course it's not what I want to have.

 

Any ideas how to exactly configure PBR?

 

I tried with:

Zone Internet, Source IP 2.2.2.2 forwarded to e1/4 - but it doesn't work....

 

Cheers,

Przemek


Re: IPSEC VPN ECMP - Issue

[Attachment: Drawing1.png]

 

I enclosed a drawing to make it more clear.

On the IKE GW the local interface is configured to e1/4 - so all IKE traffic goes well (green line).

Unfortunately ESP packets are load balanced and go via e1/1 and e1/4 (orange lines).

 

What I have to do is force the PA to send ESP packets via the e1/4 interface.

ESP packets always have the correct IP source address (2.2.2.2); the only issue is that half of them go via the e1/1 interface.

 

Thank you in advance for your help.

 

Cheers,

Przemek


Re: IPSEC VPN ECMP - Issue

Hi,

 

Traffic generated on the firewall, like in this case, doesn't work with PBR.

I fixed the problem by configuring two Virtual Routers - one for each provider.

Then instead of ECMP I configured load sharing with redundancy (for internet traffic, not for the VPN tunnels).

 

Best,

Przemek.
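As an added illustration (not from this thread or from PAN-OS itself), a small Python model of the failure mode and of the per-ISP virtual-router fix described above. The interface addresses come from the thread; the per-packet round-robin ECMP choice, the peer address 203.0.113.10 and the `source_interface_mismatches` check are constructed assumptions.

```python
from dataclasses import dataclass, field
from itertools import cycle

# Constructed topology from the thread: one firewall, two ISP uplinks.
INTERFACE_IP = {"ethernet1/1": "1.1.1.1", "ethernet1/4": "2.2.2.2"}
ESP = 50  # IP protocol number of ESP


@dataclass
class Packet:
    src: str
    dst: str
    proto: int
    egress: str = ""


@dataclass
class VirtualRouter:
    """A virtual router holding equal-cost default routes over its interfaces."""
    name: str
    default_routes: list
    _rr: object = field(init=False, repr=False)

    def __post_init__(self):
        # Assumption: per-packet round-robin ECMP, which reproduces the 50/50 split
        # reported in the thread. The egress choice ignores the source address.
        self._rr = cycle(self.default_routes)

    def forward(self, pkt: Packet) -> Packet:
        pkt.egress = self.default_routes[0] if len(self.default_routes) == 1 else next(self._rr)
        return pkt


def source_interface_mismatches(packets):
    """Flag firewall-originated packets that leave on an interface other than the one
    owning their source address; these are the packets the thread sees being lost."""
    owner = {ip: ifname for ifname, ip in INTERFACE_IP.items()}
    return [p for p in packets if p.src in owner and owner[p.src] != p.egress]


def esp_burst(n: int):
    # Constructed: n ESP packets from the tunnel whose IKE gateway sits on ethernet1/4.
    return [Packet(src="2.2.2.2", dst="203.0.113.10", proto=ESP) for _ in range(n)]


def simulate(vr: VirtualRouter, n: int = 4) -> int:
    """Return how many of n ESP packets the given VR sends out the wrong uplink."""
    return len(source_interface_mismatches([vr.forward(p) for p in esp_burst(n)]))


if __name__ == "__main__":
    # Single VR with ECMP across both uplinks: half of the ESP leaves via ethernet1/1.
    print("ECMP VR mismatches:", simulate(VirtualRouter("default", ["ethernet1/1", "ethernet1/4"])))
    # Fix from the thread: a dedicated VR for the ISP on ethernet1/4 holding only that
    # uplink's default route, with the tunnel and IKE gateway interface in this VR.
    print("per-ISP VR mismatches:", simulate(VirtualRouter("vr-isp-b", ["ethernet1/4"])))
```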
