This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

an issue occure with asymmetric route

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

an issue occure with asymmetric route

black1983
L0 Member

‎02-10-2020 03:58 AM

HI;

 

I have PaloAlto FW and I have 3 ISPs and I'm using default route ( statically ) with this value ISP1 distance 5 ( Interface X), ISP2 distance 9 and ISP3 distance 15 ( Interface Y) and I've server with NAT IP using ISP3 subnet.

the server is reachable from global internet but the users who are using ISP3 they are unable to reach it after some tshoot we have done using trace route we found the following.

 

what is the issue ?

 

NOTE:

we cant apply the following

1- PBF

2- we can't update route table statically for each user

 

Trace route from NATed server using ISP3 subnet toward user using ISP3 :

Server --> Palo Alto outside interface(X)--> ISP1 -->ISP3--> ISP3 USER

 

Trace route from user using ISP3  toward NATed server using ISP3 subnet :

USER-->ISP3 --> WAN Router--> Palo Alto outside interface(Y)--> drop

 

Trace route from NATed server using ISP3 subnet toward global Internet :

Server --> Palo Alto outside interface(X)--> ISP1 --> Global Internet --> 8.8.8.8 (example)

 

Trace route from global user  toward NATed server using ISP3:

Global User --> Global Internet --> ISP3--> reach to NATed server

 

0 Likes Likes
4 REPLIES 4

SutareMayur
L6 Presenter

‎02-10-2020 06:26 PM

@black1983Hi, can you please check if traffic coming on public IP of ISP3 is coming on correct interface of firewall and doing proper NAT ?

Please check same using test security-policy and test NAT commands through cli.

 

Hope this helps !

 

Mayur

M

Check out my YouTube channel - https://www.youtube.com/@NetworkTalks
0 Likes Likes

black1983
L0 Member
In response to SutareMayur

‎02-11-2020 03:16 AM

yes the incoming traffic comes thru correct interface  (Y) whatever the source is local ISP3 or Global internet users but the different is global users thy can browse it and their traffic goes out thru ISP1 interface (X) ( asymmetrically ) !! and ISP3 users can't browse it since the FW is dropping the packet ..

 

So, why do global users can browse it with asymmetric routes while local ISP3 users can't do it ?

0 Likes Likes

rmfalconer
L5 Sessionator
In response to black1983

‎02-11-2020 07:59 AM

Can you explain what you mean by different distance for each route? Do you mean administrative distance?

0 Likes Likes

SutareMayur
L6 Presenter
In response to black1983

‎02-11-2020 07:06 PM

@black1983

 

Is it possible for your to explain it with the help of diagram ? Wanted to understand topology properly.

 

-Mayur

M

Check out my YouTube channel - https://www.youtube.com/@NetworkTalks
0 Likes Likes
  • 2755 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks