05-27-2017 06:27 PM
Hi
If I have a TCP stream that is already established and, because of routing changes, now has to flow through my PA, how do I allow this through?
On my other firewalls I can allow non-SYN and SYN/ACK packets through but block SYNs. How does one do that on a PA with policies?
Alex
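For readers looking for the PAN-OS side of this question, here is an added configuration example (mine, not from the original poster or from Palo Alto Networks' documentation) showing the two knobs that govern mid-stream TCP packets: the per-session check that drops a non-SYN first packet, and the asymmetric-path handling for packets outside the TCP window. The zone name `zone-asym` and profile name `zp-asym` are placeholders; the setting names are PAN-OS CLI as I know them and should be checked against the CLI reference for the PAN-OS version in use.

```text
# --- Option 1: firewall-wide (assumed PAN-OS CLI; affects every zone) ---
# Accept a non-SYN packet as the first packet of a new session.
set deviceconfig setting session tcp-reject-non-syn no
# Do not drop packets that arrive outside the expected TCP window
# (the other half of asymmetric-path handling).
set deviceconfig setting tcp asymmetric-path bypass
commit

# --- Option 2 (preferred): scope the relaxation to the zones that
#     actually carry the asymmetric path, via a zone protection profile.
#     'zp-asym' and 'zone-asym' are placeholder names.
set network profiles zone-protection-profile zp-asym tcp-reject-non-syn no
set network profiles zone-protection-profile zp-asym asymmetric-path bypass
set zone zone-asym network zone-protection-profile zp-asym
commit

# Verify the effective global settings after commit.
show session info
```

Keep the global defaults (reject non-SYN, drop out-of-window) wherever traffic is symmetric; a session that starts from a mid-stream packet gives the firewall no handshake to anchor state on and less to identify the application with, so the relaxation belongs only on the zones where the asymmetric path exists.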
06-20-2017 04:03 PM
No, loopback.2 is not part of the same zone.
Does zoning influence routing?
I will see if I can describe it again, maybe better.
2 PAs, active/active
1 trunk (LACP) into the switch, ae.1
2 VLANs:
213: zone ospf
217: zone app server
loopback.1: zone ospf, router ID
loopback.2: zone inf, GlobalProtect portal, HA IP but failover, bound to primary, no IP/ARP load sharing
213: no HA active IP, but active OSPF interface
217: HA active IP, OSPF enabled but passive, IP/ARP load sharing
This is duplicated on the PAs, pa1 and pa2: pa1 is the active-primary and pa2 the active-secondary.
If I have a host PC in VLAN 217 that happens to use PA2, because of the algorithm used to share load,
a packet going from the PC to the GP portal goes like this:
PC -> VLAN 217 -> PA2 -> out via VLAN 213 (because OSPF routes this way) -> PA1 -> loopback.2
Return path:
loopback.2 -> VLAN 217, because it is directly attached to VLAN 217.
06-25-2017 12:07 AM
Found the best practice setup for OSPF active/active
With asym