02-09-2024 04:49 PM - edited 02-14-2024 12:41 PM
Hello,
We've set up a dual leased line configuration with BT, featuring two separate gateways. Our primary aim is to ensure continuous connectivity, should one of the lines fail.
Our PA 220's static routing has been configured as follows:
- For BT1, we've assigned Ethernet interface 4 with a default route (0.0.0.0/0) having an administrative distance of 10 and a metric of 10, pointing to its specific gateway.
- For BT2, Ethernet interface 5 is set up similarly, with a default route but an administrative distance of 20 and a metric of 20, also pointing to its designated gateway.
Path monitoring has been enabled for both lines.
Both interfaces are in the same zone, with ECMP activated to support symmetric return traffic, utilizing the IP modulo method for traffic distribution.
We've achieved theoretical line redundancy; either line can take over if the other fails. However, we encounter an issue with NAT policy prioritization. The system only routes traffic correctly if the NAT policy for the active line is listed first. If we disconnect one line and the NAT policy for the disconnected line appears at the top, the system fails to bypass it for the active line's NAT policy.
Our setup is on PAN-OS 11.
What adjustments are necessary to ensure seamless failover between the two lines without manual NAT policy reordering?
EDIT:
Some progress: interface selection indeed solved that issue, but now there is a similar one with the two tunnels (one for each line) to Azure, where our domain controller with DNS is. Only the line with the top-priority tunnel will work. Is it possible to ignore the tunnel which is disconnected? I was planning to use path monitoring, but in the source drop-down I can only select PPPoE or DHCP, while I have a static address.
02-11-2024 06:14 PM
Hello @paul.faisant,
As you've mentioned that both leased line interfaces are in the same zone, can you confirm the NAT configuration?
Can you check if you've configured the destination interface in the NAT policy? If you haven't, please configure destination interfaces in the respective NAT policies and then check again.
02-12-2024 12:33 AM
I concur with @SutareMayur: your NAT rules need to be configured with a destination interface for this to work properly.
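To make concrete why the advice in these two replies works, here is an added example (my own code, not the thread's or Palo Alto Networks'), modelling the two behaviours in play: static default-route selection by administrative distance, skipping any route whose path monitor reports down, and top-down first-match NAT evaluation with and without a destination-interface qualifier. The interface names (ethernet1/4, ethernet1/5), zone names and gateway addresses are assumed placeholder values, and the route and NAT logic are simplified models of the behaviour described in the thread, not PAN-OS internals.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class StaticRoute:
    """One static default route as in the original post (constructed values)."""
    name: str
    interface: str
    nexthop: str          # hypothetical gateway address
    admin_distance: int
    metric: int
    path_up: bool = True  # what path monitoring reports for this route


@dataclass
class NatRule:
    """A source NAT rule. to_interface=None models a rule with no
    Destination Interface set, i.e. the original (broken) configuration."""
    name: str
    from_zone: str
    to_zone: str
    translate_interface: str            # interface whose address is used for SNAT
    to_interface: Optional[str] = None  # Destination Interface qualifier


def select_default_route(routes: List[StaticRoute]) -> Optional[StaticRoute]:
    """Pick the active default route: lowest admin distance, then metric,
    considering only routes whose path monitor is up. None if all are down."""
    usable = [r for r in routes if r.path_up]
    if not usable:
        return None
    return min(usable, key=lambda r: (r.admin_distance, r.metric))


def match_nat(rules: List[NatRule], from_zone: str, to_zone: str,
              egress_if: str) -> Optional[NatRule]:
    """Top-down, first-match NAT lookup. A rule carrying a destination
    interface only matches when it equals the chosen egress interface."""
    for rule in rules:
        if (rule.from_zone, rule.to_zone) != (from_zone, to_zone):
            continue
        if rule.to_interface is not None and rule.to_interface != egress_if:
            continue
        return rule
    return None


def forward(routes: List[StaticRoute], rules: List[NatRule],
            from_zone: str = "trust", to_zone: str = "untrust"
            ) -> Optional[Tuple[str, Optional[str], Optional[str], bool]]:
    """Return (egress_interface, nat_rule_name, snat_interface, consistent),
    where consistent means the SNAT address belongs to the egress interface."""
    route = select_default_route(routes)
    if route is None:
        return None
    rule = match_nat(rules, from_zone, to_zone, route.interface)
    if rule is None:
        return (route.interface, None, None, False)
    return (route.interface, rule.name, rule.translate_interface,
            rule.translate_interface == route.interface)


def build_routes(bt1_up: bool, bt2_up: bool) -> List[StaticRoute]:
    """Two default routes with the admin distances/metrics from the post."""
    return [
        StaticRoute("BT1", "ethernet1/4", "203.0.113.1", 10, 10, bt1_up),
        StaticRoute("BT2", "ethernet1/5", "198.51.100.1", 20, 20, bt2_up),
    ]


def unqualified_rules() -> List[NatRule]:
    """NAT rules as the original post had them: no destination interface."""
    return [
        NatRule("NAT-BT1", "trust", "untrust", "ethernet1/4"),
        NatRule("NAT-BT2", "trust", "untrust", "ethernet1/5"),
    ]


def qualified_rules() -> List[NatRule]:
    """The same rules with Destination Interface set, as the replies advise."""
    return [
        NatRule("NAT-BT1", "trust", "untrust", "ethernet1/4", to_interface="ethernet1/4"),
        NatRule("NAT-BT2", "trust", "untrust", "ethernet1/5", to_interface="ethernet1/5"),
    ]


if __name__ == "__main__":
    for label, rules in (("unqualified", unqualified_rules()),
                         ("qualified", qualified_rules())):
        for bt1, bt2 in ((True, True), (False, True), (True, False)):
            state = f"BT1 {'up' if bt1 else 'down'}, BT2 {'up' if bt2 else 'down'}"
            print(f"{label:11} {state:22} -> {forward(build_routes(bt1, bt2), rules)}")
```

Compare the `unqualified` rows when BT1 is down: the route lookup moves to ethernet1/5, but the first NAT rule still matches and translates to the ethernet1/4 address, so packets leave the BT2 line sourced from BT1's address, which is the failure reported in the question. With the Destination Interface set (Policies > NAT > Original Packet in the web UI), the BT1 rule no longer matches when the egress interface is ethernet1/5, and rule order stops mattering. The `consistent` flag is a cheap invariant to check on any dual-WAN rulebase: the interface supplying the translated address must equal the route's egress interface in every line-up/line-down combination.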