Default Route...
L2 Linker

Hi Team,

I had a default route 0.0.0.0 with metric "12". Cable connected on 1/2 and link up, path monitor not enabled.

We had added one more route 0.0.0.0 with metric "10". Cable not connected on 1/6 interface and port down, path monitor not enabled.

In the above scenario what will happen? Will there be any impact on existing traffic?

2 REPLIES

L3 Networker

@omprasadax

In PA, static routes are truly static, which means their status won't change irrespective of interface status if no path monitor is enabled. So in your case traffic always prefers the route with the lower metric (10), as path monitoring is not enabled on it. Since 1/6 is down, there will be impact to all the traffic which is taking this route.

Wait what?

@Rajesh12's statement is completely wrong!

If an interface is physically down, any static route associated with this interface will be removed from the forwarding table (FIB) and it will not be used to forward traffic. It has nothing to do with path monitor - in fact the path monitor is intended to cover the situation where there is a network problem, but for some reason the interface is still physically up (for example the FW is connected to a layer 2 switch, which keeps the FW interface physically up, while the next layer 3 device has some problems). That is why it is called path monitor - you are interested in whether the actual network path is working, no matter if the physical connection is up or down.

This is basic network fundamentals - it has nothing to do with the device vendor - each network device will always remove the route from the FIB if the outbound interface is physically down.

@omprasadax now that we have covered basic networking, let's return to your case - if you have two static routes (it doesn't matter if they are defaults or not) with different metrics, the FW will have both in its routing table (RIB), but it will prefer the one with the better metric and put it in the forwarding table (FIB). If the interface associated with this route becomes physically down, the FW will remove this route from the FIB and install the other one. Effectively you will achieve fail-over. However! The firewall will fail over to the secondary route only if the first interface is physically down, which is why it is better to enable path monitor. That way you will assure proper failover.

But if you don't want to take my word for granted, you can check the Palo Alto official documentation for the path monitor: https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/networking/static-routes/static-route-remo...

In the following figure, the firewall is connected to two ISPs for route redundancy to the internet. The primary default route 0.0.0.0 (metric 10) uses Next Hop 192.0.2.10; the secondary default route 0.0.0.0 (metric 50) uses Next Hop 198.51.100.1. The customer premises equipment (CPE) for ISP A keeps the primary physical link active, even after internet connectivity goes down. With the link artificially active, the firewall can't detect that the link is down and that it should replace the failed route with the secondary route in its RIB.
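To make the RIB-to-FIB selection discussed in this thread concrete, here is an added Python model; it is not code from the thread or from PAN-OS, and the interface names `ethernet1/2` / `ethernet1/6` and the `path_ok` probe results are assumptions. It covers both the poster's case (cable unplugged on the metric-10 route) and the documentation's case (link kept up by the ISP CPE while the path is broken), with and without a path monitor.

```python
from dataclasses import dataclass, field

@dataclass
class StaticRoute:
    prefix: str
    interface: str          # egress interface (assumed PAN-OS style names)
    metric: int
    path_monitor: bool = False  # is a path monitor configured on this route?

@dataclass
class Firewall:
    routes: list                 # RIB: every configured static route
    link_up: dict                # interface -> physical link state
    path_ok: dict = field(default_factory=dict)  # interface -> monitor probe result (assumed)

    def installable(self, r: StaticRoute) -> bool:
        """A static route can enter the FIB only if its egress interface is
        physically up and, when a path monitor is configured, the probes succeed."""
        if not self.link_up.get(r.interface, False):
            return False
        if r.path_monitor and not self.path_ok.get(r.interface, False):
            return False
        return True

    def fib(self) -> dict:
        """Install, per prefix, the lowest-metric route that is installable."""
        best = {}
        for r in self.routes:
            if not self.installable(r):
                continue
            cur = best.get(r.prefix)
            if cur is None or r.metric < cur.metric:
                best[r.prefix] = r
        return best

def poster_scenario() -> str:
    """1/2 up with metric 12, 1/6 cable unplugged with metric 10, no path monitors."""
    routes = [StaticRoute("0.0.0.0/0", "ethernet1/2", 12),
              StaticRoute("0.0.0.0/0", "ethernet1/6", 10)]
    fw = Firewall(routes, link_up={"ethernet1/2": True, "ethernet1/6": False})
    return fw.fib()["0.0.0.0/0"].interface   # the down interface never wins

def cpe_scenario(monitored: bool) -> str:
    """Primary link (1/6, metric 10) kept physically up by the CPE while the
    upstream path is broken; only a path monitor can detect that."""
    routes = [StaticRoute("0.0.0.0/0", "ethernet1/2", 12),
              StaticRoute("0.0.0.0/0", "ethernet1/6", 10, path_monitor=monitored)]
    fw = Firewall(routes, link_up={"ethernet1/2": True, "ethernet1/6": True},
                  path_ok={"ethernet1/6": False})   # constructed: probes fail
    return fw.fib()["0.0.0.0/0"].interface
```

Without a path monitor, `cpe_scenario(False)` keeps forwarding into the black hole on `ethernet1/6`; with one, the FIB falls back to `ethernet1/2`.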

  • 1 accepted solution
  • 3386 Views
  • 2 replies
  • 0 Likes