10-17-2016 08:35 PM
Hi,
This is the scenario:
- ISP1: only for GlobalProtect
- ISP2: only for Internet access
ISP1 has distance 10 and metric 10
ISP2 has distance 10 and metric 15
In this scenario the ISP1 interface responds to the GlobalProtect gateway/portal with no problem. ISP2 also pings, and I can access management through the ISP2 public IP.
If I change the metric of ISP1 to 20, ISP2 becomes primary. BUT ISP1 no longer responds to pings, GlobalProtect, or management, nothing.
It appears that returning traffic entering ISP1 goes out through ISP2 no matter what if ISP2 is preferred. The other way around, though, when ISP1 is primary, traffic entering ISP2 gets out ISP2.
Any clues?
thanks
10-17-2016 11:00 PM
I have resolved it like this:
- created a default route to ISP1 (the usual way in the Virtual route).
- removed ISP2 as second default route with higher metric
- added PBF to force traffic from LAN to ISP2, and negate routing to internal networks (so only traffic to 0.0.0.0/0 would be intercepted).
- This kept ISP1 accessible while forcing traffic originating from LAN to ISP2. (and ISP2 is still accessible somehow)
A very awkward way to achieve a working configuration in such a scenario, but that's it.
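A simplified model of the route selection and the PBF rule described in the post above, added here as an illustration; it is not code or configuration from the thread and not PAN-OS syntax. The subnets, addresses and the `local` zone label are constructed assumptions.

```python
import ipaddress

# Constructed addressing (assumption; the thread gives no subnets or addresses).
INTERNAL = [ipaddress.ip_network("10.0.0.0/8")]
DEFAULT = ipaddress.ip_network("0.0.0.0/0")

def two_defaults(isp1_metric, isp2_metric=15):
    """Original setup: one default route per ISP in the same routing table."""
    return [(DEFAULT, "ISP1", isp1_metric), (DEFAULT, "ISP2", isp2_metric)]

# Routing table after the change in the post: a single default via ISP1.
FIXED = [(DEFAULT, "ISP1", 10), (INTERNAL[0], "LAN", 10)]

def route_lookup(dst, routes):
    """Longest prefix wins; among equal prefixes the lowest metric wins."""
    addr = ipaddress.ip_address(dst)
    hits = [r for r in routes if addr in r[0]]
    if not hits:
        return None
    return max(hits, key=lambda r: (r[0].prefixlen, -r[2]))[1]

def pbf_match(src_zone, dst):
    """PBF rule from the post: from LAN, destination NOT internal -> ISP2."""
    if src_zone != "LAN":
        return None
    addr = ipaddress.ip_address(dst)
    if any(addr in net for net in INTERNAL):  # negated internal networks
        return None
    return "ISP2"

def egress(src_zone, dst, routes=FIXED):
    """PBF is evaluated first; unmatched traffic falls back to the route table."""
    return pbf_match(src_zone, dst) or route_lookup(dst, routes)

if __name__ == "__main__":
    client = "203.0.113.50"  # constructed GlobalProtect client address
    # Two defaults: the lower metric carries everything, replies included.
    print("ISP1 metric 10:", route_lookup(client, two_defaults(10)))
    print("ISP1 metric 20:", route_lookup(client, two_defaults(20)))
    # After the fix: "local" is a hypothetical label for firewall-sourced replies.
    print("GP reply      :", egress("local", client))
    print("LAN to web    :", egress("LAN", "198.51.100.7"))
    print("LAN to inside :", egress("LAN", "10.2.3.4"))
```

The model covers only the route-table lookup and the PBF match; it does not account for the observation that ISP2 stays reachable.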
10-22-2016 05:54 AM
An alternative way to configure this would be to place your Global Protect ISP into a separate virtual router. This would isolate this traffic and give it its own routing table.