Dual ISP failover - stuck UDP sessions

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Dual ISP failover - stuck UDP sessions

L0 Member

Hi, I've configured Dual ISP failover using a PBF and everything seems to failover from ISP1 to ISP2  just fine. My issue is after we have failed over to ISP2 and ISP1 comes back online, not all traffic flips back to ISP1. 

 

UDP sessions for devices that have a keep alive or heart beat seem to be the most problematic. Currently the SIP/RTP traffic from my phones seems to be causing the most issues. How can i get the Palo Alto to kill those sessions once the primary ISP comes back online? My ISP2 is a metered LTE connection and I'd like to save as much data as possible. When i look at the sessions in the CLI, the sessions that are on ISP2 still get renewed even when ISP1 is online and they never end unless i clear the sessions manually or i pull the network cable out of the LTE router. 

 

Any help would be appreciated!

6 REPLIES 6

Cyber Elite
Cyber Elite

I don't think you are going to be able to do anything but clear them out manually. The session is going to stay on the route until it ages-out or is cleared, it won't go back through the process of deciding a path because it already has one open. 

Write a script (in your prefered programming language) which:

- checks ISP1 periodically,

- set a trigger to detect if ISP1 goes down, 

- after ISP1 is down it waits till it comes back up again, 

- when ISP1 comes back it uses PA XML API to disable ISP2 (brings interface down) for a short while

 

I know it's not elegant and it takes some careful planning on conditions, but it could work.

 

 

Sadly @santonic probably has the most 'elegent' solution to this issue as long as you are comfortable enough to script something like this. 

L4 Transporter

You'll find your solution in the KB below.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000HBmqCAG

 

PCSNE - CISSP

Best Effort contributor

Check out our PANCast Channel

Disclaimer : All messages are my personal ones and do not represent my company's view in any way.

L1 Bithead

Hi all, checking in to see if an automated solution was identified for this scenario or if you simply decided to manually clear these sessions when failover over to another link?

Hello Trjohnson,

You open the KB I shared, and you try it.

Regards

Olivier

PCSNE - CISSP

Best Effort contributor

Check out our PANCast Channel

Disclaimer : All messages are my personal ones and do not represent my company's view in any way.

  • 6481 Views
  • 6 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!