07-03-2023 05:14 AM
if i have 2 isps, same bandwidth, used for load balancing with ECMP do i need 1 or 2 virtual routers?
07-03-2023 05:25 AM
Hi there,
In the simplest and probably most likely WAN design, yes, a single virtual router with ECMP enabled should route both of the ISP links as locally connected interfaces.
cheers,
Seb.
07-03-2023 05:25 AM
Hi there,
In the simplest and probably most likely WAN design, yes, a single virtual router with ECMP enabled should route both of the ISP links as locally connected interfaces.
cheers,
Seb.
07-03-2023 05:32 AM
that's what i thought, but had support trying to have me add a second virtual router for my 2nd isp, I'm having routing issues to one of my servers on my secondary isp.
07-03-2023 05:46 AM
Hi there,
Connecting the second ISP to another VR and then configuring routing between the VRs *is* a valid option but (without knowing more about your requirements) is probably not the right one.
cheers,
Seb.
07-03-2023 07:17 AM
I essentially have 2 ISPs (for load balancing or backup if one fails)
both isp directly connected to palo.
some applications tied via DNS to one isp (168.x.x.x. (primary)) others tied to secondary 207.x.x.x and are then NATed into my private ip range
seems everything works on the 168 side but not working on the 207 side, palo support said there wasn't a route set up to 207. but in my default virtual router both isp are setup (static routes). i'll provide more details if you need/want
07-03-2023 08:16 AM
Has symmetric return been enabled under ECMP on the VR?
As a sanity check, what packet captures have you performed? Can you see the packets arriving via ISP2 ? Do you see them leaving the firewall after being NAT'd and then seem the replies coming back to the firewall? Do you see the return traffic egressing via the WAN interfaces?
cheers,
Seb.
07-03-2023 09:17 AM
symmetric return is on and per support i have ran packet captures from an external pc to my app (sharepoint) that's not working, and the packet capture looks too show a no response
07-03-2023 01:23 PM
Hi there,
You are not seeing any packets on the ISP2 interface coming inbound?? Can you ping your next-hop router on that link?
How have you configured routing, do you dynamically advertise prefixes to the ISP?
The services which you advertise via DNS on the ISP2 address space, do those IP addresses reside on the same subnet as the WAN interface, or have you carved your ISP allocation up and have say a /30 between you and the ISP another subnet (/28? ) which comprises of your service IPs?
cheers,
Seb.
07-03-2023 06:30 PM
i am seeing traffic coming in on the isp2 interface, I'm temporarily allowing ping on the ip of the isp2 interface an i can ping that, i haven't tried pinging the next hop address (i will soon as i can).
i have static routing set up for both my ISPs (virtual router, static routes) - I'm not sure about the prefixes for the ISPs, how do i check this?
the address are in a /26 and the wan interface is set up as a /26 so it resides in the same range
07-06-2023 05:38 AM
Hi there,
Your routing setup sounds fine as does your configuration of the /26 subnet on your ISP2 WAN interfaces. Given that it is only a single /26 subnet it is safe to assume that they have also configured a static route for that single prefix directed towards your firewall. As you have captured inbound traffic on the ISP2 link we can assume their routing configuration is correct.
For the packets ingressing the ISP2 WAN interface, do you see them leaving on an 'inside/ trust' zone towards your servers and a reply coming back. If you don't see the reply in the TX capture buffer on the ISP2 WAN interface, does it appear to leave via the ISP1 WAN interface? If it is not leaving via either WAN interface, do you see anything in the traffic log to indicate what is happening to this flow?
cheers,
Seb.
07-06-2023 09:04 AM
i have it working now, thanks for all your help, to be honest i changes several things throughout this process so not sure exactly what was the final fix. But i did have some PBF rules that i think were causing the issue, I removed them and added a second nat rule for my secondary isp (i believe that was also missing) but it's working now!
07-07-2023 03:39 AM
Glad to hear you worked it out!
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
