I essentially have 2 ISPs (for load balancing or backup if one fails).
Both ISPs are directly connected to the Palo.
Some applications are tied via DNS to one ISP (168.x.x.x, primary), others are tied to the secondary 207.x.x.x, and they are then NATed into my private IP range.
It seems everything works on the 168 side but not on the 207 side. Palo support said there wasn't a route set up to 207, but in my default virtual router both ISPs are set up (static routes). I'll provide more details if you need/want.
Has symmetric return been enabled under ECMP on the VR?
As a sanity check, what packet captures have you performed? Can you see the packets arriving via ISP2? Do you see them leaving the firewall after being NAT'd and then see the replies coming back to the firewall? Do you see the return traffic egressing via the WAN interfaces?
You are not seeing any packets on the ISP2 interface coming inbound? Can you ping your next-hop router on that link?
How have you configured routing? Do you dynamically advertise prefixes to the ISP?
The services which you advertise via DNS on the ISP2 address space: do those IP addresses reside on the same subnet as the WAN interface, or have you carved your ISP allocation up and have, say, a /30 between you and the ISP and another subnet (a /28?) which comprises your service IPs?
I am seeing traffic coming in on the ISP2 interface. I'm temporarily allowing ping on the IP of the ISP2 interface and I can ping that; I haven't tried pinging the next-hop address (I will as soon as I can).
I have static routing set up for both my ISPs (virtual router, static routes). I'm not sure about the prefixes for the ISPs; how do I check this?
The addresses are in a /26 and the WAN interface is set up as a /26, so they reside in the same range.
Your routing setup sounds fine as does your configuration of the /26 subnet on your ISP2 WAN interfaces. Given that it is only a single /26 subnet it is safe to assume that they have also configured a static route for that single prefix directed towards your firewall. As you have captured inbound traffic on the ISP2 link we can assume their routing configuration is correct.
For the packets ingressing the ISP2 WAN interface, do you see them leaving on an 'inside/trust' zone towards your servers and a reply coming back? If you don't see the reply in the TX capture buffer on the ISP2 WAN interface, does it appear to leave via the ISP1 WAN interface? If it is not leaving via either WAN interface, do you see anything in the traffic log to indicate what is happening to this flow?
I have it working now, thanks for all your help. To be honest I changed several things throughout this process so I'm not sure exactly what was the final fix. But I did have some PBF rules that I think were causing the issue; I removed them and added a second NAT rule for my secondary ISP (I believe that was also missing), but it's working now!
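The two failure modes discussed in this thread (a reply to a session that arrived on ISP2 being routed back out ISP1 because return traffic follows the preferred default route, and a service on the ISP2 address block having no destination NAT rule at all) can be reproduced in a small routing model. This is an added illustration, not code from the thread or from PAN-OS; the interface names, the documentation-range addresses and the simplified "symmetric return = reply leaves on the ingress interface" behaviour are assumptions of the model.

```python
import ipaddress

# Constructed topology loosely mirroring the thread: two WAN links with static
# default routes (ISP1 preferred via metric) and one inside/trust network.
# All addresses are documentation-range placeholders, not the poster's.
ROUTES = [
    # (prefix, egress interface, metric)
    ("0.0.0.0/0", "ethernet1/1", 10),     # default via ISP1
    ("0.0.0.0/0", "ethernet1/2", 20),     # default via ISP2 (backup)
    ("10.0.0.0/24", "ethernet1/3", 0),    # inside/trust servers
]

# Destination NAT: public service IP -> inside server. ISP1's entry is present;
# whether ISP2's entry exists is the scenario being tested.
DNAT_ISP1_ONLY = {"198.51.100.10": "10.0.0.5"}
DNAT_BOTH = {"198.51.100.10": "10.0.0.5", "203.0.113.10": "10.0.0.5"}

def lookup(dst: str) -> str:
    """Longest-prefix match, then lowest metric: egress interface for dst."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, iface, metric in ROUTES:
        net = ipaddress.ip_network(prefix)
        if addr in net:
            key = (net.prefixlen, -metric)
            if best is None or key > best[0]:
                best = (key, iface)
    return best[1]

def handle_inbound(ingress, client_ip, public_dst, dnat, symmetric_return):
    """Trace one inbound session through DNAT and pick the reply's egress.
    Without symmetric return the reply is routed by destination only (the
    client's address), so it takes the preferred default route even when
    the session arrived on ISP2 (assumed model of the firewall behaviour)."""
    inside = dnat.get(public_dst)
    if inside is None:
        return {"dropped": f"no destination NAT rule for {public_dst}"}
    reply_egress = ingress if symmetric_return else lookup(client_ip)
    return {
        "server": inside,
        "forward_egress": lookup(inside),
        "reply_egress": reply_egress,
        "asymmetric": reply_egress != ingress,
    }

if __name__ == "__main__":
    for sym in (False, True):
        print(sym, handle_inbound("ethernet1/2", "192.0.2.50", "203.0.113.10", DNAT_BOTH, sym))
```

Running it shows the ISP2 session dropped when only the ISP1 NAT rule exists, leaving via ethernet1/1 (asymmetric) when the rule exists but symmetric return is off, and leaving via ethernet1/2 once symmetric return is on.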