dual ISPs ECMP and virtual routes

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

dual ISPs ECMP and virtual routes

L2 Linker

if i have 2 isps, same bandwidth, used for load balancing with ECMP do i need 1 or 2 virtual routers?

1 accepted solution

Accepted Solutions

L4 Transporter

Hi there,

In the simplest and probably most likely WAN design, yes, a single virtual router with ECMP enabled should route both of the ISP links as locally connected interfaces.

 

cheers,

Seb.

View solution in original post

11 REPLIES 11

L4 Transporter

Hi there,

In the simplest and probably most likely WAN design, yes, a single virtual router with ECMP enabled should route both of the ISP links as locally connected interfaces.

 

cheers,

Seb.

that's what i thought, but had support trying to have me add a second virtual router for my 2nd isp, I'm having routing issues to one of my servers on my secondary isp.

 

Hi there,

Connecting the second ISP to another VR and then configuring routing between the VRs *is* a valid option but (without knowing more about your requirements) is probably not the right one.

 

cheers,

Seb.

I essentially have 2 ISPs (for load balancing or backup if one fails)

 

both isp directly connected to palo.

 

some applications tied via DNS to one isp (168.x.x.x. (primary)) others tied to secondary 207.x.x.x  and are then NATed into my private ip range

 

seems everything works on the 168 side but not working on the 207 side, palo support said there wasn't a route set up to 207.  but in my default virtual router both isp are setup (static routes).  i'll provide more details if you need/want

L4 Transporter

Has symmetric return been enabled under ECMP on the VR?

 

As a sanity check, what packet captures have you performed? Can you see the packets arriving via ISP2 ? Do you see them leaving the firewall after being NAT'd and then seem the replies coming back to the firewall? Do you see the return traffic egressing via the WAN interfaces?

 

cheers,

Seb.

symmetric return is on and per support i have ran packet captures from an external pc to my app (sharepoint) that's not working, and the packet capture looks too show a no response

L4 Transporter

Hi there,

You are not seeing any packets on the ISP2 interface coming inbound?? Can you ping your next-hop router on that link?

How have you configured routing, do you dynamically advertise prefixes to the ISP?

The services which you advertise via DNS on the ISP2 address space, do those IP addresses reside on the same subnet as the WAN interface, or have you carved your ISP allocation up and have say a /30 between you and the ISP another subnet (/28? ) which comprises of your service IPs?

 

cheers,

Seb.

i am seeing traffic coming in on the isp2 interface, I'm temporarily allowing ping on the ip of the isp2 interface an i can ping that, i haven't tried pinging the next hop address (i will soon as i can). 

i have static routing set up for both my ISPs (virtual router, static routes) - I'm not sure about the prefixes for the ISPs, how do i check this?

the address are in a /26 and the wan interface is set up as a /26 so it resides in the same range

L4 Transporter

Hi there,

Your routing setup sounds fine as does your configuration of the /26 subnet on your ISP2 WAN interfaces. Given that it is only a single /26 subnet it is safe to assume that they have also configured a static route for that single prefix directed towards your firewall. As you have captured inbound traffic on the ISP2 link we can assume their routing configuration is correct.

For the packets ingressing the ISP2 WAN interface, do you see them leaving on an 'inside/ trust' zone towards your servers and a reply coming back. If you don't see the reply in the TX capture buffer on the ISP2 WAN interface, does it appear to leave via the ISP1 WAN interface? If it is not leaving via either WAN interface, do you see anything in the traffic log to indicate what is happening to this flow?

 

cheers,

Seb.

i have it working now, thanks for all your help, to be honest i changes several things throughout this process so not sure exactly what was the final fix. But i did have some PBF rules that i think were causing the issue, I removed them and added a second nat rule for my secondary isp (i believe that was also missing) but it's working now!

Glad to hear you worked it out!

  • 1 accepted solution
  • 5733 Views
  • 11 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!