This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

External ping to public ip of secondary ISP interface.

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

External ping to public ip of secondary ISP interface.

Dyardley
L0 Member

‎11-23-2021 07:24 AM

I am having issues allowing pings on my secondary ISP interface. I have a dual ISP set up with my main connection a 10gbit connection with ISP1 and a backup 1gbit with ISP2. I am currently using path monitoring for internet failover and I also have a few PBF rules for some traffic to leave through ISP2. I was asked by ISP2 to allow ICMP for their subnet so they can monitor the connection. So I set up a second management profile that only allowed ping from their subnet and applied it to that interface. They still can seem to get a response when they ping it. Is there something else that I am missing? 

0 Likes Likes
2 REPLIES 2

SutareMayur
Cyber Elite
Cyber Elite

‎11-23-2021 09:15 AM

Hi @Dyardley ,

 

If other end is still not able to ping the palo alto interface, did you checked the traffic logs? Traffic logs should give you clarity on what's actually happening. 

M
0 Likes Likes

johnwalshaw
L2 Linker

‎11-25-2021 02:42 PM

I literally just configured this.  I have the default virtual router and then a separate virtual router for each ISP (hub and spoke). With this method, you can prevent the dedicated ISP virtual routers having a zero route to the other ISP.  Therefore path monitoring will have the desired effect to flush the zero route for that specific ISP. You need to create a loopback on each virtual router.  Then create static routes (hub and spoke) to each ISP router (requires loopback). You can then configure eBGP on those links, along with redistribute. The method I used was local pref on the internal (default) virtual router to designate primary and secondary ISP.  The failover is tuned to 3 seconds and then hold time of 2 minutes for fail back. PDF with screenshot can be found here, although this is not a how-to guide, it will give you some of the main concepts.

 

https://www.linkedin.com/feed/update/urn:li:activity:6869729830720688128/

0 Likes Likes
  • 2603 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks