GP stops working when ecmp is enabled

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

GP stops working when ecmp is enabled

L1 Bithead

We have Palo Alto firewall with three Internet links. One is a leased line and other two are ADSL links. I have configured ECMP on the two ADSL lines to load balance traffic on the two ADSL links. Global Protect is configured on the leased line. I have configured default route to all the three internet links in the firewall. I have configured the default route for leased line with AD and metric to be lower than that of the ADSL links, then the global protect works fine, however the ADSL links do not appear in the FIB and thereby traffic does not go through the ADSL links. If the default route for the ADSL links are configured with AD and metric lower than that of leased line, the ADSL links appear in the FIB and loadbalancing of traffic over ADSL links work fine, however the global protect does not work as the default route for leased line is not added to FIB.

 

Any suggestions so that the load balancing is done on the ADSL links and global protect works fine?

 

 

11 REPLIES 11

Cyber Elite
Cyber Elite

What is your ideal goal? Which links you want to use for Internet and which not?

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

Hi Raido,

 

leased line for global protect

Two adsl links for user internet

 

Thanks

Cyber Elite
Cyber Elite

Virtual router can only route based on destination IP.

 

Set up ADSL links with same AD and metric.

ECMP will load balance outgoing traffic over those links.

 

For GlobalProtect set up PBF

Policies > Policy Based Forwarding

Source zone - GlobalProtect

Destination IP - "Not RFC1918 IP"

Next hop - Leased line ISP IP

 

PBF policies are checked before virtual router.

If any of PBF policies match then traffic will be routed accordingly and virtual router won't be checked.

 

 

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

Hi Raido,

 

I have tried this pbr rule but it didn’t work:

 

source - leased line interface 

destination - any

next hop - gateway of leased line isp

 

Isn’t it the same?

 

Thanks,

 

Cyber Elite
Cyber Elite

No it is not the same because GlobalProtect traffic is not coming from leased line interface but it is arriving into Palo from GlobalProtect zone.

Tunnel interface that is configured in GlobalProtect gateway config has dedicated zone assigned or are you using genera INSIDE zone for that?

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

Hi Raido,

 

In my case, the global protect agent is not getting connected 

 

Thanks,

 

Cyber Elite
Cyber Elite

Probably because replies to incoming GlobalProtect connection attempts get response back from ADSL interface due routing preference.

 

No good solution.

I guess best is to set up dedicated virtual router for leased line.

 

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

Cyber Elite
Cyber Elite

Hi @Dijesh ,

 

Enable Symmetric Return for ECMP and GP should work fine.  https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-web-interface-help/network/network-virtual-route...

 

Your scenario is the reason the Symmetric Return option is there.  We want the GP return packets to always go out the same interface they came in and not be load balanced.

 

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.

Cyber Elite
Cyber Elite

Symmetric return overrides ECMP load balancing algorithm but it does not override fact that 0.0.0.0/0 route towards leased line does not exist in the forwarding table.

 

Default route towards leased line can't have same ad/metric because then outgoing traffic would also start using it.

Symmetric return would help only if all 3 ISP links (leased line and 2x ADSL) would have same AD and metric.

As goal is to load balance outgoing traffic out over both ADSL links (and not leased line) only feasible option is to place leased line interface into it's own virtual router.


Theoretically you could try to change load balance algorithm to "Weighted Round Robin", add all 3 ISP interfaces into the list, set both ADSL link weights to 255 and leased line weight to 1.
In this case only tiny amount of sessions would take outgoing path over leased line but it would not be completely zero. Benefit would be that all ISP links stay in same virtual router.

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

Hi Raido,

 

Thanks for your suggestions. Assigning the leased line to a separate virtual router fixed the issue.

 

Thanks,

Cyber Elite
Cyber Elite

Hi @Raido_Rattameister ,

 

Thanks for clarifying the design.  I missed that part.

 

Hi @Dijesh ,

 

We are glad it is working!  Please mark @Raido_Rattameister reply as the solution.

 

Tom

Help the community: Like helpful comments and mark solutions.
  • 2393 Views
  • 11 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!