04-24-2017 07:47 AM - edited 04-24-2017 08:04 AM
Dear Colleagues,
Let's imagine the following situation:
PA Firewall connected to two ISPs, e1/1 - 1.1.1.1 and e1/4 - 2.2.2.2.
Default virtual router with ECMP configured with weights e1/1-50 and e1/4-50.
IPSEC tunnel configured to the remote site, IKE Gateway configured on interface e1/4.
Tunnel is green, everything seems to be fine... but:
I see around 50% packet loss.
During troubleshooting I see that half of the ESP packets go via e1/1 and the other half via e1/4.
Packets which go via e1/1 have the IP address of e1/4 (2.2.2.2) and are lost.
I assume that I could use a PBF to resolve this issue, am I right?
Best,
Przemek
04-24-2017 09:05 AM
Yup,
PBF is going to be the best way to actually resolve this. I imagine that the remote site has a static IP?
04-24-2017 09:31 AM
Unfortunately not, and it seems that I have the same issue with GlobalProtect.
I have one tunnel with a static IP, and I did a workaround - put a static route to this particular IP.
In case of other tunnels, I also put static routes as a temporary solution.
But of course it's not what I want to have.
Any ideas how exactly to configure PBR?
I tried with:
Zone Internet, Source IP 2.2.2.2 forwarded to e1/4 - but it doesn't work....
Cheers,
Przemek
04-25-2017 01:28 AM - edited 04-25-2017 01:56 AM
I enclosed a drawing to make it clearer.
On the IKE GW the local interface is configured to e1/4 - so all IKE1 traffic goes well (green line).
Unfortunately ESP packets are load balanced and go via e1/1 and e1/4 (orange lines).
What I have to do is force the PA to send ESP packets via the e1/4 interface.
ESP packets always have the correct IP source address (2.2.2.2); the only issue is that half of them go via the e1/1 interface.
Thank you in advance for your help.
Cheers,
Przemek
07-14-2017 06:10 AM
Hi,
Traffic generated on the firewall, like in this case, doesn't work with PBR.
I fixed the problem by configuring two Virtual Routers - one for each provider.
Then instead of ECMP I configured load sharing with redundancy (for internet traffic, not for the VPN tunnels).
Best,
Przemek.
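The following is an added Python model, not code from the thread or from PAN-OS, that reproduces the ~50% loss described above and compares the three configurations discussed: the original single ECMP virtual router, the static host-route workaround, and the accepted fix of a dedicated virtual router per ISP. The flow hash, the peer address 203.0.113.10 and the rule that each upstream drops packets sourced from the other ISP's address are assumptions made for illustration.

```python
# Added toy model (not from the thread): a virtual router with weighted ECMP,
# showing why firewall-originated ESP sourced from 2.2.2.2 gets split over
# e1/1 and e1/4, and how a host route or a per-ISP VR pins it to e1/4.
import hashlib
from dataclasses import dataclass, field

ESP = 50  # IP protocol number for ESP

@dataclass
class VirtualRouter:
    default_route: list                              # [(interface, weight), ...]; >1 entry = ECMP
    host_routes: dict = field(default_factory=dict)  # destination -> interface (most specific)

    def egress(self, src, dst, proto, flow_id):
        if dst in self.host_routes:
            return self.host_routes[dst]
        # Weighted ECMP (assumed hash, not the PAN-OS algorithm): hash the flow
        # onto one of the weighted interface slots, ignoring the source address.
        slots = [ifc for ifc, w in self.default_route for _ in range(w)]
        h = hashlib.sha256(f"{src}|{dst}|{proto}|{flow_id}".encode()).digest()
        return slots[int.from_bytes(h[:4], "big") % len(slots)]

# Assumption: each upstream only forwards packets sourced from the address it
# assigned to the firewall, so 2.2.2.2 leaving via e1/1 is dropped.
ISP_ACCEPTS = {"e1/1": "1.1.1.1", "e1/4": "2.2.2.2"}
PEER = "203.0.113.10"  # constructed remote tunnel peer address

def send_esp(vr, n_flows):
    """Send n_flows ESP flows (distinct SPIs) from 2.2.2.2; return (delivered, per-interface counts)."""
    delivered, per_if = 0, {"e1/1": 0, "e1/4": 0}
    for spi in range(n_flows):
        ifc = vr.egress("2.2.2.2", PEER, ESP, spi)
        per_if[ifc] += 1
        if ISP_ACCEPTS[ifc] == "2.2.2.2":
            delivered += 1
    return delivered, per_if

def loss_percent(vr, n_flows=1000):
    delivered, _ = send_esp(vr, n_flows)
    return 100.0 * (n_flows - delivered) / n_flows

# Thread's original setup: one VR with a 50/50 ECMP default route.
ecmp_vr = VirtualRouter([("e1/1", 50), ("e1/4", 50)])
# Temporary workaround from the thread: a static host route for the known peer.
static_vr = VirtualRouter([("e1/1", 50), ("e1/4", 50)], {PEER: "e1/4"})
# Accepted fix: a separate VR for ISP2 whose only default route is e1/4.
isp2_vr = VirtualRouter([("e1/4", 1)])

if __name__ == "__main__":
    for name, vr in [("ECMP", ecmp_vr), ("static route", static_vr), ("ISP2 VR", isp2_vr)]:
        print(f"{name:13s} loss {loss_percent(vr):5.1f}%")
```

The ECMP case loses roughly half the flows because the hash never consults the source address, which is exactly the symptom in the original post; the host route fixes only the peers you know, while the per-ISP VR fixes every tunnel and GlobalProtect session bound to e1/4.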