Issues with Dual ISP Failover


L3 Networker

I followed these instructions to set up ISP failover: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PLL8CAO

When the primary ISP1 goes down, it does indeed fail over to secondary ISP2, in every respect except that traffic doesn't use ISP2's NAT automatically. Upon failover, traffic continues trying to use the NAT rule associated with ISP1. I have to manually go in and DISABLE ISP1's NAT rule, then traffic starts automatically flowing as expected via the NAT rule that exists for ISP2.

What can I do so that this NAT switch happens automatically upon failover?



L3 Networker

Update:

Here are two screenshots that I hope will make things clearer.

Something bizarre is going on. ISP1 uses the Eth1/1 interface. ISP2 uses the Eth1/2 interface. The bizarre thing is that Eth1/1 traffic is NATing through Eth1/2's NAT rule successfully! See photos. What's going on? HELP!

Hi @pomologist,

Looking at your screenshot, it seems you have missed one key component when configuring the NAT rules: Destination Interface.

NAT rules are evaluated the same way as security rules: first match, top to bottom.

When you configured only source and destination zone for the NAT (using any for source/destination IPs), traffic will always hit the first rule and never reach the second one.

For that reason you must configure "Destination Interface"; this adds the egress interface as part of the matching criteria when evaluating the NAT rules.

So when your primary ISP is up and traffic is using the primary default route, your egress/destination interface will be eth1/1 (primary internet).

When the primary ISP is down and path monitoring disables the primary default route, traffic will take the backup default route, but this means the egress/destination interface will be different, so this traffic will no longer match the first NAT rule and NAT evaluation will keep looking down, reaching the second NAT rule.

Hope that makes sense.
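The route-lookup-then-first-match behaviour described in the reply above, as an added Python model. This is not code from the thread or from PAN-OS; it is a toy of how the firewall picks an egress interface from the active default routes and then walks the NAT rulebase top to bottom. Interface names ethernet1/1 and ethernet1/2 come from the thread; the shared "untrust" zone, the route metrics, and the RFC 5737 translated addresses are constructed assumptions for the example.

```python
"""Toy model of PAN-OS route lookup followed by first-match NAT evaluation.

Constructed example, not PAN-OS code. It shows why two outbound NAT rules
that differ only in the address they translate to both hit the first rule,
and why adding Destination Interface to the match criteria lets the backup
rule be reached once path monitoring pulls the primary default route.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class StaticRoute:
    name: str
    interface: str
    metric: int
    active: bool = True  # False once path monitoring has withdrawn the route


@dataclass
class NatRule:
    name: str
    from_zone: str
    to_zone: str
    src_xlate: str                     # illustrative translated address (RFC 5737 range)
    to_interface: Optional[str] = None  # the "Destination Interface" field; None = any


def egress_interface(routes: List[StaticRoute]) -> Optional[str]:
    """Best active default route wins (lowest metric). All routes here are 0.0.0.0/0."""
    active = [r for r in routes if r.active]
    if not active:
        return None
    return min(active, key=lambda r: r.metric).interface


def match_nat(rules: List[NatRule], from_zone: str, to_zone: str,
              egress_if: Optional[str]) -> Optional[str]:
    """First match, top to bottom, like the PAN-OS NAT rulebase."""
    for rule in rules:
        if rule.from_zone != from_zone or rule.to_zone != to_zone:
            continue
        # Destination Interface only participates in matching when it is set.
        if rule.to_interface is not None and rule.to_interface != egress_if:
            continue
        return rule.name
    return None  # no rule matched; traffic would leave untranslated


def build_routes(primary_up: bool = True) -> List[StaticRoute]:
    # Assumption: primary default route has the lower metric; path monitor
    # marks it inactive when ISP1 fails. Metrics are constructed values.
    return [
        StaticRoute("ISP1-default", "ethernet1/1", metric=10, active=primary_up),
        StaticRoute("ISP2-default", "ethernet1/2", metric=20),
    ]


# Assumption: both ISP interfaces sit in one "untrust" zone, as the reply implies.
RULES_ZONE_ONLY = [
    NatRule("ISP1-NAT", "trust", "untrust", "203.0.113.10"),
    NatRule("ISP2-NAT", "trust", "untrust", "198.51.100.10"),
]

RULES_WITH_DEST_INTERFACE = [
    NatRule("ISP1-NAT", "trust", "untrust", "203.0.113.10", to_interface="ethernet1/1"),
    NatRule("ISP2-NAT", "trust", "untrust", "198.51.100.10", to_interface="ethernet1/2"),
]


def nat_rule_hit(rules: List[NatRule], primary_up: bool) -> Optional[str]:
    """Which NAT rule an outbound trust->untrust flow hits in the given ISP state."""
    routes = build_routes(primary_up)
    return match_nat(rules, "trust", "untrust", egress_interface(routes))


if __name__ == "__main__":
    for label, rules in (("zone-only", RULES_ZONE_ONLY),
                         ("with Destination Interface", RULES_WITH_DEST_INTERFACE)):
        for primary_up in (True, False):
            state = "ISP1 up  " if primary_up else "ISP1 down"
            print(f"{label:28s} {state} -> {nat_rule_hit(rules, primary_up)}")
```

With zone-only rules the model hits ISP1-NAT in both states, which is the symptom reported in the original post; with Destination Interface set, the failover state hits ISP2-NAT. The model also makes clear when this matters: if each ISP interface were in its own zone, the destination zone alone would separate the two rules, so Destination Interface is what does the work when both ISP interfaces share one untrust zone.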

L3 Networker

THANK YOU SO MUCH!!! I don't know how I missed that!  Yes of course it makes perfect sense.  I so much appreciate you pointing this out.
