Issues with Dual ISP Failover

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Palo Alto Networks Approved
Palo Alto Networks Approved
Community Expert Verified
Community Expert Verified

Issues with Dual ISP Failover

L3 Networker

I followed these instructions to set up ISP failover : https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PLL8CAO

 

When the primary ISP1 goes down, it does indeed fail over to secondary ISP2, in every respect except that traffic doesn't use ISP2's NAT automatically. Upon failover, traffic continues trying to use the NAT rule associated with ISP1.  I have to manually go in and DISABLE ISP1's NAT rule, then traffic starts automatically flowing as expected via the NAT rule that exists for ISP2.

 

What can I do so that this NAT switch happens automatically upon failover? 

1 accepted solution

Accepted Solutions

Hi @pomologist ,

Looking at your screenshot it seems you have missed one key component when configuring the NAT rules - Destination Interface.

Astardzhiev_0-1661167836263.png

 

NAT rules are evaluated the same way as security rules - first match, top to bottom.

When you configured only source and destination zone for the NAT (using any for source/dest IPs) traffic will always hit the first rule and never reach the second one.

 

For that reason you must configure "Destination Interface", this will add the egressing interface as part of the matching criteria when evaluating the NAT rules.


So when your primary ISP is up and traffic is using the primary default route your egress/destination interface will be eth1/1 (primary internet).

When primary ISP is down and path monitor "disable" the primary default, traffic will take the backup default, buth this means egress/destination interface will be different, so this traffic will no longer match the first NAT rule and NAT evaluation will keep looking down reaching the second NAT rule.

 

Hope that make sense

View solution in original post

3 REPLIES 3

L3 Networker

Update:

Here are two screenshots that I hope will make things clearer. 

 

Something bizarre is going on.  ISP1 uses Eth1/1 Interface.  ISP2 uses Eth1/2 interface.  Bizarre thing is that Eth1/1 traffic is NATing through Eth 1/2's NAT rule successfully!  See photos.  What's going on? HELP!

Shot 2.jpgShot 1.jpg

Hi @pomologist ,

Looking at your screenshot it seems you have missed one key component when configuring the NAT rules - Destination Interface.

Astardzhiev_0-1661167836263.png

 

NAT rules are evaluated the same way as security rules - first match, top to bottom.

When you configured only source and destination zone for the NAT (using any for source/dest IPs) traffic will always hit the first rule and never reach the second one.

 

For that reason you must configure "Destination Interface", this will add the egressing interface as part of the matching criteria when evaluating the NAT rules.


So when your primary ISP is up and traffic is using the primary default route your egress/destination interface will be eth1/1 (primary internet).

When primary ISP is down and path monitor "disable" the primary default, traffic will take the backup default, buth this means egress/destination interface will be different, so this traffic will no longer match the first NAT rule and NAT evaluation will keep looking down reaching the second NAT rule.

 

Hope that make sense

L3 Networker

THANK YOU SO MUCH!!! I don't know how I missed that!  Yes of course it makes perfect sense.  I so much appreciate you pointing this out.

  • 1 accepted solution
  • 4349 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!