03-07-2021 12:27 AM
Hello all,
We have a configuration with dual ISPs.
From the 1st provider we get a public IP directly on the PA.
The 2nd provider is with NAT, I mean on the PA we have a private IP.
When the route goes through the 1st one everything works fine.
When we switch to the 2nd one there are problems. In the Monitoring tab I can see all requests to the Internet zone end with "Incomplete, aged out".
Meanwhile we have IPSecs configured and they worked just fine from both providers.
Can someone suggest what can be the problem?
Thank you in advance!
03-07-2021 10:30 PM
Hi @stef ,
As it is showing incomplete and you are facing problems reaching only the internet, you first need to verify the NAT configuration and check whether source NAT is happening properly before traffic goes to the ISP gateway. Although IPsec is working fine through the circuit, re-verify that the reverse path/routing config is clear. You need to have routes on the firewall to reach the subnet of the backend hosts that are sending the internet requests.
03-08-2021 02:14 PM
Hello,
I agree this sounds like a routing/NAT issue. Are you using PBF for the failover? Or are both ISPs live at the same time and routing traffic?
Please advise,
03-09-2021 05:54 AM
Hello,
I don't use PBF. They are both up.
I have default routes with different metrics.
03-09-2021 06:01 AM
Just agreeing with everybody else really, it does sound like a NAT issue. I would make sure all routes and NATs make sense and then look further from there.
03-14-2021 07:37 AM
Indeed it was a routing issue.
I push the config from Panorama.
The NAT policy changed to ISP2, but the default route remained the same because the virtual router config was overwritten and the changes from Panorama weren't applied.
Thank you all for your responses!
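
The mismatch described in the last post (NAT policy pointing at ISP2 while the active default route still egresses via ISP1) can be caught with a route/NAT consistency check. This is an added example, not part of the thread and not PAN-OS syntax or API: the interface names, addresses, metrics and rule names are constructed, and it assumes source NAT translates to an address in the egress interface's subnet.

```python
import ipaddress

# Constructed sample data (not exported from any device): interfaces,
# static default routes and source-NAT rules in a simplified model.
INTERFACES = {
    "ethernet1/1": "203.0.113.2/30",    # ISP1: public address on the firewall
    "ethernet1/2": "192.168.100.2/24",  # ISP2: private address, provider NATs upstream
}
DEFAULT_ROUTES = [
    {"name": "default-isp1", "interface": "ethernet1/1", "metric": 10},
    {"name": "default-isp2", "interface": "ethernet1/2", "metric": 20},
]
SNAT_RULES = [
    {"name": "internet-out", "egress_interface": "ethernet1/2",
     "translated_ip": "192.168.100.2"},
]

def active_default_route(routes):
    """Among default routes, the one with the lowest metric is installed."""
    return min(routes, key=lambda r: r["metric"])

def check_snat_consistency(interfaces, routes, snat_rules):
    """Return a list of findings; an empty list means route and NAT agree."""
    route = active_default_route(routes)
    egress = route["interface"]
    findings = []
    matching = [r for r in snat_rules if r["egress_interface"] == egress]
    if not matching:
        findings.append(f"no source-NAT rule matches egress {egress} "
                        f"(active route {route['name']})")
    for rule in matching:
        # Assumption: the translated address lives in the egress subnet.
        net = ipaddress.ip_interface(interfaces[egress]).network
        if ipaddress.ip_address(rule["translated_ip"]) not in net:
            findings.append(f"rule {rule['name']} translates to "
                            f"{rule['translated_ip']}, not on {egress} ({net})")
    return findings

if __name__ == "__main__":
    for finding in check_snat_consistency(INTERFACES, DEFAULT_ROUTES, SNAT_RULES):
        print("MISMATCH:", finding)
```

Running the same check against the configuration actually committed on the firewall, rather than the one intended in the management template, is what exposes an overwritten virtual router like the one in this thread.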