We have a configuration with dual ISP.
From the 1st provider we get a public IP directly on the PA.
The 2nd provider is with NAT, I mean on the PA we have a private IP.
When the route goes through the 1st one everything works fine.
When we switch to the 2nd one there are problems. In the monitoring tab I can see all requests to the Internet zone end with "Incomplete, aged out".
Meanwhile we have IPSecs configured and they worked just fine from both providers.
Can someone suggest what the problem can be?
Thank you in advance!
Hi @stef ,
As it is showing incomplete and you are facing problems reaching only the internet, you need to first verify the NAT configuration and check if Source NAT before going to the ISP gateway is happening properly. Although IPsec is working fine through the circuit, re-verify that the reverse path/routing config is clear. You need to have routes on the firewall to reach the subnet of the backend hosts that are sending the internet requests.
Just agreeing with everybody else really, it does sound like a NAT issue. I would make sure all routes and NATs make sense and then look further from there.
Indeed it was a routing issue.
I push the config from Panorama.
The NAT policy changed to ISP2, but the default route remained the same because the virtual router config was overwritten and the changes from Panorama weren't applied.
Thank you all for your responses!
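The mismatch that turned out to be the cause here (NAT policy pointing at ISP2 while the default route still pointed at ISP1) can be checked for after a config push. The following is an added example, not part of the original posts and not PAN-OS output: it assumes routes and source-NAT rules have already been extracted into simple Python dicts, and all interface names, addresses and rule names are constructed.

```python
import ipaddress

# Constructed sample: state after the push described above. The NAT rule now
# targets the ISP2 interface, but the route table still holds the old default
# route via ISP1. Interface names, addresses and rule names are made up.
ROUTES = [
    {"destination": "0.0.0.0/0", "interface": "ethernet1/1",
     "nexthop": "198.51.100.1", "metric": 10},
    {"destination": "10.20.0.0/16", "interface": "ethernet1/3",
     "nexthop": "10.20.0.1", "metric": 10},
]
NAT_RULES = [
    {"name": "internet-snat", "to_interface": "ethernet1/2"},
]
PROBE = "203.0.113.10"  # documentation-range address standing in for an Internet host


def egress_route(dest, routes):
    """Longest-prefix match, ties broken by lowest metric; None if no route."""
    addr = ipaddress.ip_address(dest)
    hits = [r for r in routes if addr in ipaddress.ip_network(r["destination"])]
    if not hits:
        return None
    return min(hits, key=lambda r: (-ipaddress.ip_network(r["destination"]).prefixlen,
                                    r["metric"]))


def nat_route_mismatches(routes, nat_rules, probe=PROBE):
    """Return (rule, nat_interface, routed_interface) for each source-NAT rule
    whose egress interface is not the one the route table sends `probe` out of."""
    route = egress_route(probe, routes)
    routed = route["interface"] if route else None
    return [(r["name"], r["to_interface"], routed)
            for r in nat_rules if r["to_interface"] != routed]


if __name__ == "__main__":
    for name, nat_if, routed_if in nat_route_mismatches(ROUTES, NAT_RULES):
        print(f"{name}: NAT expects {nat_if}, route table uses {routed_if}")
```

A non-empty result means traffic leaves on one ISP's interface while the NAT rule is written for the other, which matches the "Incomplete, aged out" sessions described in the first post.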