Need some suggestion about the routing between 2 internet outgoing interfaces

L2 Linker

Need some suggestion about the routing between 2 internet outgoing interfaces

I recently submitted a case to PA support about one of the internet-facing interfaces, which cannot contact the outside and cannot be contacted from outside. Using ping to diagnose, I found that the ping request and the ping reply use two different routes.

 

This is because the two interfaces each have their own zone and serve different purposes:

1. Staff use the 1st data line, and use the 2nd data line if the first one is down.

2. Guests use only the 2nd data line.

This was achieved with NAT and Policy Based Forwarding.

The problematic one is the 2nd interface, which has the asymmetric routing issue.

 

But I set up only one virtual router, in which the static route of the 1st data line has the higher priority. This causes outgoing traffic to always use the 1st interface, while return traffic comes in from the 2nd interface.

 

PA support suggested I merge the two interfaces into the same zone. But I suspect this may violate the network design mentioned above.

 

Is there any way to force the 2nd interface's outgoing and incoming traffic to always use the same route?

L5 Sessionator

Re: Need some suggestion about the routing between 2 internet outgoing interfaces

What about pointing your default route to your 2nd data line, then doing a PBF to force traffic (for staff only, if that's what your requirement is) to go out via the 1st data line, and enabling the "enforce symmetric return" option?

 

On the PBF rule you would then enable monitoring, so that if the gateway for the 1st data line is unreachable, failover to the 2nd data line works by going out via the default route after the PBF rule is disabled, as per the option "Disable this rule if nexthop/monitor is unreachable".

 

Cheers,

Luke.
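A small model of the forwarding order the suggestion above relies on, added here for illustration and not taken from the thread or from Palo Alto Networks: an existing session is consulted first, then the PBF rules, then the virtual router's FIB. Zone names, interface names, addresses (RFC 5737 and private ranges) and the two topologies are constructed, and the PAN-OS behaviour is simplified to just what the thread discusses. It compares the poster's current setup (one virtual router, default route preferring the 1st data line) with the suggested one (default route on the 2nd data line, a monitored PBF rule for staff) for the inbound ping to the 2nd interface, for staff and guest egress, and for failover when the 1st gateway stops answering.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: str
    interface: str
    metric: int            # lower wins among equal-length prefixes (the "priority" in the thread)


@dataclass(frozen=True)
class PBFRule:
    from_zone: str
    egress: str
    monitor_ip: str                 # gateway probed by the rule's path monitor
    disable_if_unreachable: bool    # "Disable this rule if nexthop/monitor is unreachable"
    symmetric_return: bool          # "enforce symmetric return": replies of this session
                                    # leave via the interface the session arrived on


class Firewall:
    """Simplified model of one PAN-OS virtual router plus its PBF rulebase."""

    def __init__(self, zones, own_ips, routes, pbf_rules, reachable_gateways):
        self.zones = zones                    # interface -> zone
        self.own_ips = set(own_ips)           # addresses that belong to the firewall itself
        self.routes = [Route(*r) for r in routes]
        self.pbf = list(pbf_rules)
        self.reachable = set(reachable_gateways)
        self.sessions = {}                    # (src, dst) -> (ingress interface, symmetric?)

    def fib_lookup(self, dst):
        addr = ipaddress.ip_address(dst)
        matches = [r for r in self.routes if addr in ipaddress.ip_network(r.prefix)]
        best = min(matches, key=lambda r: (-ipaddress.ip_network(r.prefix).prefixlen, r.metric))
        return best.interface

    def egress(self, ingress, src, dst):
        """Interface a packet src->dst leaves on; ingress=None for firewall-originated packets."""
        reverse = self.sessions.get((dst, src))
        if reverse is not None:                            # 1. reply to an existing session
            sess_ingress, symmetric = reverse
            return sess_ingress if symmetric else self.fib_lookup(dst)
        if ingress is not None:
            self.sessions[(src, dst)] = (ingress, False)   # default: replies are routed by the FIB
            if dst in self.own_ips:
                return "local"
            zone = self.zones[ingress]
            for rule in self.pbf:                          # 2. PBF is evaluated before the FIB
                if rule.from_zone != zone:
                    continue
                if rule.disable_if_unreachable and rule.monitor_ip not in self.reachable:
                    continue                               # monitor failed: the rule is skipped
                self.sessions[(src, dst)] = (ingress, rule.symmetric_return)
                return rule.egress
        return self.fib_lookup(dst)                        # 3. virtual router FIB


# Constructed topology: ethernet1/1 is the 1st data line, ethernet1/2 the 2nd.
ZONES = {"ethernet1/1": "ISP1", "ethernet1/2": "ISP2",
         "ethernet1/3": "Staff", "ethernet1/4": "Guest"}
LINE1_GW, LINE2_GW = "203.0.113.1", "198.51.100.1"
LINE2_IF_IP = "198.51.100.2"          # the 2nd interface that could not be pinged
CONNECTED = [("10.10.0.0/24", "ethernet1/3", 0), ("10.20.0.0/24", "ethernet1/4", 0)]
STAFF_PC, GUEST_PC, OUTSIDE = "10.10.0.25", "10.20.0.25", "192.0.2.50"


def build(prefer_line1, staff_symmetric, line1_up):
    """prefer_line1=True is the poster's current VR; False is the suggested default via line 2."""
    defaults = [("0.0.0.0/0", "ethernet1/1", 10 if prefer_line1 else 20),
                ("0.0.0.0/0", "ethernet1/2", 20 if prefer_line1 else 10)]
    rules = [PBFRule("Staff", "ethernet1/1", LINE1_GW, True, staff_symmetric),
             PBFRule("Guest", "ethernet1/2", LINE2_GW, False, False)]
    reachable = {LINE1_GW, LINE2_GW} if line1_up else {LINE2_GW}
    return Firewall(ZONES, [LINE2_IF_IP], CONNECTED + defaults, rules, reachable)


def ping_line2(fw):
    """An outside host pings the line-2 interface; returns (request ingress, reply egress)."""
    fw.egress("ethernet1/2", OUTSIDE, LINE2_IF_IP)         # echo request arrives on line 2
    return "ethernet1/2", fw.egress(None, LINE2_IF_IP, OUTSIDE)


def staff_path(fw):
    return fw.egress("ethernet1/3", STAFF_PC, OUTSIDE)


def guest_path(fw):
    return fw.egress("ethernet1/4", GUEST_PC, OUTSIDE)


if __name__ == "__main__":
    current = build(prefer_line1=True, staff_symmetric=False, line1_up=True)
    print("current:   ping on line 2, request in / reply out:", ping_line2(current))
    proposed = build(prefer_line1=False, staff_symmetric=True, line1_up=True)
    print("proposed:  ping on line 2, request in / reply out:", ping_line2(proposed))
    print("proposed:  staff via", staff_path(proposed), "/ guest via", guest_path(proposed))
    line1_down = build(prefer_line1=False, staff_symmetric=True, line1_up=False)
    print("line 1 gateway unreachable: staff via", staff_path(line1_down))
```

In the current setup the reply to an echo request that arrived on ethernet1/2 is routed by the FIB to ethernet1/1, which is the asymmetry in the question. With the default route moved to the 2nd line the reply leaves on ethernet1/2 without needing any PBF rule for that zone, staff still leave on ethernet1/1 through the PBF rule, and when the 1st gateway is unreachable the monitored rule is skipped and staff traffic falls through to the same default route. Swapping the preference back (build with prefer_line1=True) shows why the two settings go together: a disabled PBF rule alone would drop staff onto a FIB that still points at line 1.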

L2 Linker

Re: Need some suggestion about the routing between 2 internet outgoing interfaces

Hello LukeBullimore,

If I set the 2nd data line to the higher priority, will the same problem happen on the 1st data line?

In my current settings, the user subnet can use the 2nd data line to reach the internet. Only the interface itself cannot. I want to use this interface for sending alert emails and getting PAN-OS updates.

The 1st data line has no service route needs. But I still hope it can be pinged.
