08-04-2017 01:09 PM
Hello Everybody,
I have several PAs for branches; we have MPLS that is connecting all our branches. We are changing our design in order to use site-to-site IPsec tunnels from each branch to the HQ, and using OSPF in our tunnel to advertise our subnets. Since we are connecting one site each week, we are still advertising the subnets via BGP until we finish all sites. I'm facing an issue with the routing and the forwarding table, since I'm receiving the subnets via EBGP and OSPF, and because EBGP has an AD of 20 and OSPF has 30, the PA is using the EBGP. To overcome this problem I lowered the AD of OSPF to 18 to become less than the EBGP. Now all my traffic must go through the tunnel and not EBGP. However, I noticed once I ping from the branch to the HQ the traffic is passing through the tunnel, which is good, but from the HQ PA to the branch the traffic is using the EBGP and not the tunnel, which is not logical since also the OSPF AD is less than EBGP. Is this a bug with PA IOS 8.0? Or is there another issue which I'm missing?
08-04-2017 02:20 PM
Hello,
So you want all traffic to use the VPN instead of the MPLS and then remove MPLS, correct? If yes, then you can utilize policy based forwarding at the remote sites until the MPLS is decommed. Also, with the PBF, if the VPN goes down you can have it default back to MPLS.
Have a static route that points all traffic out via the MPLS.
Since PBF takes place prior to static routing, everything will go down the VPN via the PBF rule. If the IP in the Monitor is unreachable, then the PBF is disabled and traffic will follow the static route you have defined to send down the MPLS.
Once the VPN is available again, the monitor will notice and reenable the PBF so then all traffic will flow down the VPN path.
Additional detailed info:
Let me know if you would like further details.
Cheers!
08-05-2017 02:06 AM - edited 08-05-2017 02:07 AM
Hi,
Thanks for your reply,
I know we can use a lot of workaround solutions like PBF and using two static routes with different metrics and monitoring. But I planned for this scenario with dynamic routing and I have to make it work without static routing. My thing is I forced the OSPF to have the priority by lowering its AD to 18 to make it less than EBGP, and it's not working from one side. Why is it using the wrong forwarding path? I need to fix it.
08-05-2017 02:38 AM
You also lowered the AD of OSPF on the HQ and not only on the branches, right? If your forwarding table is absolutely correct on the HQ and the traffic still takes the wrong path, the best you can probably do is to open a TAC case...
(What exact version of PAN-OS 8 is installed on your firewalls?)
Regards,
Remo
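The check Remo raises (whether the lowered OSPF AD was applied on the HQ as well, not only on the branches) can be reasoned through with a small model of per-device route selection: each firewall picks its own FIB entry, so the return path is only symmetric if both ends prefer the same protocol. This is an added example, not code from the thread or from Palo Alto Networks; the prefixes, the "mpls"/"tunnel" next-hop labels and the simplified selection rule (longest prefix, then lowest AD) are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Administrative distances quoted in the thread: eBGP 20 and OSPF 30 by default,
# and the lowered OSPF value of 18 the poster configured.
DEFAULT_AD = {"ebgp": 20, "ospf": 30}


@dataclass(frozen=True)
class Route:
    prefix: str    # destination network, e.g. "10.0.0.0/16" (constructed)
    protocol: str  # "ebgp" (learned over MPLS) or "ospf" (learned over the tunnel)
    next_hop: str  # constructed label: "mpls" or "tunnel"


def best_route(routes, dst, ad_overrides=None):
    """Pick the FIB entry this device would use for dst.

    Simplified model (assumption): longest prefix match first, then the
    lowest administrative distance; metric and other tie-breakers are ignored.
    """
    ad = {**DEFAULT_AD, **(ad_overrides or {})}
    candidates = [r for r in routes if ip_address(dst) in ip_network(r.prefix)]
    if not candidates:
        return None
    return min(candidates,
               key=lambda r: (-ip_network(r.prefix).prefixlen, ad[r.protocol]))


def path_symmetry(branch_routes, hq_routes, branch_ad, hq_ad, hq_host, branch_host):
    """Return (symmetric, branch->HQ next hop, HQ->branch next hop)."""
    fwd = best_route(branch_routes, hq_host, branch_ad)
    rev = best_route(hq_routes, branch_host, hq_ad)
    return fwd.next_hop == rev.next_hop, fwd.next_hop, rev.next_hop


# Constructed sample: HQ subnet 10.0.0.0/16 and branch subnet 10.20.0.0/16,
# each learned both via eBGP (MPLS) and via OSPF (IPsec tunnel).
BRANCH_ROUTES = [Route("10.0.0.0/16", "ebgp", "mpls"),
                 Route("10.0.0.0/16", "ospf", "tunnel")]
HQ_ROUTES = [Route("10.20.0.0/16", "ebgp", "mpls"),
             Route("10.20.0.0/16", "ospf", "tunnel")]
LOWERED_OSPF = {"ospf": 18}


def check_scenarios():
    """AD lowered on the branch only vs. on both ends, as in the thread."""
    branch_only = path_symmetry(BRANCH_ROUTES, HQ_ROUTES, LOWERED_OSPF, None,
                                "10.0.1.10", "10.20.1.10")
    both_ends = path_symmetry(BRANCH_ROUTES, HQ_ROUTES, LOWERED_OSPF, LOWERED_OSPF,
                              "10.0.1.10", "10.20.1.10")
    return branch_only, both_ends
```

With the override on the branch only, the model reproduces the asymmetry described in the question (branch sends via the tunnel, HQ replies via MPLS); with the same override on both firewalls both directions use the tunnel.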
08-05-2017 02:44 AM - edited 08-05-2017 02:47 AM
Yes, I also lowered the HQ OSPF AD. I'll proceed to open a case.
I'm using PA 8.0