03-16-2018 04:33 AM - edited 03-16-2018 04:48 AM
We are configuring a new routing scenario, but we are experiencing a problem taking the correct route.
This is our static route table:
destination interface gateway metric
10.50.1.0/24 eth1/1 10.50.250.1 1
10.50.2.0/24 eth1/1 10.50.250.1 1
10.0.0.0/8 eth1/5 10.50.50.4 10
If we run a "test routing fib....." we can see all traffic going to the 10.0.0.0/8 route, although we have two /24 routes.
If we run a session to IP 10.50.2.10 (second route), the firewall is sending the traffic to gateway 10.50.50.4. Why???
We have two more restrictive routes with a higher metric in order to take preference, but it's not working.
I understand that the static route election is:
1) Metric (less metric, more preference)
2) Restrictive route. Mask /8 is less preference than /24.
Why is the FW taking the /8 route??? We have had to create PBR in order to solve it.
03-16-2018 05:48 AM
It's quite simple.
We have a 10.0.0.0/8 route going to the eth5 interface. But we want several /24 networks to take another, different interface.
To my understanding, I thought that metric or a more restrictive route would take preference over the /8 route.
03-16-2018 05:51 AM
Yes it does. /24 beats /8, regardless of metric.
But only if the route is valid.
Please post the IP interfaces of eth1/1 and eth1/5; this may show that your route is invalid.
03-16-2018 06:07 AM
Eth1/1 FW IP is 10.50.250.2
Eth1/5 FW IP is 10.50.50.5
I don't think this is related to the IP interface.
03-16-2018 06:24 AM
This should work as expected. Can you share the rest of your config (interface IPs and full routing table, possibly the output of show routing route etc.) so we can have a better view of what could be going on?
Your assumption is correct that the smaller subnet should get preference over the supernet, but maybe we're missing something in the bigger picture.
03-16-2018 06:38 AM
This is the scenario. We have the routes to avoid asymmetric routing.
It's weird that everything is taking the /8 route.
03-16-2018 06:47 AM
What is the subnet mask of 10.50.50.5?
03-16-2018 06:53 AM
/28. We have HSRP on the 4500 device.
03-16-2018 07:02 AM
just as a test... if you add the following static route..
destination interface gateway metric
172.21.50.0/24 eth1/1 10.50.250.1 1
and trace route to 172.21.50.1, where does that go... 250.1 or 50.4 ?
03-16-2018 08:53 AM
What version of PAN-OS are you running? Did you verify that all of the routes are actually showing up in the fib on Palo Alto firewall (you may have to disable PBR to see this)? Is interface monitoring enabled?
03-19-2018 12:39 AM - edited 03-19-2018 12:42 AM
PAN-OS is: 6.1.14
This is the routing table.
The FW is always taking the route 10.0.0.0/8, although we have several /24.....
03-19-2018 02:25 AM
Are you sure 10.50.250.1 is a valid interface?
If not, then your /24 routes will depreciate and /8 will be used.
03-19-2018 02:35 AM
03-19-2018 02:38 AM - edited 03-19-2018 02:40 AM
Can you double check whether the 10.50.250.0 subnet shows up in the routing table as 'connected' (and a /32 as 'Host')? This is necessary for it to be usable as nexthop for other routes.
reaper@myNGFW> show routing route
flags: A:active, ?:loose, C:connect, H:host, S:static, ~:internal, R:rip, O:ospf, B:bgp, Oi:ospf intra-area, Oo:ospf inter-area, O1:ospf ext-type-1, O2:ospf ext-type-2, E:ecmp, M:multicast

VIRTUAL ROUTER: vr_internet (id 1)
==========
destination         nexthop          metric  flags  age  interface    next-AS
0.0.0.0/0           198.51.100.1     10      A S         ethernet1/1
198.51.100.0/24     198.51.100.241   0       A C         ethernet1/1
198.51.100.241/32   0.0.0.0          0       A H
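The two rules the replies lean on (a static route is only installed when its nexthop sits inside a connected subnet on that interface, and among installed routes the longest prefix wins with metric only breaking ties) modelled on the thread's own three routes. This is an added example, not code from the thread or from PAN-OS; the interface masks passed in are constructed assumptions, one that makes 10.50.250.1 reachable and one that does not.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    dest: ipaddress.IPv4Network
    interface: str
    gateway: ipaddress.IPv4Address
    metric: int


def connected_networks(interface_ips):
    """interface_ips: {"eth1/1": "10.50.250.2/24", ...} -> [(iface, network)]."""
    return [(ifc, ipaddress.ip_interface(a).network) for ifc, a in interface_ips.items()]


def is_valid(route, connected):
    # Nexthop must lie in a 'C' (connected) subnet on the route's own interface,
    # otherwise the route never reaches the FIB (the /24s "depreciate" in the thread).
    return any(ifc == route.interface and route.gateway in net for ifc, net in connected)


def build_fib(routes, interface_ips):
    connected = connected_networks(interface_ips)
    return [r for r in routes if is_valid(r, connected)]


def lookup(fib, ip):
    ip = ipaddress.ip_address(ip)
    candidates = [r for r in fib if ip in r.dest]
    if not candidates:
        return None
    # Longest prefix first; metric only decides between equal-length prefixes.
    return min(candidates, key=lambda r: (-r.dest.prefixlen, r.metric))


def static_routes():
    def mk(d, i, g, m):
        return Route(ipaddress.ip_network(d), i, ipaddress.ip_address(g), m)
    return [mk("10.50.1.0/24", "eth1/1", "10.50.250.1", 1),
            mk("10.50.2.0/24", "eth1/1", "10.50.250.1", 1),
            mk("10.0.0.0/8", "eth1/5", "10.50.50.4", 10)]


def next_hop_for(ip, interface_ips):
    """Gateway chosen for ip after FIB installation, or None if nothing matches."""
    r = lookup(build_fib(static_routes(), interface_ips), ip)
    return str(r.gateway) if r else None


if __name__ == "__main__":
    good = {"eth1/1": "10.50.250.2/24", "eth1/5": "10.50.50.5/28"}  # constructed masks
    bad = {"eth1/1": "10.50.250.2/31", "eth1/5": "10.50.50.5/28"}   # .1 outside eth1/1 subnet
    print(next_hop_for("10.50.2.10", good))  # 10.50.250.1: /24 installed and wins
    print(next_hop_for("10.50.2.10", bad))   # 10.50.50.4: /24s invalid, /8 used
```

Comparing the two outputs is the check the reply asks for: if the /24 route's nexthop is not inside a connected subnet, the supernet silently takes over even though the more specific route is configured.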