Ping to internet from 2nd interface IP is not working


I have 2 outside interfaces configured with the below IPs.

 

  1. When I try to ping 4.2.2.2 using source as 94.56.143.XX interface 1/1, ping is successful (Untrust Zone)
  2. But if I try to ping 4.2.2.2 using source as 94.56.202.XXX interface 1/2, ping is unsuccessful. (HE Zone)

When I try from the HE zone, it should go through the HE zone, but it is going to the untrust zone and getting denied.

 

I mean

ISP 1 connected to interface 1/3 with default route 0.0.0.0 of metric 5

ISP 2 connected to interface 1/2 with default route 0.0.0.0 of metric 11

From ISP 1, interface 1/3 is pinging 4.2.2.2 and we are able to see the traffic log, which is allowed by the intra-zone policy.

From ISP 2, interface 1/2 is not pinging 4.2.2.2 and is getting denied by the inter-zone policy.

It's possible to ping from the 1/2 interface itself toward the Internet.


@Mohammed_Yasin,

Sounds like you don't have a security rulebase entry that actually allows the traffic; you'll still need to allow the traffic.

Yes. There is no ruleset...

 

Interfaces 1/2 and 1/3 each have a default route 0.0.0.0/0 with a different metric value to their respective ISP's next hop.

Interface 1/2 is attached to the HE security zone and interface 1/3 is attached to the Untrust zone.

The default route of interface 1/2 has metric value 11 and that of interface 1/3 has metric value 5.

But interface 1/3 (untrust zone) reaches the internet with its own interface, and when interface 1/2 (HE zone) tries to reach the internet it goes with the untrust interface...

So I am looking for anything to do so that it can reach the internet with its own interface...

 

@Mohammed_Yasin,

So some things to keep in mind:

 

1) The firewall is routing your traffic as you've specified with your routes. ISP1 has the lowest metric and is always going to be selected unless you utilize path-monitoring on the route so the route can be removed from the RIB and FIB, which would make your secondary route take over. This is why you are seeing the traffic as you are; the traffic is going to utilize ISP1.

2) If you are using PBF to attempt to route some of the traffic through ISP2, traffic has to ingress a firewall interface to be evaluated for PBF. Traffic sourced directly from the firewall isn't going to hit any PBF you have configured. So while a PBF for traffic routing will work for clients behind the firewall, it won't work for anything terminating on the firewall itself or sourced from the firewall itself.
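The two points in the reply above can be traced with a small model, added here as an illustration; it is not PAN-OS code and not part of the original posts. It assumes the zone names, metrics and interfaces 1/2 and 1/3 given in the thread, while the `Trust` zone, interface `1/5`, and the `pbf` and `allow_rules` structures are hypothetical simplifications.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Route:
    egress_if: str
    zone: str
    metric: int
    path_up: bool = True  # False = path monitoring failed, route withdrawn

# Default routes as described in the thread.
ISP1 = Route("1/3", "Untrust", metric=5)
ISP2 = Route("1/2", "HE", metric=11)

def route_lookup(routes):
    """Lowest-metric route among those still installed."""
    live = [r for r in routes if r.path_up]
    return min(live, key=lambda r: r.metric) if live else None

def forward(src_zone, ingress_if, routes, pbf=None, allow_rules=()):
    """Return (egress_if, egress_zone, verdict) for one new session.

    ingress_if is None for traffic sourced from the firewall itself.
    pbf maps a source zone to a forced Route (hypothetical, simplified PBF rule).
    allow_rules is a set of (from_zone, to_zone) security rules.
    """
    route = None
    if ingress_if is not None and pbf:  # PBF only sees ingressing traffic
        route = pbf.get(src_zone)
    route = route or route_lookup(routes)
    if route is None:
        return (None, None, "no route")
    if src_zone == route.zone:
        verdict = "allow (intrazone)"
    elif (src_zone, route.zone) in allow_rules:
        verdict = "allow (rule)"
    else:
        verdict = "deny (interzone)"
    return (route.egress_if, route.zone, verdict)

if __name__ == "__main__":
    both = [ISP1, ISP2]
    print(forward("Untrust", None, both))               # ping sourced from the 1/3 address
    print(forward("HE", None, both))                    # ping sourced from the 1/2 address
    print(forward("HE", None, both, pbf={"HE": ISP2}))  # PBF skipped: firewall-sourced
    print(forward("HE", None, [replace(ISP1, path_up=False), ISP2]))  # ISP1 withdrawn
    print(forward("Trust", "1/5", both, pbf={"Trust": ISP2},
                  allow_rules={("Trust", "HE")}))       # client behind the firewall
```

The second and third calls reproduce the symptom in the question: the session leaves through the lower-metric Untrust route and is treated as HE-to-Untrust, regardless of any PBF rule.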
