I’ve got a problem with policy based forwarding. I have 2 ISPs - traffic to the 1st ISP is forwarded by PBF, to the 2nd via the default route. The PBF rule monitors the remote target’s IP and the availability of the nexthop address. My question is: how is PBF checking the availability of the nexthop address? I have a sniffer open on the nexthop address host but I can’t find any specific traffic.
In the system log I’ve got many entries like this: “Vsys 1 PBF rule pbf nexthop is DOWN”. How can I debug this?
While the PBF status is DOWN I can ping the nexthop address from the adjacent interface of the Palo Alto.
I have the same problem. I have a deny all at the bottom of the security rules but Untrust to Untrust. The PBF next hop says it's down and the rule disables the route, but the next hop is up. I am on 5.0.1 and this still occurs frequently, every few hours. DOES ANYONE KNOW HOW PBF CHECKS THE NEXT HOP AND WHY IT SAYS DOWN WHEN IT'S UP??
Can anyone from PAN comment? This has been recurring for a few days. I have opened tickets but we haven't got to a root cause. How does the egress monitor see the next hop as up? Would a static ARP help? There are no pings in the packet capture, so how does it know this is up or down? It's up but shows down. Does it not come back up after it goes down?
Hi All; Finally figured out what it is. So the PBF rule does monitor from the egress interface configured in the rule. It will come back up if the next hop is up. The monitor uses PING. My problem was that I was trying to fully mesh active-passive firewalls and had connected hubs from both uplinks of the firewalls to a single uplink for the ISP that was having the problem. When I connect the ISP directly to the PAN device the pings stay normal. Time to replace some hubs.
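For the "how can I debug this?" question earlier in the thread, here is an added example (not code from the thread or from Palo Alto Networks) that parses system-log entries in the format quoted above and reports, per PBF rule, how often and for how long the next hop was marked DOWN and whether it is flapping the way the "every few hours" description suggests. The timestamp layout, the wording of the UP message and the sample lines themselves are constructed assumptions; only the DOWN message text comes from the thread.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log. The DOWN wording matches the thread; the timestamp
# format and the "is UP" counterpart are assumptions for this example.
SAMPLE_LOG = """\
2013/01/10 08:00:05 Vsys 1 PBF rule pbf nexthop is DOWN
2013/01/10 08:00:35 Vsys 1 PBF rule pbf nexthop is UP
2013/01/10 11:14:02 Vsys 1 PBF rule pbf nexthop is DOWN
2013/01/10 11:14:40 Vsys 1 PBF rule pbf nexthop is UP
2013/01/10 14:02:11 Vsys 1 PBF rule pbf nexthop is DOWN
2013/01/10 14:03:00 Vsys 1 PBF rule pbf nexthop is UP
2013/01/10 14:10:00 Vsys 1 PBF rule pbf-backup nexthop is DOWN
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) "
    r"Vsys (?P<vsys>\d+) PBF rule (?P<rule>\S+) nexthop is (?P<state>UP|DOWN)$"
)

def parse(log_text):
    """Yield (timestamp, vsys, rule, state) for every line that matches."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield (datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S"),
                   int(m["vsys"]), m["rule"], m["state"])

def summarize(log_text, window=timedelta(hours=24), flap_threshold=3):
    """Per (vsys, rule): DOWN count, seconds spent DOWN, flap flag, current state."""
    stats = {}
    for ts, vsys, rule, state in sorted(parse(log_text)):
        r = stats.setdefault((vsys, rule), {"downs": 0, "down_seconds": 0.0,
                                           "down_times": [], "went_down_at": None})
        if state == "DOWN":
            r["downs"] += 1
            r["down_times"].append(ts)
            r["went_down_at"] = ts
        elif r["went_down_at"] is not None:   # UP that closes a recorded outage
            r["down_seconds"] += (ts - r["went_down_at"]).total_seconds()
            r["went_down_at"] = None
    for r in stats.values():
        t = r["down_times"]
        # Flapping: at least flap_threshold DOWN events inside one window.
        r["flapping"] = len(t) >= flap_threshold and (t[-1] - t[0]) <= window
        r["still_down"] = r["went_down_at"] is not None   # no UP seen after last DOWN
    return stats
```

A rule that shows as flapping while the next hop answers pings from the firewall's own interface points at the path between the egress interface and the next hop (the shared hubs in this thread) rather than at the next hop itself.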