Problem with two ISPs and two SSL-VPN portals

L1 Bithead

Hello

We have a PA500. It is connected to two ISPs. The requirement of moving specific traffic from the LAN to one ISP, and the other traffic from the LAN to the second one, is easy using policy-based forwarding. But I have a problem with two separate SSL-VPN portal connections. As there are two ISPs, I configured two default routes (0.0.0.0/0): one to ISP1 with a lower metric, and one to the second ISP with a higher one. I configured two loopback interfaces, on which the SSL-VPNs are accessible from the WAN (those two loopbacks have private addresses and are destination-NATed to public ones). The loopbacks are in the VPN zone, while their NATed addresses are: one in the ISP1 zone, the second in the ISP2 zone. Additionally I configured policy-based routing: if the source zone is VPN and the source address is loopback1, then the default route is the address of ISP1; and a second rule: if the source zone is VPN and the source address is loopback2, then the default route is to ISP2.

But unfortunately, traffic from both SSL-VPN portals is pushed to the default gateway of higher priority (ISP1). So if there is a problem with the link to ISP1 (one that does not cause the PA500 interface to go down), it is not possible to establish an SSL-VPN connection through either of the two portals (as the second portal, tied to ISP2, tries to answer through ISP1's gateway). Only disconnecting the cable from the PA500 makes the system work properly (if both ISPs are accessible, there is connectivity to both SSL-VPN portals).

Does it mean that loopback interfaces cannot work with policy-based forwarding, and only work with standard destination routes defined in the router?

Regards

Piotr


2 REPLIES

L1 Bithead

OK, I resolved this problem by setting up another virtual router, only for SSL-VPN traffic from the second ISP.

L0 Member

Confirmed. I had the same problem this week. Packet debug shows that PBR is not working properly for loopback interfaces. This needs to be fixed in PAN-OS.
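The accepted workaround (a second virtual router) spelled out as a PAN-OS CLI configuration. This is an added example, not configuration posted in the thread; the interface names, zone names, virtual-router names, the LAN and client-pool prefixes and the RFC 5737 addresses are assumptions, and the set-command syntax should be checked against your PAN-OS version before use. The point it shows: each ISP uplink and the loopback whose public address is NATed toward that ISP live in the same virtual router, so the return path for portal traffic is decided by that VR's own default route, and PBF is not involved at all.

```text
# Assumed interfaces: ethernet1/1 = ISP1 uplink, ethernet1/2 = ISP2 uplink,
# ethernet1/3 = LAN, loopback.1 / loopback.2 = the two SSL-VPN portals.
set network interface ethernet ethernet1/1 layer3 ip 198.51.100.2/30
set network interface ethernet ethernet1/2 layer3 ip 203.0.113.2/30
set network interface loopback units loopback.1 ip 192.168.250.1/32
set network interface loopback units loopback.2 ip 192.168.250.2/32

# VR "default": ISP1 uplink, the LAN, and the ISP1-facing portal loopback.
# The LAN-to-ISP split done with PBF stays in this VR, unchanged.
set network virtual-router default interface [ ethernet1/1 ethernet1/3 loopback.1 ]
set network virtual-router default routing-table ip static-route default-isp1 destination 0.0.0.0/0 nexthop ip-address 198.51.100.1 interface ethernet1/1 metric 10

# VR "vr-isp2": only the ISP2 uplink and the ISP2-facing portal loopback.
# Its single default route is the only exit, so portal replies leave via ISP2.
set network virtual-router vr-isp2 interface [ ethernet1/2 loopback.2 ]
set network virtual-router vr-isp2 routing-table ip static-route default-isp2 destination 0.0.0.0/0 nexthop ip-address 203.0.113.1 interface ethernet1/2 metric 10

# DNAT the public address on the ISP2 uplink to loopback.2 (zone names assumed).
set rulebase nat rules dnat-portal2 from ISP2 to ISP2 source any destination 203.0.113.2 service service-https destination-translation translated-address 192.168.250.2

# Inter-VR routes (assumed prefixes): the second VR has no route to the LAN,
# so tunnel traffic from clients of portal 2 needs a path across the VR boundary
# in both directions. 10.10.0.0/16 = LAN, 10.20.20.0/24 = client pool of portal 2.
set network virtual-router vr-isp2 routing-table ip static-route to-lan destination 10.10.0.0/16 nexthop next-vr default
set network virtual-router default routing-table ip static-route to-vpn2-pool destination 10.20.20.0/24 nexthop next-vr vr-isp2
```

Two things worth checking after committing. First, verify that the original failure mode is actually gone: with the ISP1 upstream unreachable but the ethernet1/1 link still up, a connection to the portal on 203.0.113.2 should now complete, because nothing in vr-isp2 can send the reply toward ISP1. Second, the static default route in each VR still cannot detect an upstream failure on its own link; if portal 1 must fail over rather than simply stay isolated, that is a separate path-monitoring question and not something this two-VR split solves.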
