11-23-2010 11:06 AM
Hello
We have a PA500. It is connected to two ISPs. The requirement of moving specific traffic from the LAN to one ISP, and the other traffic from the LAN to the second one, is easy, using policy based forwarding. But I have a problem with two separate SSL-VPN portal connections. As there are two ISPs, I configured two default routes (0.0.0.0/0), one to ISP1 with a lower metric, and one to ISP2 with a higher one. I configured two loopback interfaces, on which the SSL-VPNs are accessible from the WAN (those two loopbacks have private addresses, and are destination NATed to public ones). The loopbacks are in the VPN zone, while their NATed addresses are: one in the ISP1 zone, the second in the ISP2 zone. Additionally I configured policy based routing, so that if the source zone is VPN and the source address is loopback1, the default route is the address of ISP1, and a second rule, so that if the source zone is VPN and the source address is loopback2, the default route is to ISP2.
But unfortunately, traffic from both SSL-VPN portals is pushed to the default gateway of higher priority (ISP1). So if there is a problem with the link to ISP1 (that does not cause the PA500 interface to go down), it is not possible to establish an SSL-VPN connection through either of the two portals (as the second portal, tied to ISP2, tries to answer through ISP1's gateway). Only disconnecting the cable from the PA500 makes the system work properly (if both ISPs are accessible, there is a connection to both SSL-VPN portals).
Does it mean that loopback interfaces cannot work with policy based forwarding, and only work with standard destination routes defined in the router?
Regards
Piotr
11-25-2010 01:33 PM
Ok, I resolved this problem by setting up another virtual router, only for SSL-VPN traffic from the second ISP.
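The following PAN-OS CLI configuration is an added example illustrating the workaround described in the reply above (a second virtual router that owns the second loopback and the ISP2 uplink, so the loopback's reply traffic follows that router's own default route instead of depending on a PBF rule). It is not the poster's configuration: every interface name, virtual router name, zone name and IP address here is a hypothetical placeholder, and the underlying assumption is that the ISP2 uplink is moved into the second virtual router together with the second loopback.

```text
# Added example, not the thread author's config. All names and addresses are
# hypothetical placeholders:
#   ethernet1/1  uplink to ISP1, gateway 198.51.100.1, stays in VR "default"
#   ethernet1/2  uplink to ISP2, gateway 203.0.113.1,  moved to VR "vr-isp2"
#   loopback.1   10.255.255.1/32, SSL-VPN listener published via ISP1 (VR "default")
#   loopback.2   10.255.255.2/32, SSL-VPN listener published via ISP2 (VR "vr-isp2")

# Loopback interfaces (private addresses, destination-NATed from the ISP public IPs)
set network interface loopback units loopback.1 ip 10.255.255.1/32
set network interface loopback units loopback.2 ip 10.255.255.2/32
set zone VPN network layer3 [ loopback.1 loopback.2 ]

# Primary virtual router: ISP1 uplink + loopback.1, default route to ISP1 only
set network virtual-router default interface [ ethernet1/1 loopback.1 ]
set network virtual-router default routing-table ip static-route to-isp1 destination 0.0.0.0/0 interface ethernet1/1 nexthop ip-address 198.51.100.1 metric 10

# Second virtual router: ISP2 uplink + loopback.2, default route to ISP2 only.
# An interface can belong to only one virtual router, so ethernet1/2 must not
# also be listed under "default".
set network virtual-router vr-isp2 interface [ ethernet1/2 loopback.2 ]
set network virtual-router vr-isp2 routing-table ip static-route to-isp2 destination 0.0.0.0/0 interface ethernet1/2 nexthop ip-address 203.0.113.1 metric 10
```

After committing, confirm each loopback's return path with a FIB lookup in the router that owns it, for example `test routing fib-lookup virtual-router vr-isp2 ip 203.0.113.50` (a hypothetical client address) should return the ethernet1/2 / 203.0.113.1 route, and `show routing route virtual-router vr-isp2` should list only the ISP2 default. LAN traffic that is meant to leave via ISP2 still needs a PBF rule whose egress interface is ethernet1/2, since that interface no longer appears in the primary router's routing table.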
02-16-2011 09:22 PM
Confirmed. I had the same problem this week. Packet debug shows that PBR is not properly working for loopback interfaces. This needs to be fixed in PANOS.