02-09-2020 04:24 AM
hello,
i have a setup like the image below.
my goal is to allow internet throught interfaces 3 and 4 (i have a virtual router with these 2 interfaces, vr_l3) : this is working
i have an IPSEC tunnel on interface 1 (with another virtual router, vr1) to route 172.22.0.0/20 : this is working
i have a dhcp server on interface 3
if i put a route directly on the workstation, this is working (route add 172.22.0.0 mask 255.255.240.0 172.22.54.245)
next i would like to have the firewall doing this
1/ first i tried to make a static route in vr_l3 to 172.22.54.245
strangely, i have ping which is working but web-browsing is not
2/ secondly, i tried to route to the next vr, vr1
but i have nothing working
3/ third, i try to put a static route in dhcp server
option 249, 14AC16AC1636F5
but this is working on a PA220 and not on a PA200 7.0.19 : i can't obtain an ip address when option 249 is set
i don't think it's a policy problem because i currently have a any-any rule to allow traffic
02-09-2020 06:25 AM
yes, this command :
set deviceconfig setting tcp asymmetric-path bypass
did the trick
but what will be the aftermath ?
02-09-2020 05:15 AM
If ping is working, but everything else doesn't, then it's very likely that you have asynchronous routing. Ping request is sent via the firewall, but the reply is taking a different path (bypassing the firewall).
02-09-2020 06:25 AM
yes, this command :
set deviceconfig setting tcp asymmetric-path bypass
did the trick
but what will be the aftermath ?
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
