Static route path monitoring doesn't recover


L0 Member

Configured the path monitor on my primary ISP route per this guide,

https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/networking/static-routes/static-route-remo...

It worked great when I unplugged the cable from the primary ISP CPE. The default route went to the backup ISP. The problem is that the primary default route doesn't recover when I put the cable back. I waited until the monitor claimed the status was up, but the primary default route is shown as inactive (missing the A flag).


BTW: the backup ISP is DHCP with automatically add default route enabled.


Community Team Member

Hi @Dennis-Wu ,

Did you enable preemption?

By default, preemption is disabled on the firewalls and must be enabled on both firewalls. When enabled, the preemptive behavior allows the firewall with the higher priority to resume as active or active-primary after it recovers from a failure.

device-priority-and-preemption

Cheers !

-Kiwi.


Cyber Elite

@Dennis-Wu,

When the monitor reports the status as up is when the preemptive hold timer actually starts counting down to verify the path is stable. By default, this is set to 2 minutes. Did you allow enough time for the preemptive hold timer to pass so the link could actually become active?

Also important: did you weight the route metrics?

@BPry, appreciate your hint. I did wait until the preemptive timer finished. And the metric is correct, as in the beginning, before I unplugged the primary ISP cable, the default route was pointing to the primary ISP correctly.

Update: Found it. It actually interferes with the DHCP type of ISP. I have to disable "automatically create default route" on the interface and use a static route with the next hop set to the ISP GW. It is not a 100% solution, as the ISP GW could change. But I can live with it for now.
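The setup described in the update (a path-monitored static default route over the primary ISP, the DHCP client's automatic default route disabled on the backup interface, and a second static default route with a worse metric pointing at the backup ISP gateway), written out as PAN-OS set-style CLI. This is an added illustration, not the poster's actual configuration: interface names, addresses, route names and metrics are made up, and the exact command syntax should be checked against the PAN-OS version in use.

```text
# Assumed (made-up) topology:
#   ethernet1/1 = primary ISP, static 203.0.113.2/24, ISP gateway 203.0.113.1
#   ethernet1/2 = backup ISP, DHCP client, ISP gateway 198.51.100.1
#   virtual router "default"

# Primary default route with path monitoring. hold-time is the preemptive
# hold timer mentioned in the thread: it only starts counting once the
# monitor reports up, and the route is re-installed when it expires
# (2 minutes by default).
set network virtual-router default routing-table ip static-route ISP1-default destination 0.0.0.0/0 interface ethernet1/1 nexthop ip-address 203.0.113.1 metric 10
set network virtual-router default routing-table ip static-route ISP1-default path-monitor enable yes failure-condition any hold-time 2
set network virtual-router default routing-table ip static-route ISP1-default path-monitor monitor-destinations ISP1-gw enable yes source 203.0.113.2/24 destination 203.0.113.1 interval 3 count 5

# Backup ISP: stop the DHCP client from injecting its own 0.0.0.0/0.
# That automatically created route is what kept the primary route from
# returning to active in the thread.
set network interface ethernet ethernet1/2 layer3 dhcp-client create-default-route no

# Backup default route as a plain static route with a higher (worse) metric.
# The next hop is the gateway the ISP currently hands out over DHCP, so it
# has to be updated by hand if the ISP ever changes it (the caveat from the
# update above).
set network virtual-router default routing-table ip static-route ISP2-default destination 0.0.0.0/0 interface ethernet1/2 nexthop ip-address 198.51.100.1 metric 20

# After commit, check which default route carries the A (active) flag; once
# the primary monitor is up and the hold timer has expired, ISP1-default
# should be the one installed.
show routing route type static
```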

Hi @BPry ,

Do you know by any chance if there's a way to monitor, via CLI, the countdown of the preemptive hold timer? I just started supporting a deployment where the prior integrator configured 60 minutes of preemption, so at least I would like to know if the timer is actually counting down or not.

Thanks in advance!

Cyber Elite

Hello,

For this scenario, I usually utilize Policy Based Forwarding. Pretty much the same thing; however, PBF is evaluated before the virtual router's routing, so it's always first.

Just a thought.

L0 Member

I am having the same issue. Even when I attempt to perform the same ping, ingress and egress, from both firewalls, the pings are successful. Both sides are Palo Altos in my case.
