03-17-2023 01:21 AM - edited 03-20-2023 07:10 AM
We are in the process of migrating an existing service connection on an Active/Active firewall to a remote network connection.
The active/active firewall doesn't have VR-SYNC enabled, so they act as separate routing instances, and the attached subnets use a mixture of ARP load-sharing and floating IPs (sometimes active on Pri, sometimes active on Secondary). Currently we have a service connection to MX-Central and US-Central.
Last time we tried to migrate, we set up 2 remote network connections in different locations, MX-Central and US-Central. However, we noticed that some traffic was dropped due to asymmetric routing on the Prisma cloud remote networks. (This doesn't happen for service connections because of router-id.)
Can I solve this by creating 2 remote network connections in the same compute location?
03-22-2023 02:41 AM
Have you tried enabling "asymmetric-routing-only", to allow Prisma Access to use asymmetric flows across the service connection backbone? https://docs.paloaltonetworks.com/prisma/prisma-access/prisma-access-panorama-admin/prepare-the-pris...
Outside of that, you can try adding a zone protection profile to the zones for Prisma Access (https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClSHCA0 / https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClG2CAK), but I have not tested that one and I am interested if you tested your suggestion.