Abjain, thanks for the quick reply. What you've described makes perfect sense. I will give it a shot over the weekend and hopefully, it'll work. (will come back and give an update either way).
Hi, I know PA doesn't have IP SLA, and I've read documents that talk about using VR and PBF to handle dual ISPs. This works with an ASA, but I'm not sure how to do it with PA. There's a slight difference in my implementation, and it seems to fail with a lot of SSL sites. I have two links at each site:

First link: ISP <----> Palo Alto (10.1.1.1) <----> L3 switch (10.1.1.3)
Second link: MPLS <----> Cisco router (10.1.1.2) <----> L3 switch (10.1.1.3)

Basically, I have a layer 3 switch that connects both the PA and the Cisco router to the same LAN (10.1.1.0).

1) All devices talk to each other via OSPF.
2) The PA firewall has a static default route with metric 5 to the ISP.
3) The Cisco router has a static default route with metric 10 to the MPLS cloud (where there is another internet breakout).
4) The PA firewall and the Cisco router redistribute the default route into OSPF.
5) The layer 3 switch sees the PA firewall with the better metric and sends to the PA firewall when the PA firewall is up.

The idea is that if I can't reach 18.104.22.168 on the PA, it will tell me to send it out via the MPLS. This was accomplished in the past with IP SLA on the static route on the ASA, where the static route is removed and the L3 switch stops forwarding traffic to the ASA. PA recommends using PBR to "monitor" IPs. The challenge I have is that when the PA receives traffic and forwards it out of the same interface (back to the MPLS), SSL traffic seems to stall.

Example when the ISP is down:
1) User sends to the L3 switch.
2) L3 switch sends packets to the PA's ingress e1/1.
3) PA determines the ISP is down and sends the packet back out the same interface (e1/1) to the Cisco router on the same LAN.

This seems to work for non-SSL, but fails with secure traffic to Google, Facebook, etc... it just hangs. Any thoughts?
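The post above describes the route each packet takes but not what the firewall ends up seeing of the flow, which is the part that matters for a stateful device. The following is an added example, not code from the poster, Palo Alto Networks or Cisco: a small hop-by-hop path model of the topology in the post (L3 switch 10.1.1.3, PA 10.1.1.1 with a metric-5 default, Cisco router 10.1.1.2 with a metric-10 default, PBF on the PA that falls back to the Cisco router when its monitored IP stops answering). It walks the forward and return path for a flow in the "ISP up" and "ISP down" cases and reports whether the PA is on both legs of the session and whether it is hairpinning out the interface it received on (step 3 of the post). The user subnet 192.168.10.0/24, the PA outside interface name ethernet1/2, and the assumption that replies return through whichever breakout NATed the flow are mine, not from the post.

```python
"""Path model of the dual-ISP topology described in the forum post.

Constructed example (not PAN-OS or Cisco code). It traces the hop-by-hop
route of a flow in each direction so the firewall's view of the session
can be checked. Addresses are the ones in the post; the user subnet
192.168.10.0/24, the PA outside interface name ethernet1/2, and the
NAT-at-the-breakout return behaviour are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass

L3_SWITCH, PA, CISCO = "10.1.1.3", "10.1.1.1", "10.1.1.2"


@dataclass(frozen=True)
class Scenario:
    isp_up: bool                              # does the PBF monitor still reach its target via the ISP?
    pa_advertises_default: bool = True        # PA keeps redistributing its static default into OSPF
    cisco_user_lan_next_hop: str = L3_SWITCH  # where the Cisco router routes the user LAN (OSPF)


def ospf_default_gateway(s: Scenario) -> str:
    """The L3 switch installs the redistributed default route with the lowest metric."""
    candidates = {CISCO: 10}
    if s.pa_advertises_default:
        candidates[PA] = 5
    return min(candidates, key=candidates.__getitem__)


def pa_egress(s: Scenario) -> tuple[str, str]:
    """PBF on the PA: ISP while the monitored IP answers, otherwise hairpin to the Cisco router.

    Returns (next hop, egress interface). ethernet1/2 as the outside interface is assumed.
    """
    if s.isp_up:
        return "ISP", "ethernet1/2"
    return CISCO, "ethernet1/1"  # same interface the packet arrived on


def forward_path(s: Scenario) -> list[str]:
    """Hops a user-to-internet packet traverses."""
    path = ["user", L3_SWITCH]
    gw = ospf_default_gateway(s)
    path.append(gw)
    if gw == PA:
        next_hop, _iface = pa_egress(s)
        path.append(next_hop)
    if path[-1] == CISCO:
        path.append("MPLS")
    path.append("internet")
    return path


def return_path(s: Scenario) -> list[str]:
    """Replies come back through whichever breakout NATed the flow (assumption)."""
    fwd = forward_path(s)
    if "ISP" in fwd:
        return ["internet", "ISP", PA, L3_SWITCH, "user"]
    # MPLS breakout: the Cisco router forwards to the user LAN by its own route,
    # which in the post is the L3 switch, so the PA is never on this leg.
    path = ["internet", "MPLS", CISCO, s.cisco_user_lan_next_hop]
    if s.cisco_user_lan_next_hop == PA:
        path.append(L3_SWITCH)
    path.append("user")
    return path


def pa_sees_both_directions(s: Scenario) -> bool:
    """A stateful firewall needs both legs; False means it only sees client-to-server packets."""
    return PA in forward_path(s) and PA in return_path(s)


def hairpinned_on_ingress(s: Scenario) -> bool:
    """True when the PA forwards out the interface it received on (step 3 in the post)."""
    return ospf_default_gateway(s) == PA and pa_egress(s)[1] == "ethernet1/1"


if __name__ == "__main__":
    for s in (Scenario(isp_up=True), Scenario(isp_up=False)):
        print(f"ISP up={s.isp_up}: forward={forward_path(s)} return={return_path(s)} "
              f"PA sees both legs={pa_sees_both_directions(s)} hairpin={hairpinned_on_ingress(s)}")
```

Running it shows the difference between the two failure-handling designs the post contrasts: with the PBF fallback the PA stays in the forward path (and hairpins on ethernet1/1) while the return path runs MPLS, Cisco router, L3 switch, so the PA sees only one direction of every session; with the ASA-style behaviour (`pa_advertises_default=False`, the default route withdrawn when the monitor fails) the L3 switch sends directly to the Cisco router and the PA is on neither leg.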