This website uses cookies essential to its operation, for analytics, and for personalized content. By continuing to browse this site, you acknowledge the use of cookies.
For details on cookie usage on our site, read our Privacy Policy
Accept
Reject

AWS VM Series Gateway Load Balancers not working

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

AWS VM Series Gateway Load Balancers not working

craig.beamish
L1 Bithead

‎12-10-2020 09:23 PM

Hi All

Has anyone else had a play with the GWLB on AWS?
I know it must be PAN-OS 10.0.2 or higher to work,
I have tested with multiple instances, 
As a bump in the wire it works fine. until you apply NAT, then it doesn't work at all for any traffic that is NAT'd. 
I have an open TAC for this, they are replicating the fault to work it out but surely this was all tested before it went public.

I also found overlay routing breaks traffic flow. its not documented anywhere that I could find but what I found was it processes the GENEVE traffic in the virtual router where without it, is just an in-return non routed flow. 

 

If you've tinkered with it and actually got inbound/outbound NAT and/or overlay routing to function, please let me know what you did. 

sadly the documentation just doesnt provide any decent clarity for this feature.

Also extremely disappointed they havent integrated this into version 9.1.
I am hopeful they will add it with 9.1.7 in a functional state as I am not planning to move my clients to 10.0 until the list of known issues is about 1/4 its current size.

 

20 REPLIES 20

rapatil
L3 Networker

‎12-10-2020 11:27 PM

Hi Craig,

Thanks for your feedback. 

How are you deploying the GWLB with VM-Series? Are you using any of the templates provided on our Github repo? 

https://github.com/PaloAltoNetworks/AWS-GWLB-VMSeries

If you are using a CFT with an autoscale template, then it will create a NAT GW along with other components. The template also takes care of the automatic route population for any new APP VPCs. 

 

Thanks,

Raj

 

0 Likes Likes

jmeurer
L4 Transporter

‎12-11-2020 04:57 AM

As of this time, break out routing is not supported.  The traffic must stay in the Geneve tunnel.  In reading this, it appears you are addressing the outbound use case.  In that traffic flow, the NatGW must be used as the next hop beyond the GWLBe as depicted in this flow.  

 

jmeurer_1-1607691268668.png

jmeurer_2-1607691284478.png

 

0 Likes Likes

craig.beamish
L1 Bithead
In response to jmeurer

‎12-16-2020 08:18 PM

We are using a nat gateway. outbound works just fine until you apply NAT of any sort. just trying to apply any sort of NAT to change the direction of the traffic breaks it. 

so if i put a nat rule that traffic to 1.1.1.1 gets d-nat to  8.8.8.8, the traffic never exits the firewall.
key use for this was for inbound traffic, redirecting inbound traffic to the correct ALB  that lives in another vpc, the traffic seems to get dropped at the firewall, even though pcaps show it *thinks* it is being forwarded on, its not.

0 Likes Likes

jmeurer
L4 Transporter
In response to craig.beamish

‎12-17-2020 09:52 AM

Inbound requires ingress routing to use the GWLB without SNAT.  You can do that within the application vpc using a public-facing LB in front of the application.

jmeurer_0-1608227286234.png

Or if you want to have a dedicated inbound VPC, you use the same design as above but move your pool members across the TGW.

jmeurer_1-1608227341113.png

If you prefer the traditional Load Balancer sandwich design where the firewalls are pool members of the front door LB and you are going to SNAT/DNAT to the application, you would either use a dedicated set of firewalls or add new Untrust and Trust interfaces to the firewall as ETH3/4 and use those for ingress outside of the GWLB.  This is necessary as the GWLB traffic must hairpin inside of the Geneve tunnel, you cannot insert flows into the tunnel from another interface.  

0 Likes Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Copyright 2007 - 2023 - Palo Alto Networks