Garry Shape

asked on
Help understand why PA-3020 ISP failover didn't work?

I'm looking to figure out how/why our Palo Alto (PA-3020) didn't fail over from one ISP to another ISP modem when the first ISP had an outage.
Internet was basically just out until the ISP that failed came back online.
Is anyone familiar with a PA-3020? It was allegedly set up to have ISP failover.
I can see configured ports on the interface where the ISP 1 modem is connected, and where the ISP 2 modem is connected.
Are there known logs I can check to see what (if anything) occurred during the known hours ISP1 went out?
I honestly don't even know where failover is configured (I think I do based on documentation, but I still have my doubts).
noci

I have no PA hardware... things that come to mind:

1) How is down detection done:
    a) drop of interface energy (e.g. outside connection loses power, carrier loss)
    b) drop of connection (like PPPoE dropping)
    c) lack of ping response to a known outside connection?
    d) Other?

2) What actions can you trigger on the PA to respond to loss of the active connection
    a) switch of (default and other) routes
    b) take failing routes out of service
    c) set up new tunnels to some provider

If failover happens there might still be problems...
     - your source address changes
     - all active sessions might be lost....

This can be mitigated by having a public address range, AS number and some BGP advertisement,
or by building a tunnel to some outside service that can provide a stable IP address even if you switch connection.
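Taking noci's items 1c and 2a together, here is an added toy model (written for this page, not PAN-OS code and not from anyone on this thread) of how ping-based path monitoring drives a default-route switch, with a hold-down before failing back so a flapping ISP does not bounce the route; all addresses and probe results are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class IspPath:
    name: str
    next_hop: str
    metric: int              # lower wins, like a static-route metric
    monitors: list           # destinations probed through this ISP
    fail_threshold: int = 3  # consecutive lost probes before a destination counts as failed
    recover_cycles: int = 2  # clean cycles required before a downed path is reinstated
    failures: dict = field(default_factory=dict)
    clean_streak: int = 0
    down: bool = False

    def observe(self, results: dict) -> None:
        """results maps a monitor destination to True if a reply was seen this cycle."""
        for dst in self.monitors:
            self.failures[dst] = 0 if results.get(dst, False) else self.failures.get(dst, 0) + 1
        if all(self.failures[d] >= self.fail_threshold for d in self.monitors):
            self.down, self.clean_streak = True, 0   # "all" condition: every probe target lost
        elif self.down:
            # hold the path down until it has been clean for recover_cycles in a row
            self.clean_streak = self.clean_streak + 1 if all(self.failures[d] == 0 for d in self.monitors) else 0
            if self.clean_streak >= self.recover_cycles:
                self.down = False

def active_default_route(paths):
    """Next hop of the best (lowest-metric) path whose monitor has not declared it down."""
    up = [p for p in paths if not p.down]
    return min(up, key=lambda p: p.metric).next_hop if up else None

def simulate(paths, timeline):
    """Feed one cycle of probe results to every path and record the default route chosen."""
    chosen = []
    for cycle in timeline:
        for p in paths:
            p.observe(cycle.get(p.name, {}))   # no results for a path counts as probes lost
        chosen.append(active_default_route(paths))
    return chosen

def demo():
    # Constructed addresses (RFC 5737 documentation ranges), not anything from the question.
    isp1 = IspPath("ISP1", "203.0.113.1", 10, ["198.51.100.10", "198.51.100.20"])
    isp2 = IspPath("ISP2", "192.0.2.1", 20, ["198.51.100.30"])
    ok1 = {"198.51.100.10": True, "198.51.100.20": True}
    bad1 = {"198.51.100.10": False, "198.51.100.20": False}
    ok2 = {"198.51.100.30": True}
    # ISP1 healthy for 2 cycles, silent for 3, then back: failover on cycle 5, failback on cycle 7
    timeline = [{"ISP1": ok1, "ISP2": ok2}] * 2 + [{"ISP1": bad1, "ISP2": ok2}] * 3 + [{"ISP1": ok1, "ISP2": ok2}] * 2
    return simulate([isp1, isp2], timeline)
```

Each cycle of `demo()` stands in for one monitoring interval; the returned list shows which next hop the model would install after each interval.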
My PA failover uses BGP and we are advertising our own public AS through multiple ISP. I have no idea what you're doing. I would talk to whoever setup your system, or Palo Alto TAC. There are way too many ways you can possibly have it setup, and too many things that can be wrong to troubleshoot over a forum.
You might find this page useful

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClFiCAK

I would guess that failover happened because failover was not configured, or not configured appropriately, but without a copy of the config only guesses can be made.
Garry Shape

ASKER

Well, for one, I see there are no policy-based forwarding rules at all, which I'm assuming have to be in place.
As far as the ISPs and modems, basically ISP1 simply goes into 1 single port on one of the PA's (1/1). ISP2 goes into 1/3 — same PA.
Besides that, I've observed two virtual routers with the interfaces attached, which appear to be set up right with correct zones.
I think it's just this policy-based forwarding part that is the missing piece. Thanks for the article, that will help.