GlobalProtect Client Issues with Multiple ISPs

GlobalProtect Client Issues with Multiple ISPs

18243
Created On 09/25/18 20:34 PM - Last Updated 08/05/19 20:36 PM


Resolution

Issue

GlobalProtect clients connect via one ISP, but traffic going back to the internet is routed via the other ISP.

 

Resolution

Topology

Firewall has two ISPs (Primary and Secondary). ISP A is connected on Ethernet 1/1 whereas ISB B is connected on Ethernet 1/2. The GlobalProtect Client is configured to connect on the Primary interface, Ethernet 1/1.

7-12-2012 9-44-01 AM.png

 

Details

The VPN client's IP address is from the primary ISP. The answer to this question is that when the packet arrives at the tunnel, the source NAT is done based on the NAT policy configured for the Primary ISP but the management plane will route the traffic through the VR static route (which is Ethernet 1/2, using its IP address), and it will use the Ethernet 1/1 public IP as a source IP. When the server on the internet receives the packet it will receive packet sourced from an IP address of Ethernet 1/1 and it will route packets accordingly, i.e. destined to Ethernet 1/1.

 

Resolution

 

Configure two virtual routers like this:

  • VR1: Ethernet 1/1 (Primary ISP), tunnel.x (SSLVPN Zone)

7-12-2012 10-02-00 AM.png

  • VR2: Ethernet 1/2 (Secondary ISP), Ethernet 1/3 (Trust Zone)

7-12-2012 10-02-37 AM.png

  • Here is how the interfaces should look:

7-12-2012 10-03-25 AM.png

7-12-2012 10-04-36 AM.png

  • Create a Policy Based Forwarding (PBF) route for VR2 to route the Trust Zone traffic to go through VR1 and have a default/Backup route to go through Ethernet 1/2, as shown below:

7-12-2012 10-05-26 AM.png

7-12-2012 10-06-37 AM.png

  • VR1 will have a default route to go to the internet through Ethernet 1/1. GlobalProtect/SSL clients connect to the VR1 on tunnel.x, then the traffic is routed according to the default route configured on the VR1.

Note: Make sure to have a different zone for the tunnel interfaces so that they do not mix with the Trust zone on VR2.

  • Add the security and NAT policies accordingly. The SSLVPN client traffic goes to the internet using the Primary ISP.

 

owner: kalavi



Attachments
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cli1CAC&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Attachments
Choose Language