How To Achieve ISP Failover In SD-WAN Direct Internet Access
Created On 06/21/21 01:56 AM - Last Modified 10/21/21 03:32 AM
Objective
In a Direct Internet Access (DIA) setup the firewall pings the next-hop IP address to determine whether the internet path is UP or DOWN.
This method is not sufficient on its own: the ISP may be down while the next-hop device is still reachable, in which case no failover between ISP paths occurs in SD-WAN.
SaaS Application Path Monitoring, introduced in PAN-OS 10.0.2, is the feature that achieves this objective. Please refer to SD-WAN Features.
Environment
- PAN-OS SD-WAN
- PAN-OS 10.0
Procedure
1. The sdwan.901 interface is used for internet communication. Two interfaces are bound to this SD-WAN interface. Please refer to Configure SD-WAN for configuring the SD-WAN setup.
2. A traffic distribution profile is configured so that ethernet1/2 is the Primary ISP and ethernet1/4 is the Secondary ISP.
3. Select Objects --> SD-WAN Link Management --> SaaS Quality Profile and configure an object. Any SaaS monitoring mode can be selected here.
If "Static IP Address" monitoring mode is selected, the firewall pings the IP address or FQDN specified in the configuration and checks its latency, jitter and packet loss.
If "HTTP/HTTPS" monitoring mode is selected, the firewall establishes an HTTP or HTTPS connection to the URL specified in the configuration.
4. Select Policies --> SD-WAN and configure an SD-WAN policy for the internet communication. In this policy, use the "SaaS Quality Profile" configured in the previous step.
Failover Test:
- When the monitoring is successful, the "show sdwan path-monitor stats" command shows the state of the path as UP.
admin@Lab81-219-PA-VM> show sdwan path-monitor stats
***slot1 dp0:***
idx  if-id  vif        state/reason     State-chg-cnt  latency  jitter  loss(%)  Type    Interface/Tunnel  Profile
-------------------------------------------------------------------------------------------------------------------
0    17     sdwan.901  UP/path_monitor  2              0        0       0        Native  ethernet1/2       N/A
1    19     sdwan.901  UP/path_monitor  2              0        0       0        Native  ethernet1/4       N/A
8    17     sdwan.901  UP/path_monitor  2              3        0       0        Active  ethernet1/2       SaaS-Profile-Lab
9    19     sdwan.901  UP/path_monitor  2              3        0       0        Active  ethernet1/4       SaaS-Profile-Lab
- The "show sdwan event" command shows the sessions using ethernet1/2, the primary ISP, for the communication.
admin@Lab81-219-PA-VM> show sdwan event
System time: 06/20 18:11:46
Path selection health format: latency/jitter/loss/adjusted-latency/total-loss
Path monitor health format: latency/jitter/loss::real-time-latency/real-time-jitter/real-time-loss
06/20 18:11:46:[path selection] session 1352440 policy SD-WAN-Rule(Top-down) ethernet1/2(17) => ethernet1/2(17) profile 360/27/9 health 212/17/0/212/0 => 212/17/0/212/0 version 28 top-down-keep selection
06/20 18:11:45:[path selection] session 1352442 policy SD-WAN-Rule(Top-down) ethernet1/2(17) => ethernet1/2(17) profile 360/27/9 health 212/17/0/212/0 => 212/17/0/212/0 version 28 top-down-keep selection
06/20 18:11:44:[path selection] session 1352441 policy SD-WAN-Rule(Top-down) ethernet1/2(17) => ethernet1/2(17) profile 360/27/9 health 212/17/0/212/0 => 212/17/0/212/0 version 28 top-down-keep selection
- The firewall pings the configured monitor IP from both member interfaces of sdwan.901.
- If the Primary ISP fails, communication to the monitored IP fails from the Primary ISP interface. The "show sdwan path-monitor stats active ip" command shows the state of the path monitor: the IP being monitored and the state of the probes.
admin@Lab81-219-PA-VM> show sdwan path-monitor stats active ip
----------------------------------------------------------------
ethernet1/2  idx: 8  DIA monitor:8.8.8.8
Probing: Enabled  Probing-interval: 3s
----------------------------------------------------------------
Probe-req-send:2    State: down  State-chg-cnt: 3   ----> State moved to down on ethernet1/2
Probe-reply-recv:0
packet loss : real-time  crt-use  version
per 100 pkt:  2          0        0
                           latency  jitter  pkt_loss  health_ver
9000ms  average real time: 0        0       3
        current use:       0        0       3         3
30000ms average real time: 0        0       10
        current use:       0        0       10        0
75000ms average real time: 0        0       25
        current use:       0        0       25        0
----------------------------------------------------------------
ethernet1/4  idx: 9  DIA monitor:8.8.8.8
Probing: Enabled  Probing-interval: 3s
----------------------------------------------------------------
Probe-req-send:77   State: up    State-chg-cnt: 2   ----> State is UP in ethernet1/4
Probe-reply-recv:77
packet loss : real-time  crt-use  version
per 100 pkt:  0          0        0
                           latency  jitter  pkt_loss  health_ver
9000ms  average real time: 3        0       0
        current use:       0        0       0         2
30000ms average real time: 3        0       0
        current use:       0        0       0         0
75000ms average real time: 3        0       0
        current use:       0        0       0         0
- Executing the "show sdwan path-monitor stats" command shows the State as DOWN for one of the paths of the sdwan.901 interface.
admin@Lab81-219-PA-VM> show sdwan path-monitor stats
***slot1 dp0:***
idx  if-id  vif        state/reason       State-chg-cnt  latency  jitter  loss(%)  Type    Interface/Tunnel  Profile
-------------------------------------------------------------------------------------------------------------------
0    17     sdwan.901  UP/path_monitor    2              0        0       0        Native  ethernet1/2       N/A
1    19     sdwan.901  UP/path_monitor    2              0        0       0        Native  ethernet1/4       N/A
8    17     sdwan.901  DOWN/path_monitor  3              0        0       2        Active  ethernet1/2       SaaS-Profile-Lab
9    19     sdwan.901  UP/path_monitor    2              3        0       0        Active  ethernet1/4       SaaS-Profile-Lab
- Executing the "show sdwan event" command shows that the sessions are now taking the interface ethernet1/4 for the communication.
admin@Lab81-219-PA-VM> show sdwan event
System time: 06/20 18:14:59
Path selection health format: latency/jitter/loss/adjusted-latency/total-loss
Path monitor health format: latency/jitter/loss::real-time-latency/real-time-jitter/real-time-loss
06/20 18:14:59:[path selection] session 1353010 policy SD-WAN-Rule(Top-down) ethernet1/4(19) => ethernet1/4(19) profile 360/27/9 health 212/17/0/212/0 => 212/17/0/212/0 version 28 top-down-keep selection
06/20 18:14:58:[path selection] session 1353008 policy SD-WAN-Rule(Top-down) ethernet1/4(19) => ethernet1/4(19) profile 360/27/9 health 212/17/0/212/0 => 212/17/0/212/0 version 28 top-down-keep selection
06/20 18:14:57:[path selection] session 1353009 policy SD-WAN-Rule(Top-down) ethernet1/4(19) => ethernet1/4(19) profile 360/27/9 health 212/17/0/212/0 => 212/17/0/212/0 version 28 top-down-keep selection
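Operators usually want the failover test above turned into an alert rather than a manual CLI check. The following Python is an added example, not Palo Alto Networks tooling: it assumes only the column layout of the "show sdwan path-monitor stats" output as captured in this article, parses two polls of it (constructed from the UP and DOWN captures above), and reports the Active (SaaS-profile) path that went DOWN and the interface whose State-chg-cnt advanced.

```python
import re
from typing import Dict, List

# One data row of "show sdwan path-monitor stats": idx if-id vif state/reason
# State-chg-cnt latency jitter loss(%) Type Interface/Tunnel Profile
ROW_RE = re.compile(
    r"^\s*(\d+)\s+(\d+)\s+(\S+)\s+(UP|DOWN)/(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)"
    r"\s+(Native|Active)\s+(\S+)\s+(.+?)\s*$"
)
FIELDS = ("idx", "if_id", "vif", "state", "reason", "state_chg_cnt",
          "latency", "jitter", "loss_pct", "path_type", "interface", "profile")
INT_FIELDS = {"idx", "if_id", "state_chg_cnt", "latency", "jitter", "loss_pct"}

def parse_path_monitor_stats(output: str) -> List[Dict[str, object]]:
    """Parse the CLI output; prompt, banner, header and separator lines are skipped."""
    rows = []
    for line in output.splitlines():
        m = ROW_RE.match(line)
        if m:
            row = dict(zip(FIELDS, m.groups()))
            for k in INT_FIELDS:
                row[k] = int(row[k])
            rows.append(row)
    return rows

def failed_active_paths(rows) -> List[str]:
    """Interfaces whose SaaS-profile (Active) probe reports DOWN: the failover trigger."""
    return [r["interface"] for r in rows if r["path_type"] == "Active" and r["state"] == "DOWN"]

def changed_paths(before, after) -> List[str]:
    """Interfaces whose State-chg-cnt advanced between two polls (a flap or a failover)."""
    prev = {(r["idx"], r["interface"]): r["state_chg_cnt"] for r in before}
    return [r["interface"] for r in after
            if r["state_chg_cnt"] > prev.get((r["idx"], r["interface"]), r["state_chg_cnt"])]

# Constructed sample polls, modelled on the two captures in this article.
STATS_BEFORE = """admin@Lab81-219-PA-VM> show sdwan path-monitor stats
***slot1 dp0:***
idx if-id vif state/reason State-chg-cnt latency jitter loss(%) Type Interface/Tunnel Profile
-----------------------------------------------------------------------------------------
0 17 sdwan.901 UP/path_monitor 2 0 0 0 Native ethernet1/2 N/A
1 19 sdwan.901 UP/path_monitor 2 0 0 0 Native ethernet1/4 N/A
8 17 sdwan.901 UP/path_monitor 2 3 0 0 Active ethernet1/2 SaaS-Profile-Lab
9 19 sdwan.901 UP/path_monitor 2 3 0 0 Active ethernet1/4 SaaS-Profile-Lab
"""
# After the primary ISP failure: idx 8 flips to DOWN, State-chg-cnt 2 -> 3, loss 2%.
STATS_AFTER = STATS_BEFORE.replace(
    "8 17 sdwan.901 UP/path_monitor 2 3 0 0 Active ethernet1/2",
    "8 17 sdwan.901 DOWN/path_monitor 3 0 0 2 Active ethernet1/2")
```

Polling the firewall CLI (or the operational API) on the probing interval and feeding successive outputs to changed_paths gives a simple flap detector, since a path that toggles repeatedly advances State-chg-cnt on every poll.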
Additional Information
There is an option to choose HTTP/HTTPS as the "SaaS Monitoring Mode". If an HTTP site is used, the firewall establishes HTTP communication towards the configured URL. As an example, the URL "http://example.com" is used in the configuration.
The firewall then establishes an HTTP connection to the URL and updates the latency, jitter and packet loss. The captures below show the firewall sending a GET request for the URL mentioned.
If an HTTPS URL is used, the firewall establishes an HTTPS connection to the URL. The sample capture below shows communication to "https://www.paloaltonetworks.com".