How To Achieve ISP Failover In SD-WAN Direct Internet Access - Knowledge Base - Palo Alto Networks

Created On 06/21/21 01:56 AM - Last Modified 10/21/21 03:32 AM


Objective


In a Direct Internet Access (DIA) setup the firewall pings the next-hop IP address to determine whether the internet path is UP or DOWN.
This is not a reliable method, because the ISP may be down while the next-hop device is still reachable. In that case no ISP path failover takes place in SD-WAN.
SaaS Application Path Monitoring is the feature, introduced in version 10.0.2, that addresses this objective. Please refer to SD-WAN Features.

 


Environment


  • PAN-OS SD-WAN
  • PAN-OS 10.0


Procedure


  1. The sdwan.901 interface is used for internet communication. Two interfaces are bound to this SD-WAN interface. Please refer to Configure SD-WAN for configuring the SD-WAN setup.

          User-added image

  2. A traffic distribution profile is configured so that ethernet1/2 is the primary ISP and ethernet1/4 is the secondary ISP.

          User-added image

  3. Select Objects --> SD-WAN Link Management --> SaaS Quality Profile and configure an object. Any SaaS monitoring mode can be selected here.
     If "Static IP Address" monitoring mode is selected, the firewall pings the IP address or FQDN specified in the configuration and measures
     its latency, jitter and packet loss.
     If "HTTP/HTTPS" monitoring mode is selected, the firewall establishes an HTTP or HTTPS connection to the URL specified in the configuration.

          User-added image

  4. Select Policies --> SD-WAN and configure an SD-WAN policy for the internet communication. In this policy use the "SaaS Quality Profile"
     configured in the previous step.

          User-added image

          User-added image



Failover Test:
  • When monitoring is successful, the "show sdwan path-monitor stats" command shows the state of the path as UP.
admin@Lab81-219-PA-VM> show sdwan path-monitor stats

***slot1 dp0:***
 idx    if-id  vif         state/reason       State-chg-cnt latency jitter loss(%) Type    Interface/Tunnel                 Profile
-------------------------------------------------------------------------------------------------------------------------------------
 0      17     sdwan.901   UP/path_monitor    2             0       0      0       Native  ethernet1/2                      N/A
 1      19     sdwan.901   UP/path_monitor    2             0       0      0       Native  ethernet1/4                      N/A
 8      17     sdwan.901   UP/path_monitor    2             3       0      0       Active  ethernet1/2                      SaaS-Profile- Lab  
 9      19     sdwan.901   UP/path_monitor    2             3       0      0       Active  ethernet1/4                      SaaS-Profile- Lab
  • The "show sdwan event" command shows the sessions using ethernet1/2, the primary ISP, for the communication.
admin@Lab81-219-PA-VM> show sdwan event

System time: 06/20 18:11:46
Path selection health format: latency/jitter/loss/adjusted-latency/total-loss
Path monitor health format: latency/jitter/loss::real-time-latency/real-time-jitter/real-time-loss

06/20 18:11:46:[path selection] session 1352440 policy SD-WAN-Rule(Top-down) ethernet1/2(17) => ethernet1/2(17) profile 360/27/9 health 212/17/0/212/0 => 212/17/0/212/0 version 28 top-down-keep selection
06/20 18:11:45:[path selection] session 1352442 policy SD-WAN-Rule(Top-down) ethernet1/2(17) => ethernet1/2(17) profile 360/27/9 health 212/17/0/212/0 => 212/17/0/212/0 version 28 top-down-keep selection
06/20 18:11:44:[path selection] session 1352441 policy SD-WAN-Rule(Top-down) ethernet1/2(17) => ethernet1/2(17) profile 360/27/9 health 212/17/0/212/0 => 212/17/0/212/0 version 28 top-down-keep selection
  • The firewall pings the configured monitor IP from both member interfaces of sdwan.901.
  • If the primary ISP fails, communication to the monitored IP fails from the primary ISP interface. The command "show sdwan path-monitor stats active ip" can be used to see the state of the path monitor. It shows the IP being monitored and the state of the probes.
 admin@Lab81-219-PA-VM> show sdwan path-monitor stats active ip

----------------------------------------------------------------
ethernet1/2 idx: 8 DIA monitor:8.8.8.8
Probing: Enabled  Probing-interval: 3s
----------------------------------------------------------------
  Probe-req-send:2 State: down  State-chg-cnt: 3     ----> State moved to down on ethernet1/2
Probe-reply-recv:0

         packet loss :  real-time  crt-use   version
          per 100 pkt:  2          0         0


                       latency   jitter    pkt_loss  health_ver
         9000ms average
            real time: 0         0         3
          current use: 0         0         3         3

         30000ms average
            real time: 0         0         10
          current use: 0         0         10        0

         75000ms average
            real time: 0         0         25
          current use: 0         0         25        0

----------------------------------------------------------------
ethernet1/4 idx: 9 DIA monitor:8.8.8.8
Probing: Enabled  Probing-interval: 3s
----------------------------------------------------------------
  Probe-req-send:77 State: up  State-chg-cnt: 2   ----> State is UP in ethernet1/4
Probe-reply-recv:77

         packet loss :  real-time  crt-use   version
          per 100 pkt:  0          0         0


                       latency   jitter    pkt_loss  health_ver
         9000ms average
            real time: 3         0         0
          current use: 0         0         0         2

         30000ms average
            real time: 3         0         0
          current use: 0         0         0         0

         75000ms average
            real time: 3         0         0
          current use: 0         0         0         0
  • Executing the command "show sdwan path-monitor stats" shows the "State" as DOWN for one of the paths of the sdwan.901 interface.
admin@Lab81-219-PA-VM> show sdwan path-monitor stats

***slot1 dp0:***
 idx    if-id  vif         state/reason       State-chg-cnt latency jitter loss(%) Type    Interface/Tunnel                 Profile
-------------------------------------------------------------------------------------------------------------------------------------
 0      17     sdwan.901   UP/path_monitor    2             0       0      0       Native  ethernet1/2                      N/A
 1      19     sdwan.901   UP/path_monitor    2             0       0      0       Native  ethernet1/4                      N/A
 8      17     sdwan.901   DOWN/path_monitor  3             0       0      2       Active  ethernet1/2                      SaaS-Profile- Lab
 9      19     sdwan.901   UP/path_monitor    2             3       0      0       Active  ethernet1/4                      SaaS-Profile- Lab
  • Executing the command "show sdwan event" shows that the sessions now use interface ethernet1/4 for the communication.
admin@Lab81-219-PA-VM> show sdwan event

System time: 06/20 18:14:59
Path selection health format: latency/jitter/loss/adjusted-latency/total-loss
Path monitor health format: latency/jitter/loss::real-time-latency/real-time-jitter/real-time-loss

06/20 18:14:59:[path selection] session 1353010 policy SD-WAN-Rule(Top-down) ethernet1/4(19) => ethernet1/4(19) profile 360/27/9 health 212/17/0/212/0 => 212/17/0/212/0 version 28 top-down-keep selection
06/20 18:14:58:[path selection] session 1353008 policy SD-WAN-Rule(Top-down) ethernet1/4(19) => ethernet1/4(19) profile 360/27/9 health 212/17/0/212/0 => 212/17/0/212/0 version 28 top-down-keep selection
06/20 18:14:57:[path selection] session 1353009 policy SD-WAN-Rule(Top-down) ethernet1/4(19) => ethernet1/4(19) profile 360/27/9 health 212/17/0/212/0 => 212/17/0/212/0 version 28 top-down-keep selection
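The failover test above relies on reading two CLI outputs by eye. The following added example (not PAN-OS or Palo Alto Networks code) parses text captured from "show sdwan path-monitor stats" and "show sdwan event", for instance collected over SSH or through the PAN-OS API, and reports whether the expected failover took place: the primary ISP's SaaS-monitored ("Active") path is DOWN while its next-hop ("Native") path still shows UP, the secondary path is UP, and new sessions are being selected onto the secondary interface. The sample strings are constructed from the captures shown in this article; the function and field names are this example's own.

```python
"""Verify DIA failover from PAN-OS SD-WAN CLI output (added example, not PAN-OS code)."""
import re
from dataclasses import dataclass

# Constructed sample, trimmed from the article's "show sdwan path-monitor stats" capture
# taken after the primary ISP failed.
PATH_MONITOR_STATS = """\
***slot1 dp0:***
 idx    if-id  vif         state/reason       State-chg-cnt latency jitter loss(%) Type    Interface/Tunnel                 Profile
-------------------------------------------------------------------------------------------------------------------------------------
 0      17     sdwan.901   UP/path_monitor    2             0       0      0       Native  ethernet1/2                      N/A
 1      19     sdwan.901   UP/path_monitor    2             0       0      0       Native  ethernet1/4                      N/A
 8      17     sdwan.901   DOWN/path_monitor  3             0       0      2       Active  ethernet1/2                      SaaS-Profile- Lab
 9      19     sdwan.901   UP/path_monitor    2             3       0      0       Active  ethernet1/4                      SaaS-Profile- Lab
"""

# Constructed sample, trimmed from the article's "show sdwan event" capture after failover.
SDWAN_EVENTS = """\
System time: 06/20 18:14:59
06/20 18:14:59:[path selection] session 1353010 policy SD-WAN-Rule(Top-down) ethernet1/4(19) => ethernet1/4(19) profile 360/27/9 health 212/17/0/212/0 => 212/17/0/212/0 version 28 top-down-keep selection
06/20 18:14:58:[path selection] session 1353008 policy SD-WAN-Rule(Top-down) ethernet1/4(19) => ethernet1/4(19) profile 360/27/9 health 212/17/0/212/0 => 212/17/0/212/0 version 28 top-down-keep selection
"""


@dataclass
class PathEntry:
    idx: int
    vif: str
    state: str        # UP or DOWN
    reason: str       # e.g. path_monitor
    change_count: int
    latency: int
    jitter: int
    loss_pct: int
    path_type: str    # Native (next-hop probe) or Active (SaaS Quality Profile probe)
    interface: str
    profile: str


# One data row of the stats table; the profile column may contain spaces.
STATS_ROW = re.compile(
    r"^\s*(\d+)\s+(\d+)\s+(\S+)\s+(UP|DOWN)/(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(.+?)\s*$"
)

# Timestamp, session id, policy name, and the "from => to" interface pair of a path selection event.
EVENT_LINE = re.compile(
    r"^(\d\d/\d\d \d\d:\d\d:\d\d):\[path selection\] session (\d+) policy (\S+) (\S+?)\(\d+\) => (\S+?)\(\d+\) "
)


def parse_path_monitor_stats(text):
    """Return a PathEntry for every data row; header and separator lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = STATS_ROW.match(line)
        if not m:
            continue
        idx, _if_id, vif, state, reason, chg, lat, jit, loss, ptype, iface, profile = m.groups()
        entries.append(PathEntry(int(idx), vif, state, reason, int(chg), int(lat),
                                 int(jit), int(loss), ptype, iface, profile))
    return entries


def parse_sdwan_events(text):
    """Return one dict per path selection event with the selected ('to') interface."""
    events = []
    for line in text.splitlines():
        m = EVENT_LINE.match(line)
        if m:
            ts, session, policy, from_if, to_if = m.groups()
            events.append({"time": ts, "session": int(session), "policy": policy,
                           "from": from_if, "to": to_if})
    return events


def path_state(entries, vif, interface, path_type):
    """State (UP/DOWN) of the given member path, or None if the row is absent."""
    for e in entries:
        if e.vif == vif and e.interface == interface and e.path_type == path_type:
            return e.state
    return None


def failover_report(stats_text, events_text, primary, secondary, vif="sdwan.901"):
    """Summarise whether SaaS path monitoring moved traffic from primary to secondary."""
    entries = parse_path_monitor_stats(stats_text)
    selected = {ev["to"] for ev in parse_sdwan_events(events_text)}
    return {
        # The Active row is what SaaS Application Path Monitoring drives.
        "primary_active_down": path_state(entries, vif, primary, "Active") == "DOWN",
        # The Native row is the plain next-hop probe, which stays UP in this scenario;
        # this is exactly the gap the article describes.
        "primary_native_up": path_state(entries, vif, primary, "Native") == "UP",
        "secondary_active_up": path_state(entries, vif, secondary, "Active") == "UP",
        # All recent path selections must land on the secondary interface.
        "sessions_on_secondary": bool(selected) and selected == {secondary},
    }


if __name__ == "__main__":
    for key, ok in failover_report(PATH_MONITOR_STATS, SDWAN_EVENTS, "ethernet1/2", "ethernet1/4").items():
        print(f"{key}: {'OK' if ok else 'FAIL'}")
```

Running the script against the constructed capture prints OK for all four checks. Feeding it the pre-failure capture from earlier in this article would instead report the primary Active path as UP and the sessions on ethernet1/2, which is the expected "no failover" result; the "primary_native_up" check is the one that distinguishes an ISP outage from a next-hop outage.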


Additional Information



There is an option to choose HTTP/HTTPS as the "SaaS Monitoring Mode". If an HTTP site is used, the firewall establishes an HTTP connection to the configured URL. As an example, the URL "http://example.com" is used in the configuration.
User-added image
The firewall establishes an HTTP connection to the URL and updates the latency, jitter and packet loss. The capture below shows the firewall sending a GET request for the URL mentioned.

User-added image

If an HTTPS URL is used, the firewall establishes an HTTPS connection to the URL. The sample capture below shows communication to "https://www.paloaltonetworks.com".

User-added image
 

