Inter-VR and Inter-LR on PAN-OS With ECMP
Created On 03/07/24 20:47 PM - Last Modified 08/07/24 19:06 PM
Symptom
LR A is learning equal-cost prefixes from LR B and LR C. LR A installs the prefix(es) in its RIB table, but the same prefix(es) are never installed in its FIB:
admin@NGFW> show advanced-routing route | match 0.0.0.0
Logical Router: LR A
==========================
flags: A:active, E:ecmp, Oi:ospf intra-area, Oo:ospf inter-area, O1:ospf ext 1, O2:ospf ext 2
destination  protocol  nexthop    distance  metric  flag  tag  age       interface
0.0.0.0/0    bgp       10.99.0.2  20        0       A E        00:20:49
0.0.0.0/0    bgp       lr LR B    20        0       A E        00:20:49
0.0.0.0/0    bgp       10.99.0.3  20        0       A E        00:20:49
0.0.0.0/0    bgp       lr LR C    20        0       A E        00:20:49

admin@NGFW> show advanced-routing fib | match 0.0.0.0
logical-router name: LR A
interfaces: ethernet1/3 loopback.99
id  destination  nexthop  flags  interface  mtu
--------------------------------------------------------------------------------
Environment
- NGFW Hardware/VM-Series
- Advanced Routing Engine
- PAN-OS 10.2 and later
- Inter-VR Routing
Cause
Equal-Cost Multi-Path routing is currently not supported with Advanced Routing Engine across Logical Routers.
Resolution
Disable ECMP on the applicable Logical Router (LR). If this is not an option, advertise the prefix(es) of interest with different costs (metric, weight, etc.) so that no two (or more) network layer reachability information (NLRI) entries learned from other LRs have an equal cost, since equal cost results in failure to install the applicable prefix(es) into the FIB table.
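To confirm which prefixes are affected before and after the change, the following added example (not Palo Alto Networks code) parses saved output of the two commands from the Symptom section and lists prefixes that carry the E flag with a logical-router next hop but have no FIB entry. The sample text, the FIB row layout and all function names are constructed for illustration, and it assumes the commands were captured without `| match` so the full tables are present.

```python
import re
from collections import defaultdict

# Constructed sample input, laid out like the RIB output in the Symptom section.
RIB = """\
Logical Router: LR A
destination  protocol  nexthop    distance  metric  flag  tag  age       interface
0.0.0.0/0    bgp       10.99.0.2  20        0       A E        00:20:49
0.0.0.0/0    bgp       lr LR B    20        0       A E        00:20:49
0.0.0.0/0    bgp       10.99.0.3  20        0       A E        00:20:49
0.0.0.0/0    bgp       lr LR C    20        0       A E        00:20:49
10.1.0.0/16  bgp       lr LR B    20        0       A          00:20:49
"""
# Constructed FIB text: the page shows only an empty FIB, so this row is an assumption.
FIB = """\
logical-router name: LR A
id  destination  nexthop  flags  interface    mtu
1   10.1.0.0/16  0.0.0.0  u      loopback.99  1500
"""

# A next hop is either one token or "lr <name>", where the name may contain spaces.
ROUTE = re.compile(
    r"^(?P<dest>\d+(?:\.\d+){3}/\d+)\s+(?P<proto>\S+)\s+(?P<nexthop>lr\s.+?|\S+)"
    r"\s+(?P<distance>\d+)\s+(?P<metric>\d+)\s+(?P<rest>.*?)\s+\d\d:\d\d:\d\d")
FIB_ROW = re.compile(r"^\d+\s+(?P<dest>\d+(?:\.\d+){3}/\d+)\s")

def ecmp_inter_lr_prefixes(rib_text):
    """Map each ECMP-flagged prefix to the logical routers it is learned from."""
    found = defaultdict(list)
    for line in rib_text.splitlines():
        m = ROUTE.match(line.strip())
        if not m or "E" not in m["rest"].split():
            continue  # not a route row, or the route is not flagged E:ecmp
        if m["nexthop"].startswith("lr"):
            found[m["dest"]].append(m["nexthop"].split(None, 1)[1])
    return dict(found)

def fib_destinations(fib_text):
    """Return the set of destinations that have a row in the FIB output."""
    rows = (FIB_ROW.match(line.strip()) for line in fib_text.splitlines())
    return {m["dest"] for m in rows if m}

def missing_from_fib(rib_text, fib_text):
    """Prefixes that are ECMP across logical routers in the RIB but absent from the FIB."""
    installed = fib_destinations(fib_text)
    return sorted(p for p in ecmp_inter_lr_prefixes(rib_text) if p not in installed)

if __name__ == "__main__":
    for prefix in missing_from_fib(RIB, FIB):
        print(prefix, "via", ", ".join(ecmp_inter_lr_prefixes(RIB)[prefix]), "is not in the FIB")
```

An empty result after disabling ECMP or changing the advertised costs indicates that no inter-LR equal-cost prefix is still missing from the FIB.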
Additional Information
This principle also applies to inter-VR routing. A similar issue observed on a Logical Router with equal-cost routes via external links (rather than between LRs) has been addressed in PAN-OS 10.2.8, 11.0.4, 11.1.0 and later. However, ECMP (for statically or dynamically learned routes) is currently not supported between virtual routers or between logical routers in Legacy Routing and Advanced Routing Engine respectively.