PBF Monitor Not Working Over SD-WAN

Created On 09/23/20 22:09 PM - Last Modified 01/12/21 04:38 AM


Symptom


  • A PBF rule is configured over SD-WAN with a monitor. In the example policy shown below, eth1/6 is a member of the SD-WAN connection; if the monitor IP 8.8.8.8 is not reachable over the SD-WAN, the rule should be disabled.
GUI: Policies --> Policy Based Forwarding --> PBF rule (screenshot not reproduced)
  • When the SD-WAN fails, the PBF rule remains active, which prevents traffic from failing over to the backup link.


Environment


  • All versions of PAN-OS
  • Any Palo Alto Firewall.
  • Policy-Based Forwarding is configured.
  • Dual-homed environments.


Cause


The rule stays active because no keepalive messages are ever sent to, or received from, the monitor IP. The zero KA counters in the rule status show this:

rmcrae@s07fw> show pbf rule name PBF_DSL-Loadbalance

Rule: PBF_DSL-Loadbalance(12)
Rule State: Active
Action: Forward
Symmetric Return: No
Egress IF/VSYS: sdwan.1
NextHopType: IP
NextHop: 63.231.10.70
Monitor Slot: 0
Monitor IP: 8.8.8.8
NextHop Status: UP
Monitor: Action:Fail-Over, Interval:4, Threshold:6
Stats: KA sent:0, KA got:0, Packet Matched:42970054  <<===

For the monitor to work, the firewall needs a valid source IP address to reach the monitor destination. An SD-WAN interface has no IP address associated with it, so the keepalives are never generated and the monitor can never detect a path failure.
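As an added example (not part of this article), a small Python check that parses `show pbf rule name` output and flags rules whose monitor cannot drive failover: a monitor on an `sdwan.*` egress interface, or a monitor that has sent zero keepalives. The first rule in the sample is the output quoted above; the second rule, its name, the interface `ethernet1/4` and the 192.0.2.x addresses are constructed for comparison.

```python
import re

# Constructed sample: rule 1 is the CLI output quoted in this article; rule 2 is an
# invented healthy rule on a routed interface (minimal fields) for comparison.
SAMPLE_OUTPUT = """\
Rule: PBF_DSL-Loadbalance(12)
Rule State: Active
Action: Forward
Symmetric Return: No
Egress IF/VSYS: sdwan.1
NextHopType: IP
NextHop: 63.231.10.70
Monitor Slot: 0
Monitor IP: 8.8.8.8
NextHop Status: UP
Monitor: Action:Fail-Over, Interval:4, Threshold:6
Stats: KA sent:0, KA got:0, Packet Matched:42970054

Rule: PBF_Cable-Backup(13)
Rule State: Active
Egress IF/VSYS: ethernet1/4
Monitor IP: 192.0.2.254
Stats: KA sent:1200, KA got:1198, Packet Matched:31
"""

def parse_pbf_rules(text):
    """Split CLI output into one dict per rule; decode the KA counters as ints."""
    rules = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rule = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")   # split on the first colon only
            rule[key.strip()] = value.strip()
        m = re.search(r"KA sent:(\d+), KA got:(\d+)", rule.get("Stats", ""))
        rule["ka_sent"], rule["ka_got"] = (int(m[1]), int(m[2])) if m else (0, 0)
        rules.append(rule)
    return rules

def check_rule(rule):
    """Return a finding for a rule whose monitor cannot trigger failover, else None."""
    if not rule.get("Monitor IP"):
        return None  # no monitor configured, nothing to evaluate
    if rule.get("Egress IF/VSYS", "").startswith("sdwan"):
        return "monitor on SD-WAN egress is not supported; rule will not fail over"
    if rule["ka_sent"] == 0:
        return "no keepalives sent; monitor cannot detect path failure"
    return None

def find_broken_monitors(text):
    # Map rule name -> finding for every rule that needs attention.
    return {r["Rule"]: f for r in parse_pbf_rules(text) if (f := check_rule(r))}
```

Feed it the output of `show pbf rule all` (one blank line between rules, as the firewall prints it) to review every PBF rule at once.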


Resolution


PBF monitor is not supported over SD-WAN.
