Secondary Default Route Removal When Primary Path Monitor Fails in Advanced Routing

Created On 03/21/25 15:23 PM - Last Modified 10/28/25 17:03 PM


Symptom


  • Upon failure of the primary default route path monitor, the secondary default route is also deleted from the routing table.
  • The secondary route does not get installed in the FIB.

When the primary path monitor was up:

admin@PA-3250> show advanced-routing static-route-path-monitor
LOGICAL ROUTER: default (id 1)
  ==========
destination                                 nexthop                                 metric interface     pathmonitor   status
0.0.0.0/0                                   1.1.1.1                                 2      ethernet1/1   Enabled(All)  Up
|--> monitored-IP                                interval/count  state
     2.2.2.1                                            3/5      Success


admin@PA-3250> show advanced-routing route logical-router default
Logical Router: default
==========================
flags: A:active, E:ecmp, Oi:ospf intra-area, Oo:ospf inter-area, O1:ospf ext 1, O2:ospf ext 2

destination                             protocol       nexthop                                 distance  metric    flag      tag       age         interface
0.0.0.0/0                               static         2.2.2.1                                 11        6         A                   00:02:23    ethernet1/2
0.0.0.0/0                               static         1.1.1.1                                 10        2         A                   00:02:23    ethernet1/1

 

When the primary path monitor was down:

admin@PA-3250> show advanced-routing static-route-path-monitor
LOGICAL ROUTER: default (id 1)
  ==========
destination                                 nexthop                                 metric interface     pathmonitor   status
0.0.0.0/0                                   1.1.1.1                                 2      ethernet1/1   Enabled(All)  Down
|--> monitored-IP                                interval/count  state
     2.2.2.1                                            3/5      Failed


admin@PA-3250> show advanced-routing route logical-router default
Logical Router: default
==========================
flags: A:active, E:ecmp, Oi:ospf intra-area, Oo:ospf inter-area, O1:ospf ext 1, O2:ospf ext 2

destination                             protocol       nexthop                                 distance  metric    flag      tag       age         interface

total route shown:
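
A check for this symptom, as an added example that is not part of the original article or of any Palo Alto Networks tooling: it parses saved text output of the two commands shown above and reports destinations whose monitored static route is Down and which have no route left in the table. It assumes IPv4 prefixes, the column layout shown above, and that a secondary route is configured for the destination; the function names are hypothetical.

```python
import re

# IPv4 prefix in the first column marks a route row in both command outputs.
PREFIX = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}/\d{1,2}$")

# Constructed sample: the "path monitor down" captures above, columns condensed.
MONITOR_DOWN = """\
LOGICAL ROUTER: default (id 1)
destination  nexthop  metric interface    pathmonitor   status
0.0.0.0/0    1.1.1.1  2      ethernet1/1  Enabled(All)  Down
|--> monitored-IP   interval/count  state
     2.2.2.1        3/5             Failed
"""
ROUTES_DOWN = """\
Logical Router: default
destination  protocol  nexthop  distance  metric  flag  tag  age  interface

total route shown:
"""

def monitored_routes(text):
    """Rows of 'show advanced-routing static-route-path-monitor' as dicts."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 6 and PREFIX.match(f[0]):
            rows.append({"destination": f[0], "nexthop": f[1], "status": f[-1]})
    return rows

def installed_routes(text):
    """(destination, nexthop) pairs from 'show advanced-routing route'."""
    pairs = set()
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 3 and PREFIX.match(f[0]):
            pairs.add((f[0], f[2]))
    return pairs

def missing_backups(monitor_text, route_text):
    """Destinations whose monitored route is Down and that have no route left.
    Assumes a secondary route exists in the config for each such destination."""
    installed = {dest for dest, _ in installed_routes(route_text)}
    down = {r["destination"] for r in monitored_routes(monitor_text)
            if r["status"] == "Down"}
    return sorted(down - installed)

if __name__ == "__main__":
    print(missing_backups(MONITOR_DOWN, ROUTES_DOWN))
```

An empty result with the monitor Down means the secondary route is still present for that destination, which is the expected failover behaviour.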


Environment


  • PANW firewall with Advanced Routing enabled.
  • Path Monitoring configured.
  • PAN-OS versions 8.0 and above


Cause


  • Software Issue.
  • Multiple issues in path monitoring logic within the Advanced Routing stack affected the handling of route deletions and installations.


Resolution


  1. Several path monitoring fixes have been implemented in PAN-OS 11.1.3 and 10.2.17 to address this and other issues.
  2. The following fixes were introduced to resolve the problem:
    • PAN-220553: Fixed an issue where, after enabling Advanced Routing Engine, the backup default route was not installed in the FIB table if static path monitoring went down.
    • PAN-239012: Improvements in route installation and deletion logic.
    • PAN-238285: Ensuring proper order of commits.
    • PAN-246945: Fixed an issue where a static route was removed from the route table when path monitoring was enabled.
  3. Upgrading PAN-OS to version 11.1.3 or 10.2.17 will resolve the issue.


Additional Information


The following workarounds can be tried, but may not work in some corner cases.

  1. Remove the entire static route configuration, commit the change, then reconfigure the static route with path monitoring and commit in the same step.
  2. Do a "commit force" instead of "commit" when enabling path-monitor on an already present static route.
  3. Restart the routed process using the following commands:
> debug software restart process routed
> debug routed restart

