Exonix
Contributor

traffic doesn't go to the right interface

Hello all,

We have a GW R81.10 and some PBR. We've just found that from time to time some traffic doesn't go to the right interface - GRE for Zscaler. The strange thing is that sometimes traffic goes where it should. This is good traffic:

gre1.png

This is bad traffic:

gre2.png


As you can see, the only difference is the port definition. It is always 443, but different objects. tcp_443_noage has the following settings (unfortunately, I do not know the purpose of this object, but it is used by some rules for VMware and Veeam):

443.png


What could be wrong and how to fix it?

Thank you!

7 Replies
Chris_Atkinson
Employee

R81.30 is not a version that exists yet, do you mean R80.30?

What do your PBR rules look like?

Exonix
Contributor

It is R81.10, I've corrected this information.

pbr1.png

abihsot__
Advisor

Oh, I was not aware you can attach a PBR table based on a FW rule number. How would that work if you add another rule above and the whole thing shifts?


As for the port definition, it is probably some workaround for the backup team with long-running backups, etc. For regular user traffic I would suggest sticking with the standard https object.


I believe there was a major PBR redesign some time ago - at least that's what I understood from the release notes. We still have some incorrectly performed routing by PBR too, but on R80.40.

Exonix
Contributor

After adding a new rule, the number in the PBR is also changed. And yes, this is not the only problem with PBR... We have another case with CP Support where we have a workaround (adding a disabled rule before the impacted rule), but we can't use it in my case.

The non-standard port is not defined in the rule for Zscaler and appears only in the logs. How does the FW decide which object to use?

logs1.png

the_rock
Champion

Run ip r g followed by the IP address as the destination and verify it is indeed correct (from expert mode).

Exonix
Contributor

This looks good, since eth1 is the external interface through which the GRE tunnel naturally goes:

ip r g 18.185.14.90
18.185.14.90 via 194.xxx.xxx.xxx dev eth1 src 194.yyy.yyy.yyy
cache

PhoneBoy
Admin

A “different” service could be necessary if, for instance, you want certain HTTPS traffic to have a different timeout than the default.
I suspect there may be some issue with PBR, in which case you will probably need TAC assistance.
