4797 Views, 15 Helpful, 15 Replies

ASA 5508-X PBR Wrong Interface Selection

LordBoBCUP (Level 1)

Hi, I have set up a PBR to route traffic matching an ACL to a second interface. The problem I have is when running debug policy-map I get

pbr: First matching rule from ACL(9)
pbr: route map route-xxx, sequence 10, permit; proceed with policy routing
pbr: evaluating next-hop 203.78.115.123
pbr: no connected route to next-hop 203.78.115.123 found
pbr: policy based routing could not be applied; proceeding with normal route lookup

or when I run packet-tracer I get:

Phase: 1
Type: PBR-LOOKUP
Subtype: policy-route
Result: ALLOW
Config:
route-map route-xxx permit 10
 match ip address route-xxx
 set ip next-hop 203.78.115.123
Additional Information:
 Matched route-map route-xxx, sequence 10, permit

Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 120.1.2.3 using egress ifc  External-Internet

203.78.115.123 is the gateway IP configured for the interface we want to send the traffic for, so it's connected via 203.78.115.122. Even if I specify the next hop as 203.78.115.122 I get the exact same results in packet tracer and debug.

I have a default route with a metric of 2 for the second interface, and I also have a NAT rule allowing traffic out on that interface.

object network LAN1
 nat (LAN,External-ISP2) dynamic interface
object network LAN
 nat (LAN,External-ISP1) dynamic interface

route External-ISP1 0.0.0.0 0.0.0.0 120.1.2.3 1
route External-ISP2 0.0.0.0 0.0.0.0 203.78.115.122 2

I can clearly see the PBR is being evaluated, so it's correctly applied to the interface, and it's matching the traffic, so the ACL is configured correctly. The problem I have is it's always picking the default route because it can't see the second interface as directly connected, yet the route table shows it. Can anyone suggest where I've gone wrong?

Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, V - VPN
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, + - replicated route
Gateway of last resort is 120.72.83.25 to network 0.0.0.0

S*       0.0.0.0 0.0.0.0 [1/0] via 120.72.83.25, External-Internet
C        120.1.2.0 255.255.255.248 is directly connected, External-Internet
L        120.1.2.3 255.255.255.255 is directly connected, External-Internet
C        192.168.20.0 255.255.255.0 is directly connected, LAN
L        192.168.20.254 255.255.255.255 is directly connected, LAN
C        202.78.115.120 255.255.255.248 is directly connected, External-VPN
L        202.78.115.123 255.255.255.255 is directly connected, External-VPN
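As an added illustration (not code from the original thread or from Cisco), the following Python script reproduces the check that the pbr debug line "no connected route to next-hop ... found" reports on: it parses the connected ('C') entries out of `show route` and tests whether each `set ip next-hop` address in the route-map falls inside one of those subnets. The sample input is constructed from the route table and route-map quoted in the post above; the function names and regular expressions are the example's own assumptions about the output format shown here.

```python
import ipaddress
import re

# Constructed sample input, copied from the poster's "show route" output above.
SHOW_ROUTE = """\
S*       0.0.0.0 0.0.0.0 [1/0] via 120.72.83.25, External-Internet
C        120.1.2.0 255.255.255.248 is directly connected, External-Internet
L        120.1.2.3 255.255.255.255 is directly connected, External-Internet
C        192.168.20.0 255.255.255.0 is directly connected, LAN
L        192.168.20.254 255.255.255.255 is directly connected, LAN
C        202.78.115.120 255.255.255.248 is directly connected, External-VPN
L        202.78.115.123 255.255.255.255 is directly connected, External-VPN
"""

# Constructed sample route-map, copied from the packet-tracer output above.
ROUTE_MAP = """\
route-map route-xxx permit 10
 match ip address route-xxx
 set ip next-hop 203.78.115.123
"""

# 'C' rows of "show route": C <network> <netmask> is directly connected, <interface>
CONNECTED_RE = re.compile(
    r"^C\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+is directly connected,\s+(\S+)"
)
# "set ip next-hop" lines inside a route-map (ASA allows more than one address)
NEXT_HOP_RE = re.compile(r"^\s*set ip next-hop\s+(.+)$")


def parse_connected_routes(show_route_output):
    """Return [(IPv4Network, interface_name), ...] for every connected ('C') route."""
    routes = []
    for line in show_route_output.splitlines():
        m = CONNECTED_RE.match(line)
        if m:
            # ipaddress accepts a dotted netmask after the slash; strict=False tolerates host bits
            net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
            routes.append((net, m.group(3)))
    return routes


def resolve_next_hop(next_hop, connected_routes):
    """Interface whose connected subnet contains next_hop, or None when there is
    no connected route (the case the ASA debug reports before falling back)."""
    addr = ipaddress.ip_address(next_hop)
    for net, ifc in connected_routes:
        if addr in net:
            return ifc
    return None


def audit_route_map(route_map_text, show_route_output):
    """Map every 'set ip next-hop' address in the route-map to the connected
    interface it would egress on, or None when PBR would fall back to the
    normal route lookup."""
    connected = parse_connected_routes(show_route_output)
    result = {}
    for line in route_map_text.splitlines():
        m = NEXT_HOP_RE.match(line)
        if m:
            for hop in m.group(1).split():
                result[hop] = resolve_next_hop(hop, connected)
    return result


if __name__ == "__main__":
    for hop, ifc in audit_route_map(ROUTE_MAP, SHOW_ROUTE).items():
        if ifc is None:
            print(f"{hop}: no connected route; PBR falls back to the routing table")
        else:
            print(f"{hop}: reachable via connected interface {ifc}")
```

Run against the table quoted above it reports 203.78.115.123 as having no connected route, which is what the debug output says, whereas an address inside 202.78.115.120/29 resolves to External-VPN. Comparing the next-hop against the 'C' entries this way is a quick sanity check to run before looking at NAT or the route metrics.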


15 Replies

LordBoBCUP (Level 1)

Hi All,

It appears that the configuration was 90% correct in the original deployment. The major problem was the gateway IP was incorrect so the suggestions did help get me on the right track there. The rest of the issues were caused by an ISP problem which they have now acknowledged and fixed for us. 

Thank you all for your assistance.
