PBR not working like planned

Roger Vikstroem
Level 1

Hello.

I'm trying to set up PBR in our Firepower, but it only works halfway.

By default the PC is routed through Router 1-Router 2-Firewall-Firepower to the SRV. We are trying to cut some routing because of problems, so it would take the route PC-Router 1-Firepower-SRV instead.

In Router 1 we put a static route to 192.168.10.50 for all PCs on 10.161.8.*

In the Firepower I configured PBR the following way:

access-list ACL1 extended permit ip host 192.168.10.50 10.161.8.0 255.255.255.0
route-map RM1 permit 10
 match ip address ACL1
 set ip next-hop 10.1.1.20
interface Port-channel1.50
 policy-route route-map RM1

Ping from SRV to PC is working.

Ping from PC to SRV is not working until I do a ping from SRV; then ping from PC to SRV starts to work.

 

Looks like the PBR only works when the session is initialized from the SRV, not from the PC.

Is there something I'm missing in the configuration, or isn't PBR the solution?

 

/Roger

4 Replies

Bogdan Nita
VIP Alumni

Hi Roger,

I am not sure why you are seeing this behavior (maybe because ICMP is a stateless protocol), but I think you applied the route-map on the wrong interface. The route-map should be applied on the incoming interface, which in your case should be the interface to the server.

Did you test with anything other than ICMP?

 

HTH,

Bogdan

Thanks for the reply.

I have been testing applying the PBR on both the incoming and the outgoing interface, with the same result.

I also tested RDP with the same result; I see the traffic going to the other firewall.

Could it be related to bug CSCvg29791, because we use a subinterface, running version 6.2.2 on Firepower?

 

/Roger

I don't think the bug is related; you are statically referencing the interface in your FlexConfig.

chrihussey
VIP Alumni

OK, I'm not familiar with the Firepower. But after looking at the diagram, if PBR is supposed to work as it does on a router, the route map should be applied to the interface for the server and not to the port channel to R1.

 

By applying it to the port-channel interface to R1, the routing has already occurred and packets from the server go to the firewall. In this configuration you probably have asymmetric routing, where the server's traffic goes to the firewall and the response comes back via the preferred path. That's probably why it sort of works from server to host and not the other way.

 

I could be wrong, but hope this helps.
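Putting the two replies together, here is an added example of what the FlexConfig for this PBR looks like with the route-map bound on the server-facing interface, followed by the FTD CLI checks that show whether a packet is actually policy-routed. This is not configuration from the original post. Assumed names: the SRV sits behind subinterface Port-channel1.10 with nameif srv, R1 behind Port-channel1.50 with nameif r1, and 10.161.8.10 is a constructed PC address; 192.168.10.50, 10.161.8.0/24 and 10.1.1.20 are the addresses from the post.

```cisco
! Added example, not from the original post. Assumed names: Port-channel1.10
! (nameif srv) faces the SRV, Port-channel1.50 (nameif r1) faces R1.
!
! --- FlexConfig object (type Append, deploy every time) ---
! Full ASA syntax for the ACL: only packets sourced by the SRV and destined
! for the PC subnet are policy-routed.
access-list ACL1 extended permit ip host 192.168.10.50 10.161.8.0 255.255.255.0
route-map RM1 permit 10
 match ip address ACL1
 set ip next-hop 10.1.1.20
! PBR is evaluated on the ingress interface, so bind the route-map where the
! SRV's packets enter the Firepower, not on the interface toward R1.
interface Port-channel1.10
 policy-route route-map RM1

! --- Verification from the FTD CLI after deployment ---
! Which interfaces have a route-map bound, and the map's clauses:
show policy-route
show route-map RM1
! Trace each direction (nameif, protocol, source, ICMP type/code, destination)
! and compare the egress interface and next hop reported at the end:
packet-tracer input srv icmp 192.168.10.50 8 0 10.161.8.10
packet-tracer input r1 icmp 10.161.8.10 8 0 192.168.10.50
! For a live flow, confirm both interfaces of the connection:
show conn address 10.161.8.10
```

The ACL only matches packets sourced from the SRV, so only the SRV-to-PC direction is policy-routed; PC-to-SRV packets arriving from R1 follow the ordinary routing table, which is what you want if the SRV is directly connected. The two packet-tracer runs make that visible: the first should show RM1 being applied and an egress toward 10.1.1.20, the second should show no policy routing and the route to the SRV. If either trace drops the packet before the routing phase, the cause is something other than PBR.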
