Policy Based Routing Issue

Leon Brierley
Level 1

Hi all


I am trying to resolve an issue with some PBR on a Cisco 3850. Basically, I want to route internet traffic for one specific VLAN to a new firewall.

I have created a test SVI (VLAN 888 - 10.77.88.254/24) and I am matching traffic with a source IP of 10.77.88.0/24 (ip default next-hop - new firewall IP). All other SVIs should route via the old firewall and the switch has a route to this (10.0.0.0/8 via old firewall IP).


I have a client PC in the test VLAN 888. When I apply the policy to the SVI and turn on policy routing debugging I see the below messages:


198391: Jul 13 11:06:05: IP: route map INTERNET, item 10, permit
198392: Jul 13 11:06:05: IP: s=10.77.88.1 (Vlan888), d=10.77.88.255, len 78, policy rejected -- normal forwarding
198393: Jul 13 11:06:06: IP: s=10.77.88.1 (Vlan888), d=10.77.88.255, len 78, policy match
198394: Jul 13 11:06:06: IP: route map INTERNET, item 10, permit
198395: Jul 13 11:06:06: IP: s=10.77.88.1 (Vlan888), d=10.77.88.255, len 78, policy rejected -- normal forwarding
198396: Jul 13 11:06:07: IP: s=10.77.88.1 (Vlan888), d=10.77.88.255, len 78, policy match
198397: Jul 13 11:06:07: IP: route map INTERNET, item 10, permit
198398: Jul 13 11:06:07: IP: s=10.77.88.1 (Vlan888), d=10.77.88.255, len 78, policy rejected -- normal forwarding
198399: Jul 13 11:06:20: IP: s=10.77.88.1 (Vlan888), d=10.77.88.255, len 78, policy match
198400: Jul 13 11:06:20: IP: route map INTERNET, item 10, permit
198401: Jul 13 11:06:20: IP: s=10.77.88.1 (Vlan888), d=10.77.88.255, len 78, policy rejected -- normal forwarding
198402: Jul 13 11:06:20: IP: s=10.77.88.1 (Vlan888), d=10.77.88.255, len 236, policy match
198403: Jul 13 11:06:20: IP: route map INTERNET, item 10, permit
198404: Jul 13 11:06:20: IP: s=10.77.88.1 (Vlan888), d=10.77.88.255, len 236, policy rejected -- normal forwarding
198405: Jul 13 11:06:20: IP: s=10.77.88.1 (Vlan888), d=10.77.88.255, len 78, policy match


It seems the policy is rejected and then matched, over and over. I believe what should happen is that if a route exists, then normal forwarding should take place, but if no route exists then the packet should be policy-routed.


Can anyone help decipher what is going on with this?


Many thanks

Leon
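The debug output above can be read against the two PBR set clauses. As an added example, not code from the post or from Cisco, the following Python models the routing table the post describes (connected 10.77.88.0/24 and 10.0.0.0/8 via the old firewall, no default route) together with the documented difference between `set ip default next-hop`, which is consulted only when the RIB has no explicit route for the destination, and `set ip next-hop`, which overrides the RIB whenever the match clause hits. It then applies that model to a few of the quoted `debug ip policy` lines. The firewall addresses, the transit /30 they sit on, and the 203.0.113.10 Internet test destination are assumptions; the post names none of them.

```python
"""Model of Cisco IOS PBR 'set ip next-hop' vs 'set ip default next-hop',
applied to 'debug ip policy' lines quoted in the forum post above.

Added example; not code from the original thread or from Cisco. The RIB,
route-map entries and firewall addresses are constructed from the post's
description, with the gaps filled by clearly marked assumptions.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

OLD_FW = "10.0.0.1"   # assumed: old firewall address (not given in the post)
NEW_FW = "10.0.0.2"   # assumed: new firewall address (not given in the post)

# Routing table as the post describes it, plus an assumed connected /30 so
# both firewall next-hops are reachable. There is deliberately no default
# route, so Internet destinations have no route at all.
RIB = {
    ipaddress.ip_network("10.77.88.0/24"): "connected, Vlan888",
    ipaddress.ip_network("10.0.0.0/30"): "connected, firewall transit (assumed)",
    ipaddress.ip_network("10.0.0.0/8"): f"static via {OLD_FW}",
}


def rib_lookup(dst: str) -> Optional[Tuple[ipaddress.IPv4Network, str]]:
    """Longest-prefix match against RIB; None when no route covers dst."""
    d = ipaddress.ip_address(dst)
    best = None
    for net, how in RIB.items():
        if d in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, how)
    return best


@dataclass(frozen=True)
class RouteMapEntry:
    name: str
    seq: int
    match_src: ipaddress.IPv4Network  # 'match ip address <acl>' on source
    next_hop: str
    default: bool                     # True models 'set ip default next-hop'


SRC = ipaddress.ip_network("10.77.88.0/24")
# The variant the post applied, and the one it later switched to.
DEFAULT_ENTRY = RouteMapEntry("INTERNET", 10, SRC, NEW_FW, default=True)
NEXT_HOP_ENTRY = RouteMapEntry("INTERNET", 10, SRC, NEW_FW, default=False)


def pbr_decision(entry: RouteMapEntry, src: str, dst: str) -> Tuple[str, str]:
    """Return (forwarding outcome, reason) for one packet.

    'set ip default next-hop' applies only when the RIB has no explicit route
    for dst; a default route (prefix length 0) does not count as explicit.
    'set ip next-hop' applies whenever the match clause hits.
    """
    if ipaddress.ip_address(src) not in entry.match_src:
        return "normal forwarding", "no match"
    route = rib_lookup(dst)
    has_explicit_route = route is not None and route[0].prefixlen > 0
    if entry.default and has_explicit_route:
        return "normal forwarding", f"policy rejected: {route[0]} {route[1]}"
    return (f"policy routed to {entry.next_hop}",
            f"route map {entry.name}, item {entry.seq}, permit")


DEBUG_LINE = re.compile(
    r"IP: s=(?P<src>[\d.]+) \((?P<iface>\w+)\), d=(?P<dst>[\d.]+), "
    r"len (?P<length>\d+), (?P<verdict>policy match|policy rejected -- normal forwarding)"
)

# Four lines copied from the post's debug output; sequence numbers kept as-is.
SAMPLE_DEBUG = """\
198392: Jul 13 11:06:05: IP: s=10.77.88.1 (Vlan888), d=10.77.88.255, len 78, policy rejected -- normal forwarding
198393: Jul 13 11:06:06: IP: s=10.77.88.1 (Vlan888), d=10.77.88.255, len 78, policy match
198394: Jul 13 11:06:06: IP: route map INTERNET, item 10, permit
198395: Jul 13 11:06:06: IP: s=10.77.88.1 (Vlan888), d=10.77.88.255, len 78, policy rejected -- normal forwarding
""".splitlines()


def parse_debug(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Extract (src, dst, verdict) from packet lines; the 'route map ...,
    item N, permit' lines carry no addresses and are skipped."""
    out = []
    for line in lines:
        m = DEBUG_LINE.search(line)
        if m:
            out.append((m["src"], m["dst"], m["verdict"]))
    return out


def explain_rejections(lines: List[str], entry: RouteMapEntry = DEFAULT_ENTRY):
    """For each 'policy rejected' packet, name the RIB route that caused it."""
    return [(dst, pbr_decision(entry, src, dst)[1])
            for src, dst, verdict in parse_debug(lines)
            if verdict.startswith("policy rejected")]


if __name__ == "__main__":
    for dst, why in explain_rejections(SAMPLE_DEBUG):
        print(f"{dst}: {why}")
    # 10.77.88.255 is the broadcast address of the connected /24, 10.20.30.40
    # falls under the 10/8 route, 203.0.113.10 (TEST-NET-3) has no route.
    for e in (DEFAULT_ENTRY, NEXT_HOP_ENTRY):
        kind = "default next-hop" if e.default else "next-hop"
        for dst in ("10.77.88.255", "10.20.30.40", "203.0.113.10"):
            print(f"{kind:17} {dst:15} -> {pbr_decision(e, '10.77.88.1', dst)[0]}")
```

Under this model the 10.77.88.255 packets in the debug output, the broadcast address of the connected /24, hit the match clause and are then rejected by design, because a connected route exists; with the 10.0.0.0/8 route present, `set ip default next-hop` can never fire for any 10.x destination, and only routeless destinations such as Internet addresses are redirected. `set ip next-hop` redirects every matching packet to the new firewall, including traffic to other internal subnets, so a common precaution with that form is to have the match ACL deny internal destinations before permitting the rest; whether that is the exact source of the asymmetry later reported in this thread is not something the thread states.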

17 Replies

Thanks Peter. Yes, looks like it should. I think now that there is some kind of asymmetric routing going on with the new firewall. There appear to be some messages in the syslog on there.

Hi Leon,

Okay. I am not entirely sure if you consider this issue to be covered sufficiently so please feel more than welcome to revisit this thread and ask further.

Best regards,
Peter

Hi Peter


Managed to get to the bottom of this in the end. So the PBR was working (ip next-hop) but the ASA was dropping TCP packets as there was some asymmetric routing created by the PBR. I fixed this by using TCP state bypass for local addresses. Thanks for your help with this.

Leon