Policy Based Routing Not routing out configured egress interface FTD - Cisco Community

440

Views

1

Helpful

5

Replies

I have setup a Route Based Site-Site Tunnel with Cisco Umbrella. Tunnel comes up fine. My issue is I'm using Policy Based Routing because I only want 80/443 traffic to go over the tunnel.

Packet tracer shows that PBR-Lookup matches the ACL and identifies the VTI, but the FTD doesn't resolve the egress to the VTI...but to the outside interface.

So the traffic isn't flowing over the tunnel to Umbrella, which is confusing since it is matching the ACL used by the PBR.

show route-map
route-map FMC_GENERATED_PBR_1730396602092, permit, sequence 5
Match clauses:
ip address (access-lists): Umbrella_Tunnel_Allow_Mailroom

Set clauses:
adaptive-interface cost Umbrella-VTI (0)

5 Replies 5

https://docs.umbrella.com/umbrella-user-guide/docs/configure-tunnel-with-cisco-secure-firewall

Check this

MHM

Thank you. Used this and followed the instructions to the letter. Still, the traffic in ACL not being sent to VTI interface.

I am sure you have all routing in place verify and check the below configuration guide :

https://support.umbrella.com/hc/en-us/articles/15671337422996-Guide-to-FTD-Application-Based-PBR-for-Umbrella-SIG

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Set clauses:
adaptive-interface cost Umbrella-VTI (0)

Set your clause / next-hop to be +1 of your own VTI address towards Umbrella.

Not sure what you mean.

Learn, share, save

Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.

New here? Get started with these tips. How to use Community New member guide

Log in to Community