Hi, everyone! Today I'm going to walk through how we troubleshot policy-based routing (PBR) that was not working as expected on a core switch.
Issue Description:
We configured PBR for one LAN IP address, but once it was configured we were unable to access the server locally.
Handling process:
We called the customer to get more details about the issue:
1- PBR is used to force the server's traffic to go to the firewall.
2- Once PBR is configured, not even hosts in the same subnet can communicate with the server.
3- Collected the topology.
4- All devices go to the proxy, except the 10.x.x.13 server, which goes to the firewall.
5- Traffic path:
a) The voice server 10.x.x.13 sends to the firewall.
b) The 10.x.x.11 server (which has no PBR) sends to the core switch.
c) Hence the ICMP reply from the voice server arrives at the firewall, but the matching request packet was never seen on the USG, so the traffic is dropped.
Solution:
The PBR needs adjustment --> any server in 10.x.x.y that needs to talk to 10.x.x.13 should also go through the firewall, so I added this rule to ACL 3001 (the PBR matching access list):
rule 10 permit ip destination 10.x.x.13 0
Before:
traffic classifier xxx operator or precedence 5
if-match acl 3001
#
acl number 3001
rule 5 permit ip source 10.x.x.13 0
#
#
traffic behavior xxx
permit
redirect ip-nexthop 10.40.x.10
#
traffic policy xxx match-order config
classifier xxx behavior xxx
#
After:
traffic classifier xxx operator or precedence 5
if-match acl 3001
#
acl number 3001
rule 5 permit ip source 10.x.x.13 0
rule 10 permit ip destination 10.x.x.13 0
#
#
traffic behavior xxx
permit
redirect ip-nexthop 10.40.x.10
#
traffic policy xxx match-order config
classifier xxx behavior xxx
#
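To make the reasoning behind the fix concrete, here is an added Python model (example code, not from the original post or from Huawei) of how the classifier's ACL decides the next hop for each direction of one exchange. The addresses 10.40.5.13 (voice server) and 10.40.5.11 (the server without PBR) are constructed stand-ins for the masked 10.x.x.y values above, and the firewall's stateful behaviour (a reply is only forwarded if the request was seen) is an assumption that matches the symptom described in step 5c.

```python
"""Model of the PBR asymmetry described in the post: before the fix only
packets FROM the voice server match the ACL, so the request and the reply
of one exchange take different paths and the firewall drops the reply."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Optional

# Constructed addresses standing in for the post's masked 10.x.x.y values.
VOICE_SERVER = IPv4Address("10.40.5.13")   # host the PBR is written for
OTHER_SERVER = IPv4Address("10.40.5.11")   # same subnet, no PBR of its own
FIREWALL = "firewall (redirect ip-nexthop)"
CORE = "core switch (normal forwarding)"


def host(ip: IPv4Address) -> IPv4Network:
    """A wildcard of 0 in 'rule N permit ip source X 0' means exactly one host."""
    return IPv4Network(f"{ip}/32")


@dataclass(frozen=True)
class AclRule:
    """One 'rule N permit ip ...' line; an unset field matches anything."""
    rule_id: int
    source: Optional[IPv4Network] = None
    destination: Optional[IPv4Network] = None

    def matches(self, src: IPv4Address, dst: IPv4Address) -> bool:
        if self.source is not None and src not in self.source:
            return False
        if self.destination is not None and dst not in self.destination:
            return False
        return True


def first_match(rules: List[AclRule], src: IPv4Address, dst: IPv4Address) -> Optional[AclRule]:
    """Rules are evaluated in ascending rule-id order; the first permit wins."""
    for rule in sorted(rules, key=lambda r: r.rule_id):
        if rule.matches(src, dst):
            return rule
    return None


def next_hop(rules: List[AclRule], src: IPv4Address, dst: IPv4Address) -> str:
    """If the classifier's ACL matches, the behaviour redirects to the firewall;
    otherwise the core switch forwards normally (same subnet: straight to the host)."""
    return FIREWALL if first_match(rules, src, dst) else CORE


def trace_flow(rules: List[AclRule], client: IPv4Address, server: IPv4Address) -> Dict[str, object]:
    """Where the request and the reply of one client->server exchange are sent.
    Assumption: the firewall is stateful, so a reply arriving there without the
    request having passed through it is dropped (the symptom in the post)."""
    request_path = next_hop(rules, client, server)
    reply_path = next_hop(rules, server, client)
    dropped = reply_path == FIREWALL and request_path != FIREWALL
    return {"request": request_path, "reply": reply_path, "dropped": dropped}


# acl number 3001 before the fix: only 'rule 5 permit ip source <voice server> 0'
ACL_BEFORE = [AclRule(5, source=host(VOICE_SERVER))]
# acl number 3001 after the fix: rule 10 also matches traffic TOWARDS the voice server
ACL_AFTER = ACL_BEFORE + [AclRule(10, destination=host(VOICE_SERVER))]

if __name__ == "__main__":
    for label, acl in (("before", ACL_BEFORE), ("after", ACL_AFTER)):
        print(label, trace_flow(acl, OTHER_SERVER, VOICE_SERVER))
```

Running it shows the request from 10.40.5.11 going to the core switch while the reply from 10.40.5.13 goes to the firewall in the "before" case, and both directions going through the firewall once rule 10 is present. Note that traffic between two hosts that are neither the source nor the destination of the voice server still takes the normal core-switch path after the fix.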
If you have any problems, please post them in our Community. We are happy to solve them for you!