sessions dropping, asymmetric paths, intermittent timeouts.
Routing tables looked clean.
No interface down.
No obvious errors.
Turned out to be a route loop inside the Palo Alto firewall itself.
Context 👇
Multi-VR environment
Static routes + OSPF/BGP
Route redistribution enabled
Everything looked “correct” on paper
What actually went wrong ❌
A static route was redistributed into BGP
The same prefix was learned back from a BGP peer with equal or better preference
The firewall installed the returned copy, pointing the prefix back toward the peer
Traffic bounced between the firewall and the peer until TTL expired, with no alarm raised
No hard failure.
Just poor user experience.
How we identified it 🔍
show routing route → same prefix from multiple sources
show routing protocol bgp rib-in → self-originated routes learned back
Traffic logs showing asymmetric flow
Packet capture → TTL decrement exposed the loop
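The three checks above can be run offline against saved CLI output. The script below is an added example, not part of the original post and not Palo Alto code: it parses text samples that are constructed here to resemble `show routing route`, `show routing protocol bgp rib-in` and a packet-capture summary (exact column layout differs between PAN-OS versions, so the parsers are templates), flags prefixes present from more than one source, flags locally originated prefixes a peer is sending back, and flags a flow whose IP ID is seen repeatedly with a falling TTL, which is the loop signature a capture exposes.

```python
"""Route-loop signatures from saved PAN-OS show output, checked offline.

Added example, not from the original post or from Palo Alto. The three
text samples are CONSTRUCTED to resemble `show routing route`,
`show routing protocol bgp rib-in` and a capture summary; column layout
varies by PAN-OS version, so adapt the parsers to your own output.
"""
from collections import defaultdict

# Flag letters as PAN-OS prints them: A active, S static, B bgp, O ospf, C connect.
FLAG_PROTO = {"S": "static", "B": "bgp", "O": "ospf", "C": "connect", "R": "rip", "H": "host"}

ROUTING_ROUTE = """\
VIRTUAL ROUTER: default (id 1)
  ==========
destination       nexthop        metric flags   age  interface
10.10.0.0/16      192.0.2.1      10     S            ethernet1/1
10.10.0.0/16      198.51.100.9   0      A B     1234 ethernet1/2
10.20.0.0/24      0.0.0.0        0      A C          ethernet1/3
10.30.0.0/24      198.51.100.9   0      A B     400  ethernet1/2
"""

BGP_RIB_IN = """\
prefix            nexthop        peer       as-path
10.10.0.0/16      198.51.100.9   core-rtr   65001
10.30.0.0/24      198.51.100.9   core-rtr   65001 65010
"""

# Constructed capture summary: the same IP ID seen again and again on one
# interface with a decreasing TTL is the classic forwarding-loop signature.
CAPTURE = """\
0.000 ethernet1/2 10.20.0.5 > 10.10.4.7 id=4321 ttl=63
0.001 ethernet1/2 10.20.0.5 > 10.10.4.7 id=4321 ttl=61
0.002 ethernet1/2 10.20.0.5 > 10.10.4.7 id=4321 ttl=59
0.500 ethernet1/2 10.20.0.5 > 10.30.0.9 id=9001 ttl=63
"""


def parse_routing_route(text):
    """Return {prefix: [(nexthop, set_of_protocols), ...]} from the table."""
    routes = defaultdict(list)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or "/" not in parts[0]:
            continue                                  # header lines and the VR banner
        flags = [p for p in parts[3:-1] if not p.isdigit()]  # the age column may be blank
        protos = {FLAG_PROTO[f] for f in flags if f in FLAG_PROTO}
        routes[parts[0]].append((parts[1], protos))
    return routes


def find_multi_source(routes):
    """Prefixes present from more than one routing source (the post's first clue)."""
    out = {}
    for prefix, entries in routes.items():
        protos = set().union(*(p for _, p in entries))
        if len(protos) > 1:
            out[prefix] = protos
    return out


def parse_rib_in(text):
    rib = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 4 and "/" in parts[0]:
            rib.append({"prefix": parts[0], "peer": parts[2], "as_path": parts[3:]})
    return rib


def find_learned_back(routes, rib_in):
    """Locally originated (static/connected) prefixes a BGP peer is sending back.
    Matching on prefix rather than AS path also catches a peer that has
    re-originated the route, where our own ASN never appears in the path."""
    local = {p for p, entries in routes.items()
             if any(protos & {"static", "connect"} for _, protos in entries)}
    return {r["prefix"]: r["peer"] for r in rib_in if r["prefix"] in local}


def find_ttl_loops(capture):
    """(src, dst, ip_id) tuples seen more than once with a strictly falling TTL."""
    seen = defaultdict(list)
    for line in capture.splitlines():
        parts = line.split()
        if len(parts) != 7:
            continue
        key = (parts[2], parts[4], parts[5])
        seen[key].append(int(parts[6].split("=")[1]))
    return {k: ttls for k, ttls in seen.items()
            if len(ttls) > 1 and ttls == sorted(ttls, reverse=True) and len(set(ttls)) > 1}


if __name__ == "__main__":
    routes = parse_routing_route(ROUTING_ROUTE)
    print("multiple sources:", find_multi_source(routes))
    print("learned back:", find_learned_back(routes, parse_rib_in(BGP_RIB_IN)))
    print("ttl loop:", find_ttl_loops(CAPTURE))
```

On the constructed data all three checks point at the same prefix and flow: `10.10.0.0/16` is in the table as both static and BGP, `core-rtr` is sending it back, and the capture shows one packet crossing `ethernet1/2` three times. The AS-path check that BGP itself performs would not have helped here, because the peer re-originated the route and the firewall's ASN is not in the path.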
Fix & best practices ✅
Avoid blind bi-directional redistribution between static, OSPF and BGP
Use route filters (on PAN-OS, redistribution profiles and BGP import/export rules) to block self-originated routes
Maintain a single source of truth per prefix (static or dynamic, not both)
Tag redistributed routes (e.g. with a BGP community) and deny anything carrying your own tag on import
Always validate with real traffic and captures, not just routing tables
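The tag-and-deny rule in the list above is the one that breaks the loop. The model below is an added example, not Palo Alto configuration or code: it reproduces the control-plane sequence from the post (static exported into BGP, peer sends it back, firewall installs the returned copy because it wins on preference) and then shows that an import policy denying the firewall's own tag leaves the static in place. Administrative distances, the community value `65000:100`, the device names and the floating-static assumption that makes the returned copy win are all assumptions for the demonstration.

```python
"""Bi-directional redistribution with and without tag-and-deny, modelled.

Added example, not Palo Alto configuration or code. Only the control-plane
behaviour the post describes is modelled: a static route exported into BGP,
a peer sending it back, and the firewall installing the returned copy unless
its import policy rejects routes carrying the firewall's own tag. Distances,
the community value and device names are assumptions.
"""
from dataclasses import dataclass, field

LOCAL_TAG = "65000:100"      # assumed community stamped on everything we redistribute
BGP_AD = 20                  # assumed; matches the PAN-OS eBGP default
FLOATING_STATIC_AD = 250     # assumed backup static, so a BGP copy beats it on preference


@dataclass(frozen=True)
class Route:
    prefix: str
    proto: str                 # "static", "bgp", ...
    ad: int                    # administrative distance, lower is preferred
    nexthop: str               # device name; "lan-core" lies outside the model
    tags: frozenset = field(default_factory=frozenset)


class Rib:
    """One device's best-route table keyed by prefix."""
    def __init__(self):
        self.best = {}

    def install(self, r):
        cur = self.best.get(r.prefix)
        # The returned copy replaces the current one on equal or better preference.
        if cur is None or r.ad <= cur.ad:
            self.best[r.prefix] = r
            return True
        return False


def redistribute(rib, from_proto, via, tag):
    """Export one protocol's routes into BGP, stamping our tag on each."""
    return [Route(r.prefix, "bgp", BGP_AD, via, r.tags | {tag})
            for r in rib.best.values() if r.proto == from_proto]


def accept_import(route, deny_tags):
    """Import policy: drop anything carrying a tag we originated."""
    return not (route.tags & deny_tags)


def trace(prefix, start, devices, max_hops=8):
    """Follow next-hops device to device; True if the path revisits a node."""
    path, node = [start], start
    for _ in range(max_hops):
        r = devices[node].best.get(prefix)
        if r is None or r.nexthop not in devices:
            return path, False           # leaves the modelled topology: no loop
        node = r.nexthop
        if node in path:
            return path + [node], True
        path.append(node)
    return path, True


def simulate(deny_own_tag):
    """Return (protocol installed on fw for the prefix, whether forwarding loops)."""
    fw, peer = Rib(), Rib()
    devices = {"fw": fw, "core-rtr": peer}
    fw.install(Route("10.10.0.0/16", "static", FLOATING_STATIC_AD, "lan-core"))

    # 1. fw redistributes its static into BGP; core-rtr learns it with fw as next-hop.
    for adv in redistribute(fw, "static", via="fw", tag=LOCAL_TAG):
        peer.install(adv)
    # 2. core-rtr re-advertises what it holds; communities are preserved end to end.
    returned = [Route(r.prefix, "bgp", BGP_AD, "core-rtr", r.tags) for r in peer.best.values()]
    # 3. fw applies its import policy, then the RIB picks the best surviving copy.
    deny = {LOCAL_TAG} if deny_own_tag else set()
    for r in returned:
        if accept_import(r, deny):
            fw.install(r)

    _, loops = trace("10.10.0.0/16", "fw", devices)
    return fw.best["10.10.0.0/16"].proto, loops


if __name__ == "__main__":
    print("no filter:", simulate(deny_own_tag=False))   # BGP copy installed, fw <-> core-rtr loop
    print("tag-and-deny:", simulate(deny_own_tag=True))  # static kept, traffic exits via lan-core
```

The point of modelling the peer as well as the firewall is that the loop is only visible when you follow next-hops across both devices: each routing table on its own looks consistent, which is exactly why "routing tables looked clean" in the original incident. The same tag check belongs on every redistribution point in a multi-VR design, not only on the firewall's BGP import.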
Key takeaway 💡
Route loops don’t always bring firewalls down —
they quietly destroy performance.
Curious how others design safe redistribution in Palo Alto environments.