Rearranging of Firewall on a LAN for Automatic traffic switching.

Unanswered Question
Jan 21st, 2008

I have a problem trying to get automatic switching of traffic onto a VPN tunnel if the primary LL/Sat link fails.

The current scenario is like this:

The firewall is connected to a layer 2 LAN switch; the WAN router that hosts the Leased Line/Sat link is also connected to the same LAN switch as the firewall.

In cases where the LL/Sat fails, the traffic is manually forced to use the VPN tunnel by unplugging the cable that connects the Telecom DTU to the router serial interface. The traffic is not switching automatically to the VPN tunnel.

I need to make this happen automatically, and to avoid the manual way of forcing the traffic onto the VPN tunnel.

I have attached a drawing of how I want to reconnect the devices. Please confirm if this type of design is recommended or not. I also would like some help on how to configure automatic switching of the traffic if one fails.

jbayuka Fri, 01/25/2008 - 10:51

A problem with static routes is that no inherent mechanism exists to determine if the route is up or down. The route remains in the routing table even if the next hop gateway becomes unavailable. Static routes are removed from the routing table only if the associated interface on the security appliance goes down. In order to solve this problem, a static route tracking feature is used to track the availability of a static route and, if that route fails, remove it from the routing table and replace it with a backup route.

This document provides an example of how to use the static route tracking feature on the PIX 500 Series Security Appliance or the ASA 5500 Series Adaptive Security Appliance in order to enable the device to use redundant or backup Internet connections. In this example, static route tracking allows the security appliance to use an inexpensive connection to a secondary Internet service provider (ISP) in the event that the primary leased line becomes unavailable.

In order to achieve this redundancy, the security appliance associates a static route with a monitoring target that you define. The service level agreement (SLA) operation monitors the target with periodic Internet Control Message Protocol (ICMP) echo requests. If an echo reply is not received, the object is considered down, and the associated route is removed from the routing table. A previously configured backup route is used in place of the route that is removed. While the backup route is in use, the SLA monitor operation continues to try to reach the monitoring target. Once the target is available again, the first route is replaced in the routing table, and the backup route is removed.

Refer to ASA/PIX 7.x: Redundant or Backup ISP Links Configuration Example for more information:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtml
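The following ASA/PIX configuration is an added example of the static route tracking mechanism the reply describes; it is not part of jbayuka's reply or of the linked Cisco document. It assumes the firewall is an ASA or PIX running 7.x or later, that the LL/Sat router is the next hop on an interface named "outside", and that the gateway carrying the VPN traffic is the next hop on an interface named "backup"; the interface names, the SLA and track numbers, and all addresses (192.0.2.1, 203.0.113.1, 198.51.100.1) are constructed placeholders. It also handles the failure mode in the original question: because the firewall reaches the WAN router through a LAN switch, the firewall's own interface never goes down when the serial/DTU side fails, so only a probe that crosses the leased line can detect the outage.

```cisco
! Added example (not from the reply or the linked Cisco document); all
! interface names, object numbers and addresses are constructed placeholders.
!
! 1. Define the SLA operation: an ICMP echo to a target that is reachable
!    ONLY via the primary LL/Sat path (here the far-end router, 192.0.2.1).
!    Do not probe the local WAN router itself: it stays reachable on the
!    LAN switch even when its serial link is dead, so the track would never fall.
sla monitor 123
 type echo protocol ipIcmpEcho 192.0.2.1 interface outside
 num-packets 3
 frequency 10
!
! 2. Run the operation indefinitely, starting immediately.
sla monitor schedule 123 life forever start-time now
!
! 3. Create a tracked object bound to the reachability result of SLA 123.
track 1 rtr 123 reachability
!
! 4. Primary default route via the LL/Sat router, metric 1. The "track 1"
!    keyword withdraws it from the routing table when the probe fails.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1 track 1
!
! 5. Backup default route via the VPN gateway with a worse metric (254).
!    It is installed only while the tracked primary route is absent and is
!    removed again automatically once the probe succeeds and route 4 returns.
route backup 0.0.0.0 0.0.0.0 198.51.100.1 254
```

To confirm the behaviour after applying it, `show sla monitor operational-state` reports the probe result, `show track` shows whether object 1 is up or down, and `show route` shows which default route is currently installed; unplugging the DTU as in the original manual procedure should now move the default route to the backup next hop within roughly `frequency` times `num-packets` seconds without any further intervention. Keep the probe target stable and owned by the remote end of the leased line, since a target that goes away for its own reasons will force traffic onto the VPN even though the line is healthy.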
