Multiple Destination Routing

Unanswered Question

I have a setup where I have 2 separate data circuits, a primary and a redundant connection. In the event of the primary connection going offline, I need the secondary connection to pick up without a configuration change.


I have an application server that is set up with Microsoft Clustering Service. I point the primary and secondary connections to the VIP of the cluster. I can receive data on the primary connection, but when I switch to the secondary connection I get a routing issue. Basically the traffic is received over the secondary connection, but it replies to the primary connection.


How would I configure the route so that it times out on the first connection and tries the second? Here is what I have so far.


Circuit 1 - 192.168.5.10

Circuit 2 - 192.168.10.10


FireWall 1 - 10.10.4.10

FireWall 2 - 10.10.4.20


Cluster IP - 10.10.10.50


Circuit 1 ---> FireWall 1 ---> Cluster IP <--- FireWall 2 <--- Circuit 2


Router configuration:


ip route 192.168.5.0 255.255.255.0 10.10.4.10 10

ip route 192.168.10.0 255.255.255.0 10.10.4.10 10



ip route 192.168.5.0 255.255.255.0 10.10.4.20 20

ip route 192.168.10.0 255.255.255.0 10.10.4.20 20


Is there a better way to set the routing so that it will know which firewall to respond to?


*Note: I just set the configuration and am waiting for my next deployment to test.


This would work if I could ping the gateway of the circuit. The address available to me is the same for both circuits, so setting up EEM technically does what I need, I just have no way to set up a variable for the switch. I am more looking for a way that the server (VIP) can route back to the origination of the request. So if Circuit 2 made the request to the VIP, it would respond to Circuit 2, likewise with Circuit 1.


I am looking for a non-intervention application. As of now I am just going to script the changes in case of the need for a failover, but I would love to be able to automate this somehow, I just can't think of a direct solution.


Thanks for the suggestion though.

Ganesh Hariharan Wed, 06/02/2010 - 10:01



Hi Tim,


Need some more information on your setup... Your firewall is configured in cluster mode active/passive? What is the make and model of the firewall? And traffic from the server is configured with the VIP of the routers as gateway, which are running HSRP?


Ganesh.H


The firewalls are not set up in a cluster, they are standalone ASA 5520s. The routers are 4500s running HSRP on all the networks (10.10.10.4.x, 10.10.10.x). The issue is more with the destination route through the firewalls. If I request traffic from circuit 2, the MSCS (VIP) responds to Circuit 1 because of a static route. If I weigh the routes it does not work because Circuit 1 is still alive and can receive traffic. In order to request traffic from circuit 2 to the VIP I have to change the static routes.
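Added example (not part of the original posts): a small Python model of the static routes quoted in the question, showing why weighting them does not send replies back through FireWall 2 while FireWall 1's next hop is still reachable. The selection logic is a simplified assumption (lowest administrative distance among routes whose next hop is reachable), not router output, and the function names are hypothetical.

```python
import ipaddress

# Static routes as posted in the thread: (prefix, next hop, administrative distance)
ROUTES = [
    ("192.168.5.0/24", "10.10.4.10", 10),
    ("192.168.10.0/24", "10.10.4.10", 10),
    ("192.168.5.0/24", "10.10.4.20", 20),
    ("192.168.10.0/24", "10.10.4.20", 20),
]
FIREWALLS = {"10.10.4.10": "FireWall 1", "10.10.4.20": "FireWall 2"}
BOTH_UP = {"10.10.4.10", "10.10.4.20"}


def installed_routes(reachable_next_hops):
    """Per prefix, keep the lowest-distance route whose next hop is reachable."""
    best = {}
    for prefix, next_hop, distance in ROUTES:
        if next_hop not in reachable_next_hops:
            continue  # a static route is withdrawn only when its next hop is gone
        net = ipaddress.ip_network(prefix)
        if net not in best or distance < best[net][1]:
            best[net] = (next_hop, distance)
    return best


def reply_path(client_ip, reachable_next_hops):
    """Firewall a reply to client_ip is forwarded to, or None if no route matches."""
    addr = ipaddress.ip_address(client_ip)
    table = installed_routes(reachable_next_hops)
    matches = [net for net in table if addr in net]
    if not matches:
        return None
    longest = max(matches, key=lambda net: net.prefixlen)
    return FIREWALLS[table[longest][0]]


def is_asymmetric(ingress_firewall, client_ip, reachable_next_hops):
    """True when the reply leaves through a firewall that never saw the request.
    A standalone stateful firewall has no connection entry for such a reply."""
    return reply_path(client_ip, reachable_next_hops) != ingress_firewall


if __name__ == "__main__":
    # Request from Circuit 2 (192.168.10.10) arrives through FireWall 2.
    print(reply_path("192.168.10.10", BOTH_UP))                      # both next hops alive
    print(is_asymmetric("FireWall 2", "192.168.10.10", BOTH_UP))
    print(reply_path("192.168.10.10", {"10.10.4.20"}))               # FireWall 1 unreachable
```

The distance-20 routes only take over once 10.10.4.10 itself is unreachable, which matches the behaviour described in the post above: a failure further out on Circuit 1 changes nothing in this table.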

NoChanceIV Wed, 06/02/2010 - 19:03

Tim,


Do you have HSRP on the inside or outside of the routers? If it is on the outside, how do you determine your gateway for the client machines on the inside with two possible routers acting as gateways? Also, which gateway is your client set to use by default?

I have no control of the network outside the firewall, the inside routers are set with HSRP with Router 1 being the primary router.


Here is how a specific vlan is configured.


Router 1

interface Vlan X

description Server Subnet

ip address 10.10.10.1.2 255.255.255.0

standby 0 ip 10.10.10.1

standby 0 preempt


Router 2

interface Vlan X

description Server Subnet

ip address 10.10.10.1.3 255.255.255.0

standby 0 ip 10.10.10.1




The server in question connects to the inside HSRP VIP 10.10.10.1.
