Failover two ISP connection.


Hello everyone,


Here is my current situation.

I currently have 3 ISP providers: 2 of them are our own and the other is provided by our parent company through the WAN link. I also have two physical segments, 10.10.4.x and 10.10.8.x, each assigned its own Internet connection. These two segments are connected via a 2600 router (10.10.4.253, 10.10.8.253). Currently 10.10.4.x gets Internet access from FW1 and 10.10.8.x gets Internet access from FW2. What I would like to do, or find out if I can do, is set up the router to fail over to the opposite FW if one of the FWs goes down. Say if FW1 goes down, 10.10.4.x Internet traffic should get routed to FW2, and vice versa. Here is my current config.


! FW1 and FW2 stand for the inside addresses of the two firewalls
ip access-list extended int_routes
 ! only Internet-bound (non-RFC1918) destinations are policy-routed
 deny ip any 10.0.0.0 0.255.255.255
 deny ip any 172.16.0.0 0.15.255.255
 deny ip any 192.168.0.0 0.0.255.255
 permit ip any any

route-map groupa permit 10
 match ip address int_routes
 set ip next-hop FW1

route-map groupb permit 10
 match ip address int_routes
 set ip next-hop FW2

interface gigabitEthernet 0/1
 ip policy route-map groupa

interface gigabitEthernet 0/10
 ip policy route-map groupb


I tried to add a second next-hop to group a with the IP address of FW2, but it didn't work; it just timed out. Let me know if I am missing something in my config.



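The replies below propose HSRP on the firewalls. A different approach, shown here as an added example that is not from the thread, keeps the failover decision on the router: each firewall is probed with IP SLA, and every PBR next-hop is tied to a tracked object so that a dead next-hop is skipped instead of traffic hanging on an incomplete ARP entry. It assumes an IOS release with `ip sla`, `track` and `set ip next-hop verify-availability ... track` support (not confirmed for the poster's 2600), and uses placeholder inside addresses FW1 = 10.10.4.1 and FW2 = 10.10.8.1.

```cisco
! Added example, not from the thread: PBR next-hop failover with IP SLA probes
! and object tracking. Assumes IOS with "ip sla", "track" and
! "set ip next-hop verify-availability ... track" support, CEF enabled, and
! placeholder firewall inside addresses FW1 = 10.10.4.1, FW2 = 10.10.8.1
! (the thread only names them FW1 and FW2).
ip cef
!
! Ping each firewall's inside address every 5 s, sourced from the router's
! own address on that segment so the probe reply path is unambiguous.
ip sla 1
 icmp-echo 10.10.4.1 source-ip 10.10.4.253
 frequency 5
ip sla schedule 1 life forever start-time now
ip sla 2
 icmp-echo 10.10.8.1 source-ip 10.10.8.253
 frequency 5
ip sla schedule 2 life forever start-time now
!
! Tracked objects go DOWN when the probe fails; the delays damp flapping.
track 1 ip sla 1 reachability
 delay down 10 up 20
track 2 ip sla 2 reachability
 delay down 10 up 20
!
! Same ACL as the original post: only non-RFC1918 (Internet) destinations
! are policy-routed; internal traffic follows the routing table.
ip access-list extended int_routes
 deny   ip any 10.0.0.0 0.255.255.255
 deny   ip any 172.16.0.0 0.15.255.255
 deny   ip any 192.168.0.0 0.0.255.255
 permit ip any any
!
! Candidates are tried in sequence order and a next-hop is used only while
! its tracked object is UP, so each segment prefers its own firewall and
! falls back to the other only while the preferred one is unreachable.
route-map groupa permit 10
 match ip address int_routes
 set ip next-hop verify-availability 10.10.4.1 10 track 1
 set ip next-hop verify-availability 10.10.8.1 20 track 2
route-map groupb permit 10
 match ip address int_routes
 set ip next-hop verify-availability 10.10.8.1 10 track 2
 set ip next-hop verify-availability 10.10.4.1 20 track 1
!
interface GigabitEthernet0/1
 ip policy route-map groupa
interface GigabitEthernet0/10
 ip policy route-map groupb
```

A probe to the firewall's inside address only proves the firewall answers, not that its ISP link is up; probing an address beyond the ISP (with a static route for that target via the firewall) also catches upstream failures. Both firewalls must additionally permit and NAT traffic sourced from the other segment, otherwise the failed-over flows are dropped at the surviving firewall.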
mounir.mohamed Sat, 01/20/2007 - 11:19

Dear,


This issue is because the outgoing interface faces a multi-access network (LAN segment).

It gives you a timeout because the address is still found in the ARP table even if it is incomplete; the router will keep trying to find the ARP record for the failed FW until it finds it or times out (4 hours). During this time the traffic is routed to null, so the traffic is never forwarded to the second FW address.

So I guess you could use two different HSRP groups on the firewalls and overlap both groups like this:

(FW1 = ACTIVE in group1 and standby in group2, FW2 = ACTIVE in group2 and standby in group1)

Then set the next-hop IP to the active FW, then the standby address, in each group (overlap).

So now you can solve the ARP issue, as one of the firewalls must reply with the active group MAC address.


Please rate helpful posts


Best Regards,

Mounir Mohamed

mounir.mohamed Sat, 01/20/2007 - 11:54

Hi mate,


Sorry for that, I understood your design wrong. I thought that your FW is an IOS-FW, and I also thought that both FWs are connected to the same segment via different interfaces. HSRP is an ideal solution if your firewalls support HSRP and both of them are connected to the switch, or at least both switches are interconnected. If this matrix matches your design, let me know and I will provide you with the design.


Please rate helpful posts.


Best Regards,

Mounir Mohamed
