Screen OS

  • 1.  Automatic Default Route Failover With OSPF

    Posted 12-03-2015 13:34

    We have a scenario that is demonstrated with the inserted diagram. We have two hub locations, one primary and one secondary, with internet access and remote sites that get internet through one of those two locations (they connect through ethernet virtual private lines). On top of that, each branch location will have a local, cellular backup connection that is to be used only for credit card processing (route to a single IP) in the case that both the hub and backup site lose internet connectivity at the same time. We are required to automate the failover so if the internet connection fails at the primary site, it reroutes to the secondary site and if both the primary and secondary site are down, ONLY traffic to a single IP to process credit card transactions should be allowed to route through the local cell connection. We've been playing around with OSPF a little bit as the branch routers need to be made aware if the static default routes at the primary and secondary hubs go down. However, we don't appear to be experienced enough with dynamic routing to get this to work. If anyone could provide some advice as to how to accomplish our goal, that would be very much appreciated! Also, we are really only interested in advertising default routes through dynamic routing (or the IP for credit card processing if necessary) as this is just for internet failover. Thank you in advance for your time and please let me know if I am unclear in any way.

     

    Also, we are using SSG5 models in our test environment, all on 6.3.0r19.0.

    [Attachment: SimpleDiagram.JPG]



  • 2.  RE: Automatic Default Route Failover With OSPF
    Best Answer

    Posted 12-03-2015 17:33

    You should just have to increase the interface cost for OSPF on your backup interface to 20.  The default value for cost is 10, which will then make the routes learned on the primary interface take precedence.

    set interface NAME protocol ospf cost 20

    This is on the OSPF tab of the web interface.

    For the local cell connection, I would put this interface into a separate virtual router.  This will isolate the default route here to that VR.  Then on your primary VR create a static route for your specific IP address and make the action forward to the other virtual router.  Since there is no default route to this VR in the main router, none of the traffic will fail over to the cell connection.



  • 3.  RE: Automatic Default Route Failover With OSPF

    Posted 12-04-2015 11:32

    Thank you for your response! The problem I seem to be facing is that with OSPF, the default route from the branch to the primary only fails over to the backup location when the link goes down. I am using tunnel interfaces (since I am required to maintain IPsec VPN tunnels even across private lines) - tunnel.1 for primary and tunnel.2 for backup. So, for example, when I unplug the internet from the primary site, the tunnel.1 stays up through the private line. Since the line stays up, the route never switches to the backup site unless I sever the link between the branch and primary to take tunnel.1 down. I guess the scenario is that internet must switch over automatically even if the private lines between branch and primary stay up but internet only at primary goes down. I thought that OSPF would accomplish this by the primary site's router notifying the branch that its default route was down so it could switch over to the backup site's default route. Am I, perhaps, on the wrong path with what I'm trying to accomplish or am I still just doing something wrong? I'll have to get through this roadblock first before I move on to the cell part but what you said sounds like it may work and I'll take a look at testing soon. I should also add (although this probably makes little difference) that in the production scenario, there is only one physical link for the tunnel interfaces as the ISP is using VLAN to split the connections from location to location into separate EVC's. Thanks again for the response and let me know if you have further advice! 🙂



  • 4.  RE: Automatic Default Route Failover With OSPF

    Posted 12-04-2015 14:00

    Shoot, it seems that my mistake all along was that I had advertise default route set to always... Once I removed that option, the route now flips back and forth while the tunnels are still up but only the ISP facing interface goes down.



  • 5.  RE: Automatic Default Route Failover With OSPF

    Posted 12-04-2015 14:18

    Okay, I tested your idea of forwarding to a separate virtual router and that worked great! I set a default route with higher preference value than the OSPF (60 by default) and it forwards to the other VR which then only routes traffic for the single IP. I guess I could also do this through zones and policies but I figured it would be less intense on the device to block through routing rather than have it block through policy. I'm going to keep on testing to confirm everything is as expected but thank you so much for your advice!
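Pulling the routing pieces of the thread together as one ScreenOS configuration (an added example, not configuration posted by anyone in this thread): the hub originates its OSPF default only while its own static default exists (no "always", the setting found in reply 4), the branch prefers tunnel.1 over tunnel.2 by OSPF cost (reply 2), and the cellular link sits in its own virtual router that holds only the card-processor route, reached from trust-vr through a default route whose preference is worse than OSPF's (reply 5). Interface names, zone and VR names, the RFC 5737 documentation addresses and the card-processor host 198.51.100.25 are all assumptions.

```screenos
## ---------- Hub (primary; secondary is identical apart from addressing) ----------
## Static default towards the ISP. ScreenOS static routes carry preference 20.
## (Assumed: ethernet0/0 faces the ISP, gateway 203.0.113.1.)
set vrouter "trust-vr" route 0.0.0.0/0 interface ethernet0/0 gateway 203.0.113.1
## OSPF instance in trust-vr, spoken only on the branch-facing tunnel interface.
set vrouter "trust-vr" protocol ospf
set vrouter "trust-vr" protocol ospf enable
set interface tunnel.1 protocol ospf area 0.0.0.0
set interface tunnel.1 protocol ospf enable
## Conditional default-route origination: without the "always" keyword the hub
## stops advertising 0.0.0.0/0 as soon as its own default leaves the routing
## table, which is exactly what reply 4 found was missing.
set vrouter "trust-vr" protocol ospf advertise-def-route metric 10 metric-type 2

## ---------- Branch ----------
set vrouter "trust-vr" protocol ospf
set vrouter "trust-vr" protocol ospf enable
set interface tunnel.1 protocol ospf area 0.0.0.0
set interface tunnel.1 protocol ospf enable
set interface tunnel.2 protocol ospf area 0.0.0.0
set interface tunnel.2 protocol ospf enable
## tunnel.1 keeps the default OSPF cost of 10; the default learned over
## tunnel.2 (secondary hub) is only used once the primary stops originating.
set interface tunnel.2 protocol ospf cost 20

## Cellular link in its own VR, so its default route is never visible to trust-vr.
## (Assumed: the cellular router hands off Ethernet on ethernet0/4, next hop 192.0.2.9.)
set vrouter name "cell-vr"
set zone name "cell"
set zone "cell" vrouter "cell-vr"
set interface ethernet0/4 zone "cell"
set interface ethernet0/4 ip 192.0.2.10/30
## cell-vr carries ONLY the card-processor host; there is deliberately no
## 0.0.0.0/0 here, so anything else that lands in this VR has no route and is dropped.
set vrouter "cell-vr" route 198.51.100.25/32 interface ethernet0/4 gateway 192.0.2.9

## trust-vr: a default route into cell-vr with a preference worse than any
## OSPF-learned default (OSPF is 60 by default; OSPF external type-2 routes
## use their own, higher, default preference, hence the wide margin).
## While either hub still originates a default this route loses; when both
## are gone it wins and only 198.51.100.25 survives the hop into cell-vr.
set vrouter "trust-vr" route 0.0.0.0/0 vrouter "cell-vr" preference 250
```

Two things worth checking after applying it: `get route` on the branch should show both OSPF defaults and the preference-250 static at the same time (ScreenOS keeps all of them in the table and picks by preference, then by metric), and the cell-vr route must really be the single /32, since any broader prefix there would let other Internet traffic out over the cellular link. Reply 2's variant (a /32 route from trust-vr into cell-vr with the normal static preference of 20) would instead send card traffic over cellular permanently, because a /32 beats a default on prefix length regardless of preference; reply 5's default-route form is the one that stays idle until both hubs fail.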



  • 6.  RE: Automatic Default Route Failover With OSPF

    Posted 12-07-2015 13:20

    I did some more testing and found that, since we have no dynamic routing with our ISP, obviously we didn't account for full automated failover if the interface goes down. So, I just used interface monitoring with track-ip and that seems to work pretty well for automatically shutting down the interface if the internet connectivity goes out. That worked really well with OSPF so I think I'll keep that as part of our solution. Thanks again!



  • 7.  RE: Automatic Default Route Failover With OSPF

    Posted 12-17-2015 16:24

    Since you are using IPSEC VPN your other option would have been to use vpn monitor on the VPN to take the tunnel interface offline when the tunnel was lost.
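Failure detection for the two links, again as an added example rather than configuration from the thread: track-ip interface monitoring on the hub's ISP-facing interface (reply 6) and VPN monitoring on the branch tunnel (reply 7). Interface names, the VPN name and the probe targets are assumptions; the targets are documentation addresses standing in for the ISP next hop and a host beyond it.

```screenos
## ---------- Hub: take ethernet0/0 down when upstream reachability is lost ----------
## Enable track-ip on the ISP-facing interface.
set interface ethernet0/0 monitor track-ip ip
## Two probe targets, each weighted 128: the ISP next hop and a host beyond it.
## A target fails after 3 consecutive missed probes at 5-second spacing.
set interface ethernet0/0 monitor track-ip ip 203.0.113.1 interval 5 threshold 3 weight 128
set interface ethernet0/0 monitor track-ip ip 198.51.100.1 interval 5 threshold 3 weight 128
## Track-ip fails only when the summed weight of failed targets reaches 255,
## i.e. both targets must be unreachable; a single flaky host does not fail over.
set interface ethernet0/0 monitor track-ip threshold 255
## A failed track-ip marks the interface down, its static default leaves the
## routing table, and (without "always") OSPF stops originating the default.
set interface ethernet0/0 monitor threshold 255

## ---------- Branch: take tunnel.1 down when the IPsec tunnel itself is lost ----------
## VPN monitor pings the hub's tunnel address through the SA; "rekey" keeps the
## tunnel up proactively and tears the SA down when the peer stops answering,
## which takes tunnel.1 offline and removes its OSPF adjacency.
## (Assumed: VPN object "to-primary" is bound to tunnel.1; hub tunnel IP 10.255.0.1.)
set vpn "to-primary" monitor source-interface tunnel.1 destination-ip 10.255.0.1 rekey
```

The two monitors cover different failures. In the scenario from reply 3 the tunnel over the private line stays up while only the hub's Internet is down, so VPN monitoring alone would never trigger; track-ip at the hub is what withdraws the default there. VPN monitoring adds coverage for the case the thread's OSPF already handled, loss of the private line, but does it faster than waiting for the OSPF dead interval. Both depend on ICMP: a probe target that rate-limits or filters ping will look "down" and cause a false failover, so pick targets you control or that are known to answer.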