10-30-2008 02:14 PM
We have two SSG520s in a cluster. Active/Standby. It is a simple configuration designed just for redundancy of the firewall.
The interfaces are all identical as far as their paths go.
E/0 = Corporate Network
E/1 = Comcast (Internet)
E/2 = T1 (Internet)
E/3 = HA Link
I've had it configured for quite some time with policy-based routing to route HTTP(S) and FTP over the Comcast link. Whenever Comcast gets flaky we are unable to browse the Internet until I unplug the Comcast router from E/1, in which case policy-based routing sends HTTP(S) and FTP over the T1 (the default destination route for all other Internet traffic). This affords us the ability to keep only our VPN connections on the T1 unless Comcast fails, but of course it is a manual failover process at present.
I would like to configure it in such a way that if several IP addresses on the Internet are not pingable on the Comcast side, the interface is disabled, so that I no longer have to disable it manually.
I thought what I could use was track-ip under the E/1 interface, but got an error: unknown keyword "track-ip".
Upon further investigation I discovered that in a clustered environment IP tracking moves to NSRP, but it seems like my only choice with NSRP is to fail over the whole firewall, which will not get me what I want because the other firewall is configured with the same paths.
Is there any way that I can configure the NSRP version of track-ip to do the equivalent of interface failover?
11-02-2008 06:57 PM
Interface failover config:
NSRP Lite config (non-VSD group 0):
Please follow this procedure: configure track-ip on the interface and create an NSRP config (non-VSD group 0) in which you select the VSI interfaces yourself. The interface that will be used for interface failover should not be selected as a VSI interface.
Untrust interfaces: non-VSI interfaces
All Trust interfaces: VSI interfaces
In this way you would have the NSRP setup (Active/Passive) and the interface failover setup.
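A sketch of what that procedure looks like on the ScreenOS CLI, added here as an illustration; it is not taken from the thread or from Juniper's documentation and should be checked against the release notes for the firmware in use. It assumes ScreenOS 5.4/6.x syntax as I recall it, in particular that after `unset nsrp vsd-group id 0` a VSI for VSD group 1 is created by addressing the `ethernet0/0:1` sub-interface, while an interface that is given no `:1` sub-interface stays a physical, per-box interface and so accepts the interface-level `track-ip` keyword again. The cluster id, VSD group number, RFC 5737 addresses, tracked targets and weights are all assumptions, and lines beginning with `#` are annotations rather than CLI input.

```text
# Annotations (lines starting with #) are not ScreenOS input; paste only the set/unset lines.
# Assumed values: cluster id 1, VSD group 1, RFC 5737 addresses, ethernet0/x interface names.

# --- identical on both members ---
set interface ethernet0/3 zone HA
set nsrp cluster id 1
# Remove the default VSD group 0 so no interface is turned into a VSI automatically.
unset nsrp vsd-group id 0
# Create VSD group 1; only interfaces given a ":1" sub-interface become its VSIs.
set nsrp vsd-group id 1 preempt

# Corporate side (E/0): VSI, so the shared gateway address follows whichever box is master.
set interface ethernet0/0:1 ip 10.0.0.1/24

# Comcast side (E/1): no ":1" sub-interface, so it stays a plain physical interface.
# Each box gets its own address here (203.0.113.2 on one, 203.0.113.3 on the other).
set interface ethernet0/1 ip 203.0.113.2/29
# Tracked targets reached only through the Comcast link (assumed addresses).
# Weights 128 + 128 >= interface threshold 255, so BOTH targets must fail before the
# interface is declared down; one flaky host on its own does not trigger failover.
set interface ethernet0/1 track-ip ip 198.51.100.1 interval 2 threshold 3 weight 128
set interface ethernet0/1 track-ip ip 198.51.100.2 interval 2 threshold 3 weight 128
set interface ethernet0/1 track-ip threshold 255
set interface ethernet0/1 track-ip

# T1 side (E/2): also physical, non-VSI, one address per box.
set interface ethernet0/2 ip 192.0.2.2/30

# --- differs per member ---
# Lower number wins the VSD group; give the standby a worse priority such as 100.
set nsrp vsd-group id 1 priority 50
save
```

Things to check before trusting it: `get nsrp` should show VSD group 1 with exactly one master, `get interface ethernet0/1 track-ip` should list both targets with their current success counts, and a controlled test (filter ICMP to both tracked targets upstream, not just one) should be run while watching `get route` to confirm that the routes through ethernet0/1 go inactive and that the policy-based routing rule for HTTP(S)/FTP actually falls back to the T1 rather than pinning traffic to a dead next hop. Pick tracked targets that are only reachable via Comcast; if a target is also reachable over the T1, a Comcast outage will not be detected.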