Screen OS



ISG 2000 redundancy 2 ISP | NAT

  • 1.  ISG 2000 redundancy 2 ISP | NAT

    Posted 06-11-2014 15:38

    Hi everyone.

     

    I am new to the ISG-2000.

     

    I have an ISG-2k on NAT.

    I have 2 ISPs, 1: 280mbps and 2: 50mbps.

     

    I created a new vrouter and have 2 new zones (untrust2 and trust2), so with that I can always use both ISPs.

     

    But my question is: how can I move all traffic from one vrouter to the other when an ISP is down? (all static routing)

     

    Thanks to all, and sorry for my bad English 😞



  • 2.  RE: ISG 2000 redundancy 2 ISP | NAT

    Posted 06-11-2014 15:51

    The issue that you run into with this type of setup is the NAT.  Generally speaking, you would NAT the traffic to one address for one ISP and another address for the other ISP.  When you fail the traffic over to the other ISP, it would come from that address.  This would break anything that is static or any existing sessions.



  • 3.  RE: ISG 2000 redundancy 2 ISP | NAT

    Posted 06-11-2014 15:54

    Hi rseibert

     

    Sorry, but I don't understand. Exactly what do I need to do?

     

    Thanks



  • 4.  RE: ISG 2000 redundancy 2 ISP | NAT

    Posted 06-11-2014 15:58

    Stateful failover is not going to happen.  All sessions would reestablish using the new NAT IP.



  • 5.  RE: ISG 2000 redundancy 2 ISP | NAT

    Posted 06-11-2014 16:09

    Thanks for the answer.

     

    The sessions re-establishing is no problem for me,

    But I want to know how to use both ISPs (2 vrouters, 2 static gateways) and, when one of them goes down, have all NAT traffic go to the other vrouter using the other gateway.

     

    Thank you.



  • 6.  RE: ISG 2000 redundancy 2 ISP | NAT

    Posted 06-11-2014 16:16

    You would create a floating static route in each VR.  For example:

     

    set route 0.0.0.0/0 int eth0/0 gateway 10.1.1.1

    set route 0.0.0.0/0 vr Untrust2-vr preference 30

     

    Then you would use interface track-ip to monitor an upstream IP address.

     

    set int eth0/0 monitor track-ip ip x.x.x.x

     

     

    You would need to configure the above settings for both ISP links/VRs.



  • 7.  RE: ISG 2000 redundancy 2 ISP | NAT

    Posted 06-11-2014 16:54

    Thank you.

     

    I will try.



  • 8.  RE: ISG 2000 redundancy 2 ISP | NAT

    Posted 06-16-2014 09:07

    Hmm, I have a problem, because it doesn't have track-ip enabled....

     

    Frewall(M)-> set interface ethernet3/2 monitor ?
    interface monitor interface
    threshold failure threshold
    zone monitor zone

     

    It doesn't show the track-ip option. Does anyone know why this happens?

     

    Thanks



  • 9.  RE: ISG 2000 redundancy 2 ISP | NAT

    Posted 06-16-2014 11:05

    Because it is in a cluster you will need to define a manage-ip on the interface you are going to use track-ip on. The ping packets will source from the manage-ip, allowing each device to respond.


  • 10.  RE: ISG 2000 redundancy 2 ISP | NAT

    Posted 06-17-2014 12:16

    Thank you.

     

    I have the config like this:  100.100.100.117 > example IP of the gateway of my ISP2

     

    set interface ethernet3/2 monitor track-ip ip
    set interface ethernet3/2 monitor track-ip ip 100.100.100.117 interval 3
    set interface ethernet3/2 monitor track-ip ip 100.100.100.117 time-out 2
    set interface ethernet3/2 monitor track-ip ip 100.100.100.117 threshold 4
    unset interface ethernet3/2 monitor track-ip dynamic

     

    But when I brought the interface down (ISP2 link), the traffic does not get NATed from Untrust2 (the zone inside the vrouter called ISP2).

     

    I think the problem is that the vrouter for ISP1 does not know how to switch the traffic from the "Untrust2" zone of the vrouter called ISP2.

     

    What do I need to do?

     

    Thanks for all.



  • 11.  RE: ISG 2000 redundancy 2 ISP | NAT

     
    Posted 06-17-2014 20:21

    Hi,

     

    Have you configured redundant routes as pointed out by Bob earlier?

     

    Something like:

     

    set route 0.0.0.0/0 int eth3/2 gateway x.x.x.x

    set route 0.0.0.0/0 vr <Backup ISP VR> preference 30

     

    The track-ip setup will bring down the first route upon failure and the second route will handle traffic.

     

    Can you share your current configuration? Please replace all public IPs and sensitive configuration.



  • 12.  RE: ISG 2000 redundancy 2 ISP | NAT

    Posted 06-17-2014 21:45

    Of course. Here it is: the complete config without the passwords and original IPs.

     

    I have 2 vrouters:

     

    trust-vr (the ISP with 300mbps)

    ISP2 (the isp with 50mbps)

     

    Each vrouter has a default route and trust and untrust zones, but I want what you describe:

     

    A backup route so that when ISP2 is down, all traffic on vrouter ISP2 can go out to the internet via trust-vr.

     

    Thanks to all.




  • 13.  RE: ISG 2000 redundancy 2 ISP | NAT
    Best Answer

     
    Posted 06-17-2014 22:46

    Your ISP-2 VR configuration needs tweaking.

     

    1. You have not configured the second route recommended by Bob:

     

    set route 0.0.0.0/0 vr trust-vr preference 30 >>>>> Add this in ISP-2 VR for the traffic to be pushed through ISP-1 when ISP-2 is down

     

    2. Remove the 'permanent' flag from the default route and tweak the preference as below:

     

    set route 0.0.0.0/0 interface ethernet3/2 gateway 90.145.137.97 preference 20

    set route 0.0.0.0/0 vr trust-vr preference 30

     

     

    How does it work?

    The firewall will probe 90.145.137.97 continuously with ICMP. When there is no response, e3/2 will be DOWN logically. So, the route with preference 20 will also go down. The route with preference 30 will become active and send all traffic to Trust-VR (ISP-1).

     

    One recommendation: It may not be a good idea to track the ISP gateway for route failover, because most of the time when the ISP backbone is down, the gateway will still be up and answering probes from the firewall. It would be a good idea to track something on the internet, like 4.2.2.2, 8.8.8.8 or a public server.
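    A small model of the route selection the answer above describes, written as an added Python example (not ScreenOS code and not from anyone in this thread). It encodes the two VRs, the preference-20 and preference-30 routes, the per-interface track-ip verdict and the 'permanent' flag; the trust-vr interface ethernet1/2 is an assumption, since the thread does not show it, and its gateway 10.1.1.1 is taken from Bob's earlier example.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Route:
    preference: int                  # lower value wins, as with ScreenOS route preference
    interface: Optional[str] = None  # egress interface of a normal static route
    gateway: Optional[str] = None
    next_vr: Optional[str] = None    # inter-VR route: "set route 0.0.0.0/0 vr <name> ..."
    permanent: bool = False          # 'permanent' keeps the route installed even when the link is down

class Firewall:
    def __init__(self):
        self.vrouters = {}  # VR name -> list of 0.0.0.0/0 routes
        self.link_up = {}   # interface -> track-ip verdict (True = probe target answers)

    def set_route(self, vr, route):
        self.vrouters.setdefault(vr, []).append(route)

    def track_ip(self, interface, reachable):
        self.link_up[interface] = reachable

    def default_exit(self, vr, hops=0):
        """Return (vr, interface, gateway) used for default-route traffic in vr, or None."""
        if hops > len(self.vrouters):
            return None  # the VRs point at each other and no link is usable: traffic is dropped
        active = [r for r in self.vrouters.get(vr, [])
                  if r.next_vr or r.permanent or self.link_up.get(r.interface, False)]
        if not active:
            return None
        best = min(active, key=lambda r: r.preference)
        if best.next_vr:
            return self.default_exit(best.next_vr, hops + 1)
        return (vr, best.interface, best.gateway)

def build(with_backup_route=True, permanent_default=False):
    """Two VRs as in the thread; ethernet1/2 on trust-vr is an assumed value."""
    fw = Firewall()
    fw.set_route("trust-vr", Route(20, "ethernet1/2", "10.1.1.1"))     # ISP1 link (assumed interface)
    fw.set_route("trust-vr", Route(30, next_vr="ISP2"))                # backup via the ISP2 VR
    fw.set_route("ISP2", Route(20, "ethernet3/2", "90.145.137.97",
                               permanent=permanent_default))           # ISP2 link from the thread
    if with_backup_route:
        fw.set_route("ISP2", Route(30, next_vr="trust-vr"))            # the route the answer adds
    fw.track_ip("ethernet1/2", True)
    fw.track_ip("ethernet3/2", True)
    return fw
```

    Calling `build()` and then `track_ip("ethernet3/2", False)` reproduces the failover: `default_exit("ISP2")` moves to trust-vr only when the preference-30 route exists and the preference-20 route is not permanent.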

     



  • 14.  RE: ISG 2000 redundancy 2 ISP | NAT

    Posted 06-18-2014 04:48

    Thank you man,

     

    I don't know how to say thank you for your help.

     

    I tried this some minutes ago with low traffic and everything is perfectly fine.

     

    Thanks... the ISG is a great machine 😄

     

     



  • 15.  RE: ISG 2000 redundancy 2 ISP | NAT

     
    Posted 06-18-2014 18:38

    You are welcome, glad I could help! 🙂