Screen OS

Hi all,

 

I have 4 SSG devices configured with dynamic routing with OSPF (tunnels exist between "SSG1 an SSG2", "SSG2 and SSG4" "SSG4 and SSG3" "SSG3 and SSG1"). Now I want to prefer SSG2 - that means packets from SSG1 to SSG4 should be sent via SSG2 (not via SSG3, only if SSG2 fails).

 

I have changed the route preference on SSG2 from 60 to 40. When I review the routes on SSG2 the new preference value is shown. But this value is not published to the other SSG devices. (That means SSG1 still sends its packets to SSG4 via SSG3). I have disabled ospf on SSG2 and re-enabled - but the new values are not displayed.

 

What can I do to prefer SSG2 in creating routing entries?

 

Thanks for your help!

The route preference is local to the virtual router you configured it on and that information is not exchanged with other routers. It is used to determine the order of preference of different types of routes, e.g. OSPF vs. BGP route.

When you need to choose between two routes of the same type (OSPF in your case), then the route metric is used. You can control that value by adjusting the link Cost on a particular OSPF interface (edit interface, go to OSPF tab)

By default, your tunnel interfaces would have a cost of 10 assigned. You can lower that cost (or increase that of other interfaces) to prefer a particular link over others.

Since you are using SSG firewalls, you should configure link costs in such a way that traffic between two routers will go via the same path in both directions. In some cases, asymmetric routing can cause problems. That means you'd need to make changes on both SSG 1 and SSG 4.