09-15-2011 08:45 AM
I am setting up and HA Active/Passive cluster with 2x SSG140. The cluster is up and operational in the test lab however I have a dilemma which I hope someone may be able to assist with:
I need the ability to fail over to 4 different ISP (I know right) - The goal is to have ISP1 as primary always, but if ISP1 fails I need ISP2 to become primary, and if ISP2 fails I need ISP 3 to become primary, and if ISP3 fails I need ISP4 to become primary.
I currently have this working with monitor tracking for the 4 ISP untrust interfaces which is great if a physical port fails, but I need to do some sort of ip tracking to track the next hop of the ISP so it will fail over with a non interface failure also. I may be wrong, but I believe if I do set ip tracking for VSD0 for all ISP next hop, than if any of the ISP ip tracking fails even if it is not the primary, it will cause a failover event? This is not the desired result but may work if it is the only way.
Also I am currently failing over via 4x default routes from trust to untrust with preference 5,10,15,20. Please let me know any other thoughts of doing this.
Any assistance on the best way to do this configuration would be greatly appreciated. If you need any more info please let me know.
09-16-2011 04:12 AM
I would generally use the interface specific track ip to detect these failures.
And I tend to use the carrier DNS server as the ping target. I've found many incidents where my carrier default gateway is still up but the route to the internet is not. The carrier DNS servers have great uptime so there are low false positives but also verify actual internet connectivity not just a reachable next hop.
09-20-2011 10:44 AM
Thanks spuluka. I have configured this by trial and error and failover is working correctly.
I am now having an issue with failover to an aggregated link (ae0) on an EX4200. This is how it is configured: 2x SSg140 NSRP active/passive cluster with e0/9 int trust zone on trust VR connected to 2x EX4200. EX4200 has ae0 has the L3 address /30 connected to e0/9 on FWA and e0/9 FWB. When failover occurs the EX4200 does not pass traffic over the failover interface unless the link to e0/9 FWA physically goes down.
Any help on this is greatly appreciated.
09-22-2011 07:00 PM
I don't think AE is the right type of connection for what you outline. AE is used to create an aggregated single link out of multiple ports. This would be used to increase bandwidth when needed.
What you describe above seems like a single ethernet link to the trust zone that just needs to failover when nsrp changes devices. You also probably do not need a layer 3 vlan interface for that trust zone on the switch. Since the nsrp cluster is the layer 3 interface for that trust zone, your switch really only needs a layer 2 vlan that connects to those two firewall ports. For this you would simply have the two eth0/9 ports connected to access ports on the same vlan. Instead of a /30 connector just create the subnet large enough for your trust zone hosts and connect the switch with enough access ports for this vlan.
You can put a layer 3 vlan if you want the switch to route locally. Just keep the two interfaces that connect to the firewall as separate access ports instead of an AE bundle. Also make sure the connection between these two devices uses the virtual ip address. Since you are using a /30 you won't be able to put separate manage ip addresses onto that trust interface e0/9. there will not be any available.
09-26-2011 08:36 PM
I am running OSPF on the trust interface (eth0/9) so that the SSG can learn routes to the local LAN instead of statically setting them.
This is why I did not want to use an entire /24 VLAN because then I can only cost the entire VLAN and any other hosts in that VLAN will have OSPF enabled.
Our network currently has many internal VLANs and the server VLAN xxx has ospf enabled as do all, but all the rest are passive and VLAN xxx is not. I am trying to get away from having a single cost VLAN for all OSPF devices, but instead do "mini" VLANs with a /30 connector for different devices that I need OSPF enabled with redundancy.
This would be simple if each device only had a single interface, but since I have the SSG140s in an active/passive pair I need two interfaces to share the same virtual IP for failover. This does work correctly when a firewall failover takes place but this is the only way I can make it work. Is there any other ways you can think of to make this work other that what I have described above or having an entire VLAN used up which does not allow me much control over OSPF?
Also I have configured seperate management interfaces because I will later create a seperate management network.
I have attached a quick dirty drawing (sorry no Visio at home) of what I am configuring.
I appreciate your input on all of this as I work toward making this "bullet proof" and learning
09-27-2011 03:08 PM
Thanks for the diagram, this is a lot clearer now.
In this case, I would recommend the following.
Remove the Aggregated ethernet interface.
Assign the /30 ip address to the vlan 300 interface
Assign ports 0/0/9 & 3/0/9 as access ports in vlan 300
This should give you what you are looking for. The way NSRP works is that the active device interfaces are all up and passing the sessions while the passive device is in standby. When the failover occurs the reverse is true.
The SSG ip addresses move with the failover.
The EX vlan interface ip is visible on either switch, so no matter which upstream SSG is in active mode you will have a path for the traffic.