ScreenOS Firewalls (NOT SRX)

Dual ISP Question

04-29-2012 11:34 PM

I'm trying to figure out the best way to use two ISPs at the same time for redundancy.


I believe ECMP will cause problems for me because I'm using NAT. Source routing will be problematic because I have multiple inside interfaces (internal subnets wouldn't be able to see each other). I could use PBR. But I think simple static routes could work.


Instead of using default routes, I'll do this:
to ISP a pref 1
to ISP b pref 2
to ISP b pref 1
to ISP a pref 2
to ISP a pref 1
to ISP b pref 2
to ISP b pref 1
to ISP a pref 2
(use IP tracking to fallback to secondary route in case ISP fails)
That leaves me with a few questions. 
1. If I also host inbound services (a web server I give people access to from the internet), will asymmetric traffic give me problems? I.e., if somebody *from* ISP a connects to my web server and my return route is to ISP b, will traffic break? Both ISPs will be in the same zone. Or do the interfaces actually have to be the same as well?
2. Or, when the return traffic flows through the NetScreen (2nd packet of the TCP session), will the NetScreen ignore the routing table, see that it has an existing session, and send it back out the same interface the first packet came in on?

Re: Dual ISP Question

04-30-2012 04:45 AM
The existing session should determine where the return traffic will go. I'm just wondering if the reverse route lookup during session setup will be satisfied with an inactive route...
Accepted by topic author JulioCassettez, 08-26-2015 01:27 AM

Re: Dual ISP Question

04-30-2012 01:53 PM

Inbound services will probably work fine. You can check how the firewall handles reverse routing by issuing the command:


get flow | include clear-text


The default setting is "prefer reverse route", which means that the firewall will first try to find a route back to the originating host. If there is no active route, then packets are sent back through the incoming interface to the MAC address the packets came from (the upstream router).

You can change the default behavior as follows:


set flow reverse-route clear-text always (always do a reverse route lookup)

unset flow reverse-route clear-text (no route lookup, always use the cached MAC address)
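
As an added example from the editor, not posted by anyone in this thread, here is how the route scheme from the question and the reverse-route setting from this answer could be expressed in the ScreenOS CLI. Interface names, zones, addresses (RFC 5737 documentation ranges standing in for ISP A and ISP B) and the preference values are assumptions; the track-ip lines are written from memory of the ScreenOS syntax, so confirm them against your release's CLI reference before pasting.

```text
# Added example, not from the thread. Hypothetical layout:
#   ISP A on ethernet0/1 (203.0.113.0/24), ISP B on ethernet0/2 (198.51.100.0/24),
#   both in the untrust zone, as the questioner described.
set interface ethernet0/1 zone untrust
set interface ethernet0/1 ip 203.0.113.10/24
set interface ethernet0/2 zone untrust
set interface ethernet0/2 ip 198.51.100.10/24

# Two halves of the address space instead of one 0.0.0.0/0, each with a
# primary and a standby ISP. Lower preference wins (10 = "pref 1", 20 = "pref 2").
set route 0.0.0.0/1   interface ethernet0/1 gateway 203.0.113.1  preference 10
set route 0.0.0.0/1   interface ethernet0/2 gateway 198.51.100.1 preference 20
set route 128.0.0.0/1 interface ethernet0/2 gateway 198.51.100.1 preference 10
set route 128.0.0.0/1 interface ethernet0/1 gateway 203.0.113.1  preference 20

# IP tracking (syntax from memory; verify on your release): when the ISP gateway
# stops answering, the interface is marked down and its routes become inactive,
# so the preference-20 route for that half takes over.
set interface ethernet0/1 monitor track-ip ip
set interface ethernet0/1 monitor track-ip ip 203.0.113.1 weight 255
set interface ethernet0/1 monitor track-ip threshold 255
set interface ethernet0/2 monitor track-ip ip
set interface ethernet0/2 monitor track-ip ip 198.51.100.1 weight 255
set interface ethernet0/2 monitor track-ip threshold 255

# Reverse-route handling for replies (the point of the accepted answer).
# Default "prefer": look up an active route back to the client first; only if
# none exists, reply out the receiving interface to the cached upstream MAC.
get flow | include clear-text
# Alternatives, shown commented out:
#   set flow reverse-route clear-text always   (always route-lookup the reply)
#   unset flow reverse-route clear-text        (never look up; use cached MAC)
```

After applying this, confirm the active routes with get route and, for an inbound test connection to the web server, check with get session which interface the reply actually leaves on. With both halves of the address space covered by an active route, a client whose address falls in the half routed to the other ISP will be answered via that other ISP under the default "prefer" setting, so the session output is the check that tells you whether the path is symmetric or not.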




Re: Dual ISP Question

05-03-2012 09:55 AM

Excellent. Thanks for the response!