Hi all, I have a problem with an SSG140. I am supposed to have 3 ISPs for my network and provide load balancing/failover. My device is an ISG2000, but I am testing on an SSG140 with the configuration below.
------------------------------------------------------------------------------------------
set zone name "Z-ISP1"
set zone name "Z-ISP2"
set zone "Z-ISP1" vrouter untrust-vr
set zone "Z-ISP2" vrouter untrust-vr
set interface "ethernet0/9.1" tag 10 zone "Z-ISP1"
set interface "ethernet0/9.2" tag 25 zone "Z-ISP2"
set interface "ethernet0/8" zone "Trust"
set interface ethernet0/8 ip 10.10.250.1/25
set interface ethernet0/8 route
set interface ethernet0/9.1 ip 10.10.19.6/24
set interface ethernet0/9.1 route
set interface ethernet0/9.2 ip 10.10.25.30/24
set interface ethernet0/9.2 route
set interface ethernet0/9.1 dip 11 10.10.19.7 10.10.19.8
set interface ethernet0/9.2 dip 21 10.10.25.31 10.10.25.32
set vrouter untrust-vr route 10.10.18.1/32 interface eth0/9.1 gateway 10.10.19.1 per
set vrouter untrust-vr route 10.10.18.100/32 interface eth0/9.1 gateway 10.10.19.1 per
set vrouter untrust-vr route 10.10.18.5/32 interface eth0/9.2 gateway 10.10.25.1 per
set vrouter untrust-vr route 10.10.18.3/32 interface eth0/9.2 gateway 10.10.25.1 per
set interface ethernet0/9.1 monitor track-ip ip
set interface ethernet0/9.1 monitor track-ip threshold 100
set interface ethernet0/9.1 monitor track-ip weight 50
set interface ethernet0/9.1 monitor track-ip ip 10.10.18.1 weight 150
set interface ethernet0/9.1 monitor track-ip ip 10.10.18.100 weight 60
set interface ethernet0/9.2 monitor track-ip ip
set interface ethernet0/9.2 monitor track-ip threshold 100
set interface ethernet0/9.2 monitor track-ip weight 50
set interface ethernet0/9.2 monitor track-ip ip 10.10.18.5 weight 150
set interface ethernet0/9.2 monitor track-ip ip 10.10.18.3 weight 60
set vrouter untrust-vr route 0.0.0.0/0 int eth0/9.1 gateway 10.10.19.1
set vrouter untrust-vr route 0.0.0.0/0 int eth0/9.2 gateway 10.10.25.1
set vrouter untrust-vr max-ecmp-routes 2
set vrouter trust-vr max-ecmp-routes 2
set policy from trust to Z-ISP1 any any any nat src dip 11 perm log count
set policy from trust to Z-ISP2 any any any nat src dip 21 perm log count
set route 0.0.0.0/0 vrouter untrust-vr
------------------------------------------------------------------------------------------
My issue is that when I simulate a failure of one of the links (by disabling its VLAN on the switch connected to eth0/9), I get about 50% packet loss (±5%). It's killing me: why does the FW keep forwarding traffic to the disconnected interface?
PS: the same config using two VRs and export works like magic, but I am limited to 3 VRs in total and my FW will have 3 ISPs + Trust.
Wisam Haider
CCNP, MCTS, MCITP, MCT