We have two SSG5s with the extended license. Two ISPs will be used. However, we do not have layer 2 switches on the untrust side for connecting the two ISPs, so we have to hook one ISP to each SSG5.
I found that this setup can be implemented on the 5GT, which supports NSRP-Lite dual ISP. However, this does not seem to work well on the SSG5, since I always get "config out of sync".
I was thinking of configuring both ISPs' IP address information on both SSG5s, but only plugging ISP-A into SSG-A and ISP-B into SSG-B, leaving the ISP-B interface on SSG-A and the ISP-A interface on SSG-B unplugged. Is this a working setup?
Hi, I would go with an Active/Passive NSRP cluster and connect each ISP to a physical box. You can then use NSRP whole-box monitoring to track a specific group of IPs via ISPA. When ISPA goes down, your cluster will fail over and ISPB will be active. Outside of the NSRP config, you will need two default routes: ISPA with a metric of 1, and ISPB with a metric of 2. I hope this helps.
John Judge JNCIS-SEC, JNCIS-ENT
Map two interfaces to the Untrust zone, say eth0/0 and eth0/1. Connect eth0/0 to ISPA on the primary box and eth0/1 to ISPB on the secondary box. This solves the problem of different IP addressing on the ISP side.
In this case a NSRP failover is equivalent to the ISP failover.
What I forgot to mention is IP tracking on the primary box. Configure one or more pingable IPs at ISPA for tracking: NSRP -> Monitor -> Track IP. Also enable preempt and change the priority to a number below 100 on the primary box. Under normal conditions the default gateway on the primary FW is the one from ISPA. Any routes through eth0/1 are inactive, as this interface is always in the "Down" state; it is not cabled at all. If IP tracking fails, NSRP starts a failover. The backup FW has an active default route to ISPB. Its eth0/0 is in the "Down" state and not cabled.
As soon as the tracked IPs become reachable from the primary box again, the preempt option switches mastership back to the master after the hold-down time has elapsed. I usually configure a couple of minutes as the hold-down interval to avoid flapping.
There is no need to configure any monitoring features on the backup FW.
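The design described in the two answers above (Active/Passive NSRP cluster, one ISP cabled per box, two default routes with different metrics, IP tracking plus preempt with a hold-down on the primary), written out as ScreenOS CLI. This is an added example and not configuration posted in the thread. Interface names, the cluster and VSD-group IDs, the addresses (RFC 5737 documentation ranges), the tracked host, the timers and the ScreenOS 6.x command syntax are all assumptions to be replaced with your own; the HA link between the two boxes is assumed to be cabled and bound to the HA zone already. Lines starting with `#` are annotations, not commands.

```screenos
# ---- Entered on the primary box; the cluster config is shared by both ----
set nsrp cluster id 1
set nsrp rto-mirror sync
set nsrp vsd-group id 0

# Both Untrust interfaces are defined on both boxes, but each box cables only one of them.
set interface ethernet0/0 zone Untrust
set interface ethernet0/0 ip 198.51.100.2/30        # ISPA side (assumed address), cabled on the primary only
set interface ethernet0/1 zone Untrust
set interface ethernet0/1 ip 203.0.113.2/30         # ISPB side (assumed address), cabled on the backup only

# Two default routes. The lower metric wins while its interface is up; on each box the
# uncabled interface is Down, so only the route through the cabled ISP is ever active.
set route 0.0.0.0/0 interface ethernet0/0 gateway 198.51.100.1 metric 1
set route 0.0.0.0/0 interface ethernet0/1 gateway 203.0.113.1 metric 2

# ---- Primary box only (device-local settings) ----
# Priority below the default of 100 so this box wins the election; preempt lets it take
# mastership back once tracking recovers, after the hold-down (120 s here, assumed) has
# elapsed, which is what stops the cluster flapping on a briefly unstable ISPA link.
set nsrp vsd-group id 0 priority 50
set nsrp vsd-group id 0 preempt
set nsrp vsd-group id 0 preempt hold-down 120

# Track a pingable host at ISPA (the ISPA gateway here, assumed). Three missed probes at a
# 3 s interval add weight 255, which meets the track-ip threshold and then the device
# threshold, so the primary fails the whole box and the backup (with ISPB) becomes master.
set nsrp monitor track-ip ip
set nsrp monitor track-ip ip 198.51.100.1 interval 3 threshold 3 weight 255
set nsrp monitor track-ip threshold 255
set nsrp monitor threshold 255

# Deliberately absent: "set nsrp monitor interface ethernet0/1" on the primary (and
# "... ethernet0/0" on the backup). Those ports are uncabled and permanently Down, so
# monitoring them would mark the box as failed at all times.

# ---- Verification after cabling ----
get nsrp                     # cluster state, VSD-group priorities, which box is master
get nsrp monitor track-ip    # tracked host status and accumulated weight
get route                    # only the default route through the cabled interface shows as active
```

To test the failover without touching the cluster, block ICMP to the tracked host at ISPA (or pull the ISPA cable on the primary) and watch `get nsrp` on both boxes: the backup should become master within interval × threshold seconds, and the primary should reclaim mastership only after the tracked host has been reachable for the full hold-down period. The backup box gets no track-ip or preempt configuration, as the answer above notes.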