RE: Redundancy & Failover

From: Joseph L. Brunner <joe_at_affirmedsystems.com>
Date: Fri, 13 Jan 2012 17:41:37 +0000

Fortinets don't do failover well between candidate next hops on static routes with health checks.

You need to use OSPF/RIP all around... forget SLAs.

-Joe

-----Original Message-----
From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of Karim Jamali
Sent: Friday, January 13, 2012 12:05 PM
To: Cisco certification
Subject: OT: Redundancy & Failover

Dear Experts,

I need your support on the following scenario. I have a FortiGate firewall which is connected to 2 internet routers (Cisco routers). Now the objective I am trying to reach is to have full redundancy in terms of internet connection. I have thought of doing HSRP/VRRP, putting both routers on the same subnet and using tracking IP addresses to control pre-emption; however, this is not valid as the customer wants to keep his IP addressing the same. Thus each router is connected to the firewall on a separate subnet (public subnet) where the firewall is doing the PAT/NAT, etc.

The FortiGate firewall only seems to have a static route which can point to a single next-hop, and there is no tracking functionality for those static routes. I have thought of configuring OSPF between the FortiGate and the Cisco routers, and using default-information originate attached to a route-map on both Cisco routers with different metrics. However, when I am using the route-map I am trying to search for an SLA to match, because I don't want to match the outside interface being "UP", as this doesn't mean that the internet will be UP. Can anyone elaborate/help me find a better mechanism? So the whole line of thought is that if the internet is available on router A (by pinging a public DNS server, for instance), I will generate this default route into OSPF; else I will remove it and router B will be used for internet connectivity.

Thanks

--
KJ
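The mechanism Karim describes (probe a public DNS server, inject the default into OSPF only while the probe succeeds, worse metric on the backup router) as an added Cisco IOS example; this is not configuration from either poster. All addresses are constructed placeholders: 198.51.100.1 / 203.0.113.1 are the ISP A / ISP B next hops, 10.0.1.0/30 and 10.0.2.0/30 are the two router-to-firewall subnets, and 8.8.8.8 / 8.8.4.4 are the probed DNS servers.

```cisco
! ---- Router A (primary ISP) ---- constructed addresses, see lead-in
ip sla 1
 icmp-echo 8.8.8.8 source-interface GigabitEthernet0/0
 frequency 10
ip sla schedule 1 life forever start-time now
!
! Track object follows probe reachability; the delays dampen a flapping link
track 1 ip sla 1 reachability
 delay down 15 up 30
!
! Pin the probe target to the ISP A link. Without this, once our default is
! withdrawn the probe would be forwarded via router B's OSPF default, succeed,
! and bring our default straight back (a classic SLA flap).
ip route 8.8.8.8 255.255.255.255 198.51.100.1
!
! The default exists in the RIB only while track 1 is up
ip route 0.0.0.0 0.0.0.0 198.51.100.1 track 1
!
router ospf 1
 router-id 10.0.1.1
 network 10.0.1.0 0.0.0.3 area 0
 ! No "always" keyword: the E2 default is advertised only while 0.0.0.0/0
 ! is actually in the routing table, so no route-map/SLA match is needed.
 default-information originate metric 10
!
! ---- Router B (backup ISP) ---- same pattern, worse metric
ip sla 1
 icmp-echo 8.8.4.4 source-interface GigabitEthernet0/0
 frequency 10
ip sla schedule 1 life forever start-time now
!
track 1 ip sla 1 reachability
 delay down 15 up 30
!
ip route 8.8.4.4 255.255.255.255 203.0.113.1
ip route 0.0.0.0 0.0.0.0 203.0.113.1 track 1
!
router ospf 1
 router-id 10.0.2.1
 network 10.0.2.0 0.0.0.3 area 0
 default-information originate metric 20
```

The FortiGate learns both E2 defaults and prefers router A's metric 10 until its probe fails, at which point A withdraws the default and only B's metric 20 route remains; `show track 1` and `show ip ospf database external` on each router confirm the state during a test.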
Blogs and organic groups at http://www.ccie.net
Received on Fri Jan 13 2012 - 17:41:37 ART
