Re: IPSLA

From: Chris Rae <chris.rae07_at_me.com>
Date: Sat, 25 Apr 2015 20:09:14 +0800

Are you using IPSLA on the firewall?

Why don't you use a redundant interface?
Have both firewalls dual-homed to the ISP.
If a link fails, the active firewall will fail the link over.
If the firewall fails over, the secondary firewall's redundant interface continues to forward.

Chris

> On 25 Apr 2015, at 7:54 am, Cisco Fanatic <ebay_products_at_hotmail.com> wrote:
>
> Sorry, I am not sure why the formatting of the configuration is not coming out right. Trying one more time.
>
> !
> interface Loopback5
> ip address 10.199.199.52 255.255.255.255
> !
> ip sla 51
> icmp-echo 60.22.210.210 source-ip 10.199.199.52
> request-data-size 100
> threshold 180
> timeout 1000
> frequency 12
> ip sla schedule 51 life forever start-time now
> !
> ip sla 52
> icmp-echo 54.10.14.110 source-ip 10.199.199.52
> request-data-size 100
> threshold 180
> timeout 1000
> frequency 12
> ip sla schedule 52 life forever start-time now
> !
> track 51 ip sla 51 reachability
> delay down 17
> !
> track 52 ip sla 52 reachability
> delay down 17
> !
> ip access-list extended IGW
> permit ip 192.136.12.0 0.0.0.255 any
> !
> route-map TEST permit 10
> match ip address IGW
> set ip next-hop verify-availability 72.100.121.81 1 track 51
> set ip next-hop verify-availability 72.100.121.81 2 track 52
> set ip next-hop 10.5.11.2
> !
> interface GigabitEthernet0/5.1
> ip address 10.70.70.2 255.255.255.252
> ip policy route-map TEST
> !
> ip route 0.0.0.0 0.0.0.0 72.100.121.81 track 51
> ip route 0.0.0.0 0.0.0.0 58.148.120.254 50 track 52
> !
>
>
>
> ----------------------------------------
>> From: ebay_products_at_hotmail.com
>> To: ccielab_at_groupstudy.com
>> Subject: RE: IPSLA
>> Date: Fri, 24 Apr 2015 16:49:24 -0700
>>
>>
>>
>>> From: ebay_products_at_hotmail.com
>>> To: ccielab_at_groupstudy.com
>>> Subject: RE: IPSLA
>>> Date: Fri, 24 Apr 2015 16:41:19 -0700
>>>
>>> Ok, I borrowed a lab setup and tried to replicate this, it is not working the
>>> way I expected. Not sure what is wrong in the configuration?
>>>
>>> yuri
>>>
>>>> From: ebay_products_at_hotmail.com
>>>> To: ccielab_at_groupstudy.com
>>>> Subject: IPSLA
>>>> Date: Fri, 24 Apr 2015 13:03:18 -0700
>>>>
>>>> The idea is to test Internet connectivity from 2 different connections. If one
>>>> link fails, the traffic flows through the other link. I have a firewall in
>>>> between.
>>>> The issue is that when I am using IPSLA, since the firewalls are stateful, the
>>>> inbound and outbound traffic should be coming from the same interface.
>>>> I don't have lab hours but will try to get some topology built next weekend.
>>>> Want to check with smart men and women if the link below can solve this?
>>>> Especially the traffic going out and coming back is stateful.
>>>> https://learningnetwork.cisco.com/thread/54245?start=0&tstart=0
>>>> yuri
>>>>
>>>>
>>>> Blogs and organic groups at http://www.ccie.net
>>>>
>>>> _______________________________________________________________________
>>>> Subscription information may be found at:
>>>> http://www.groupstudy.com/list/CCIELab.html

Received on Sat Apr 25 2015 - 20:09:14 ART

This archive was generated by hypermail 2.2.0 : Sat May 02 2015 - 12:03:21 ART