https://community.cisco.com/t5/network-security/flexconfig-not-working/m-p/4389145#M1080109 <P>Hi,</P><P>i got the solution.</P><P>anyway the default route to ISP1 will take all routes from routing table. so below configuration is planned and working now.</P><P>create extended ACL for specific subnet 10.10.10.0/24 which you want to redirect into ISP2 (standard ACL not support for Flex config suggested from Cisco TAC)</P><P>create route-map and add the extended ACL also specify the next-hop 123.123.123.123 as Firewall ISP2 gateway.</P><P>&nbsp;</P><P>Create flexconfig</P><P>interface Port-channel10<BR />policy-route route-map&nbsp;<STRONG>insert route-map object</STRONG></P><P>&nbsp;</P><P>then deploy the flex config.</P> Mon, 19 Apr 2021 05:13:51 GMT Vishnu_RR 2021-04-19T05:13:51Z https://community.cisco.com/t5/network-security/flexconfig-not-working/m-p/4388336#M1080074 <P>Hi,</P><P>we have ISP1 and ISP2. There is metric 1 for ISP1 and metric 2 for ISP2. both ISP are in separate zone. when i create flexconfig for specific souce with ISP2 which is not working and still hitting ISP1 only.\</P><P>&nbsp;</P><P>i have configured below flexconfig.</P><P>1. standard access-list = 10.10.10.0/24</P><P>2. route-map</P><P>3. flexconfig</P><P>route-map $Route-Map permit 10</P><P>set ip next-hop $ISP2_GW</P><P>&nbsp;</P><P>interface Port-channel2<BR />policy-route route-map $Route-Map</P><P>&nbsp;</P><P>do i need to do any more changes</P><P>When i do the packet-tracer shows 10.10.10.0/24 is hitting ISP1 only.</P> Fri, 16 Apr 2021 12:14:36 GMT https://community.cisco.com/t5/network-security/flexconfig-not-working/m-p/4388336#M1080074 Vishnu_RR 2021-04-16T12:14:36Z https://community.cisco.com/t5/network-security/flexconfig-not-working/m-p/4388375#M1080075 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1129046">@Vishnu_RR</a>&nbsp;</P> <P>Are you using FMC or FDM to configure this? Which version?</P> <P>Can you provide the configuration output (screenshot and running config).</P> Fri, 16 Apr 2021 13:18:20 GMT https://community.cisco.com/t5/network-security/flexconfig-not-working/m-p/4388375#M1080075 Rob Ingram 2021-04-16T13:18:20Z https://community.cisco.com/t5/network-security/flexconfig-not-working/m-p/4388379#M1080076 <P>Hi thanks for your response.</P><P>FMC and FTD version is 6.6.1</P><P>&nbsp;</P><P>we configured below objects<BR />standard ACL = 10.10.10./24<BR />Route-map = sequence number 10 and standard ACL called here and next-hop 123.123.123.123(ISP2 Gateway) is specified.<BR />flex-object = ISP2GW - 123.123.123.123</P><P>&nbsp;</P><P>Flexconfig configuration<BR />route-map $route-map-name permit 10<BR />set ip next-hop $ISP2GW</P><P>&nbsp;</P><P>interface Port-channel10<BR />policy-route route-map $route-map-name</P><P>&nbsp;</P><P>when i did the packet-tracer for souce 10.10.10.10 and destination 8.8.8.8 is showing ISP1 is the next-hop.</P><P>&nbsp;</P> Fri, 16 Apr 2021 13:24:58 GMT https://community.cisco.com/t5/network-security/flexconfig-not-working/m-p/4388379#M1080076 Vishnu_RR 2021-04-16T13:24:58Z https://community.cisco.com/t5/network-security/flexconfig-not-working/m-p/4388393#M1080077 <P>Please provide the output of:</P> <P>&nbsp;</P> <P>show run int Po10<BR />show run route-map<BR />show run access-list<BR />show policy-route</P> <P>show route</P> <P>&nbsp;</P> <P>Po10 is the inside interface right?</P> Fri, 16 Apr 2021 13:39:11 GMT https://community.cisco.com/t5/network-security/flexconfig-not-working/m-p/4388393#M1080077 Rob Ingram 2021-04-16T13:39:11Z https://community.cisco.com/t5/network-security/flexconfig-not-working/m-p/4388422#M1080078 Yes Po10 is the inside interface<BR /> Fri, 16 Apr 2021 14:31:08 GMT https://community.cisco.com/t5/network-security/flexconfig-not-working/m-p/4388422#M1080078 Vishnu_RR 2021-04-16T14:31:08Z https://community.cisco.com/t5/network-security/flexconfig-not-working/m-p/4389145#M1080109 <P>Hi,</P><P>i got the solution.</P><P>anyway the default route to ISP1 will take all routes from routing table. so below configuration is planned and working now.</P><P>create extended ACL for specific subnet 10.10.10.0/24 which you want to redirect into ISP2 (standard ACL not support for Flex config suggested from Cisco TAC)</P><P>create route-map and add the extended ACL also specify the next-hop 123.123.123.123 as Firewall ISP2 gateway.</P><P>&nbsp;</P><P>Create flexconfig</P><P>interface Port-channel10<BR />policy-route route-map&nbsp;<STRONG>insert route-map object</STRONG></P><P>&nbsp;</P><P>then deploy the flex config.</P> Mon, 19 Apr 2021 05:13:51 GMT https://community.cisco.com/t5/network-security/flexconfig-not-working/m-p/4389145#M1080109 Vishnu_RR 2021-04-19T05:13:51Z