topic Re: FTD Dual ISP Loadbalancing in Network Security

FTD Dual ISP Loadbalancing

Piyush_Sharma — Fri, 21 Feb 2020 16:00:33 GMT

Hi,

Please suggest any way to Dual ISP load-balancing on Cisco FTD running Version 6.2.3.3.

Re: FTD Dual ISP Loadbalancing

Maxim Kraev — Mon, 12 Nov 2018 04:53:35 GMT

I use PBR via FlexConfig. But in this scenario i don't have sla for auto change channel when one of it is down.

Re: FTD Dual ISP Loadbalancing

Abheesh Kumar — Mon, 12 Nov 2018 06:29:20 GMT

Hi,

You can configure Policy Based Routing in FTD with IP SLA. You can Load-balance the traffic as per the accesslist you mentioned in the route-map. With the help of tracking the availability of next hop you can achieve auto switch traffic when one interface is down. With the help of Flex config you do the configuration of PBR, below video link will help you to configure PBR in FTD with IP SLA.

https://www.youtube.com/watch?v=MKcSBTJ55e8

HTH

Abheesh

Re: FTD Dual ISP Loadbalancing

Marvin Rhoads — Mon, 12 Nov 2018 07:30:06 GMT

You cannot.

It has the same basic capabilities in this regard as an ASA. There's the ability to failover plus some rudimentary policy based routing. Neither equates to what one would call ISP load balancing though.

Re: FTD Dual ISP Loadbalancing

Maxim Kraev — Mon, 12 Nov 2018 22:26:30 GMT

Thanks! Good manual!

But when i assign tracks to default routes i have error -

"More than one interface defined

SLA Monitor requires only one interface for route tracking
More than one interface defined for SLA Monitor which is referred by Static Route
Please select only one interface for SLA Monitor referred by Static Route"

Why in this video all good?

Re: FTD Dual ISP Loadbalancing

Maxim Kraev — Wed, 14 Nov 2018 04:42:32 GMT

I found the problem. I have mistakes in security zones. So i have two interface in one security zones. Because of this tracking didn't assigning. Now all works! Thanks!

Re: FTD Dual ISP Loadbalancing

Abheesh Kumar — Wed, 14 Nov 2018 10:54:17 GMT

Good to here that...

Re: FTD Dual ISP Loadbalancing

SIMMN — Fri, 03 Jan 2020 18:42:31 GMT

I know it is an old post but I agree, for one, you can not simply load balance NAT translations. But failover.

Re: FTD Dual ISP Loadbalancing

HaniAbuelkhair6735 — Mon, 18 Jan 2021 19:25:38 GMT

Hi @Maxim Kraev

Did you managed dual ISP failover between 2 WAN links using FTD and managing the box using FMD manageled via the web ?

Re: FTD Dual ISP Loadbalancing

Herald Sison — Mon, 30 May 2022 16:24:09 GMT

Hi Sir,

how did you actually make it work? I have tried on my FTD 7.0.1.1 and FMC7.0.1.1 but still the traffic still goes to the ISP1 and no traffic is going in to the ISP2. However my failover works well when i shutdown ISP1 all traffic goes to ISP2.

can i ask a step by step process on this one? I tried watching the youtube video provided but i can barely understand what he is saying and the video is a bit blurry to watch.

thank you in advance sir more power

Re: FTD Dual ISP Loadbalancing

Herald Sison — Mon, 30 May 2022 16:29:03 GMT

I agree because technically there is no load balancing happening within the config and the system, what really happened is you just divide manually the traffic of your inside lan to 2 outside interfaces. I really dont know why cisco cannot develop a system that can ratio the inside traffic to pass to your multiple outside interface automatically. In my experience with sonicwall NSA firewalls, they are capable of doing such ratio balancing depends on the percentage you assign to either outside interface and it works well but the downside of NSA's are they are too buggy sometimes.

Re: FTD Dual ISP Loadbalancing

Marvin Rhoads — Mon, 30 May 2022 18:13:59 GMT

Cisco has made a tactical decision not to pursue that feature set with their firewalls. They would prefer to sell you a Viptela or other SD-WAN solution to address that need (and increase revenue).

Right or wrong, that's how they do it and their profits and stock dividends tell them the market is rewarding that decision.

Re: FTD Dual ISP Loadbalancing

Herald Sison — Tue, 31 May 2022 09:14:38 GMT

Thanks sir, is there a detailed document that can help me with this setup? i have tried watching the video link posted above but unfortunately the video is a bit blurry and i barely can understand his words and also he did not setup up everything from scratch that is why i am a bit confused,

Thanks in advance

UPDATE: i made it work just fine!

Re: FTD Dual ISP Loadbalancing

Herald Sison — Wed, 01 Jun 2022 05:51:32 GMT

Hi Sir,

i have configured PBR via flex config and it works now. i have divided the traffic in to 2 and it was successful however only 1 traffic can connect to the site to site vpn and the other one cannot.

i already added 2 vpn configurations for each traffic but still only one is going through? is there anything that i need to tweak to make the 2 traffic connected to the site to site vpn?

Re: FTD Dual ISP Loadbalancing

Marvin Rhoads — Wed, 01 Jun 2022 12:33:41 GMT

When traffic is being sent over a site-to-site VPN, it does so based on the first match to the crypto map ACLs in that section of the configuration. So it will not load balance that subset of your traffic.

Re: FTD Dual ISP Loadbalancing

Herald Sison — Thu, 02 Jun 2022 16:33:47 GMT

Is there a remedy for this one sir? I have tried configuring 2 site to site vpn for each outisde interfaces but still only 1 interface gets connected. The weird thing is that ASA from the other peer of the S2S VPN can ping all subnets of the FTD but on the FTD only 1 interace can ping thr ASA and the other interface got an RTO.

Re: FTD Dual ISP Loadbalancing

Jack G — Thu, 31 Aug 2023 15:19:00 GMT

So, if one has two default routes (one for each ISP) with the same Metric field value of 1, the firewall won't attempt to load balance at all? I'm not sure how the firewall determines which default route to use if both are 1.

Re: FTD Dual ISP Loadbalancing

Marvin Rhoads — Thu, 31 Aug 2023 15:40:39 GMT

If you have provider-independent network and two ISP routers you can have two equal cost default routes on a given interface. In that case, your FTD will dynamically hash traffic based on source and destination address and port to balance it across the two routes. (The method is not configurable.)

ECMP is also now supported and you can read more about that feature in the configuration guides.

Re: FTD Dual ISP Loadbalancing

Jack G — Thu, 31 Aug 2023 16:02:31 GMT

Yes, ECMP and path monitoring does appear to be the way to go. Wondering what's left before an FTD can be considered "SD-WAN" 🙂

Re: FTD Dual ISP Loadbalancing

Marvin Rhoads — Thu, 31 Aug 2023 16:18:52 GMT

Stay tuned for release 7.4 which adds some more advanced path monitoring features.

7.2 already added a bunch:

https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/720/management-center-device-config-72/routing-policy-based.html