Hello everyone, we are running FMC/FTD (4110) v6.2. Is it possible to create a PBR policy with IP SLA for an Active/Active dual ISP scenario? So far I am able to configure PBR with next hop, but I don't see any option to tie in IP SLA with the route map.
First step is to configure IP SLA tracking for the desired host. This will ensure R1 router will continuously monitor the Linux proxy and stop redirecting http traffic to it in the event it fails:
The above configuration defines and starts an IP SLA probe on router R1.
The ICMP Echo probe sends an ICMP Echo (ping) packet to IP 192.168.150.2 every 4 seconds, as defined by the frequency parameter.
Timeout sets the amount of time (in milliseconds) the Cisco IOS IP SLAs operation waits for a response from its request packet. This has been set to 2000 milliseconds, or 2 seconds, which gives the host ample time to respond.
Threshold sets the rising threshold that generates a reaction event and stores history information for the Cisco IOS IP SLAs operation.
After defining the IP SLA operation, our next step is to define an object that tracks the SLA probe. This can be accomplished by using the IOS Track Object as shown below:
The above command will track the state of the IP SLA operation. If there are no ping responses from the monitored IP address (192.168.150.2), the track will go down and it will come back up when the IP SLA operation starts receiving ping responses once again.
To verify the track status, use the “show track” command as shown below:
R1# show track 1
IP SLA 1 reachability
Reachability is Up
30 changes, last change 1d08h
Latest operation return code: OK
Latest RTT (millisecs) 1
The command output verifies that the tracked object is UP and has a response time of 1ms. A closer look shows that, for the duration of the tracking, the state has changed 30 times and the last change was 1 day and 8 hours ago. This information is extremely important should it be necessary to troubleshoot intermittent problems that might be reported by the users.
The show route-map command is a favourite as it combines enough information to help verify everything is working as it should:
The numbers shown here verify immediately that our host is reachable (up) and that R1 has redirected more than 510MB of traffic through the Linux proxy!
The show IP SLA statistics command provides in a similar way useful information that helps verify the object tracking is working correctly and the tracked host is up:
I am searching for this, but I am not able to find this for firewalls. I will certainly give you some links which may help you to dig in.
If that helps!
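The router-side steps described above (IP SLA probe, track object, route map), as an added example that is not part of the original post or the article it quotes. The probe target, frequency and timeout come from the post; the threshold value, ACL name, client subnet, route-map name and interface are assumptions.

```cisco
! Added example for Cisco IOS. Values marked "assumed" are not from the thread.
!
! 1. ICMP echo probe towards the Linux proxy
ip sla 1
 icmp-echo 192.168.150.2
 ! assumed value; IOS requires threshold <= timeout, so set it first
 threshold 1000
 ! wait 2000 ms for a reply
 timeout 2000
 ! send a probe every 4 seconds
 frequency 4
ip sla schedule 1 life forever start-time now
!
! 2. Track object that follows the reachability state of probe 1
track 1 ip sla 1 reachability
!
! 3. Traffic to redirect (assumed ACL name and client subnet)
ip access-list extended HTTP-TRAFFIC
 permit tcp 192.168.1.0 0.0.0.255 any eq www
!
! 4. Route map: use the proxy as next hop only while track 1 is up.
!    When the track goes down the set clause is skipped and the
!    packet follows the normal routing table.
route-map PROXY-REDIRECT permit 10
 match ip address HTTP-TRAFFIC
 set ip next-hop verify-availability 192.168.150.2 1 track 1
!
! 5. Apply the policy on the client-facing interface (assumed name)
interface GigabitEthernet0/1
 ip policy route-map PROXY-REDIRECT
```

A plain `set ip next-hop` without `verify-availability ... track` keeps forwarding to the next hop after the probe fails, which is the gap the question describes.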
Active/Standby Dual ISP:
You can achieve that by creating an SLA Monitor Object and linking it with a static route.
Open the device from Device Management under "Devices"
Navigate to Routing > Add Static Route Configuration >
Fill in your route details.
The last option "Route Tracking" will help you add a "SLA Monitor Object".
Complete the SLA Monitor Object configuration and attach it with the route and you are good to go.
You can also create and modify your SLA Monitors under "Objects"
Active/Active Dual ISP:
This requires creating a policy based route which is not directly supported by FMC and hence needs to be achieved through FlexConfig.
Yes, in version 6.2 it is possible to do that with FlexConfig.
Here is a video that explains step by step how to do it: