10-11-2023 02:14 AM
Hi Everyone,
I have 4 ISPs connected to my FTD 7.0.5 device (ASA5508-X) with FMC 7.3.0.
Now I have configured 3 of the ISPs to route for our internal network and created a FlexConfig for that, and the other ISP has been routed to my DMZ network with a separate FlexConfig.
So technically 2 separate FlexConfigs have been added under Selected Append FlexConfigs, and after deploying we experienced downtime for the whole internal network. So I am thinking whether creating 2 separate FlexConfigs may have caused this problem, and whether it is possible to combine the 2 FlexConfigs into 1 FlexConfig file. Is it possible, or is it still the same?
Here are the 2 FlexConfigs below consolidated into 1. I don't know if this works or not since I have not deployed it yet.
route-map $RM permit 10
 set ip next-hop verify-availability $INTERNET2_GW 1 track 5
 set ip next-hop verify-availability $INTERNET1A_GW-US 2 track 6
 set ip next-hop verify-availability $INTERNET1B_GW-ASIA 3 track 7
route-map $RM permit 30
 set ip next-hop verify-availability $INFINIVAN1A_GW-US 1 track 6
 set ip next-hop verify-availability $INFINIVAN1B_GW-ASIA 2 track 7
 set ip next-hop verify-availability $INTERNET2_GW 3 track 5
route-map $RM permit 33
 set ip next-hop verify-availability $INTERNET1B_GW-ASIA 1 track 7
 set ip next-hop verify-availability $INTERNET2_GW 2 track 5
 set ip next-hop verify-availability $INTERNET1A_GW-US 3 track 6
interface GigabitEthernet1/3
 policy-route route-map $RM
route-map $DMZ-RM permit 250
 set ip next-hop verify-availability $DMZ-WAN 1 track 8
interface GigabitEthernet1/5
 policy-route route-map $DMZ-RM
11-16-2023 04:24 AM
In your setup, consolidating the two FlexConfigs into one should not cause any issues. Your combined FlexConfig looks correct as it's written, and having them in one FlexConfig should make the configuration cleaner and easier to manage.
The downtime you experienced might have been caused by other factors. The process of deploying a FlexConfig should not cause any downtime, as it should only reconfigure the device without interrupting the existing sessions. However, some changes like changing the routing can cause temporary disruption until the routing table is updated across all devices.
Before you deploy the new FlexConfig, I would recommend that you:
Review your routing setup: Make sure that your route-maps are correctly configured and that there are no conflicts between them.
Check your tracking setup: Ensure that the tracks are correctly set up and are associated with the right interface or IP SLA.
Monitor the network: Use network monitoring tools to watch network performance during the deployment. If any issues occur, you can identify them quickly.
Backup: Always back up your current configuration before making any changes. This way you can easily revert to the previous state if something goes wrong.
Lastly, if you have Cisco support, it could be useful to reach out to them for more specific advice tailored to your network setup.
11-16-2023 04:34 AM
That's correct. What you need is:
First, match the traffic under the route-map.
Do you track 8.8.8.8? What interface do you use for each track?
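The two replies above recommend checking that every route-map entry actually matches traffic and that every `track N` referenced by a next-hop is backed by a defined track/SLA object before the FlexConfig is deployed. The script below is an added example of such a pre-deployment lint; it is not a Cisco tool and not code from this thread. It parses a FlexConfig-style text fragment in the same syntax as the poster's route-maps and flags permit entries with no match clause (which apply to all traffic reaching the interface), next-hops that reference an undefined track, and interfaces that apply a route-map that is never defined. The sample input, including the `sla monitor`/`track` objects and the `$GUEST-RM` and `PBR_INSIDE_TO_INTERNET2` names, is constructed for the example and is not taken from the original post.

```python
"""Pre-deployment lint for an FTD/ASA FlexConfig PBR fragment (added example).

Checks performed on a FlexConfig-style text:
  * route-map permit entries that set a next-hop but have no match clause
  * 'set ip next-hop verify-availability ... track N' with no 'track N' object
  * 'policy-route route-map X' on an interface where route-map X is undefined
"""
import re
from dataclasses import dataclass, field


@dataclass
class RouteMapEntry:
    name: str
    seq: int
    matches: list = field(default_factory=list)
    next_hops: list = field(default_factory=list)  # (next_hop, preference, track_id)


def parse_flexconfig(text):
    """Return (entries, tracks, applied) from a FlexConfig-style text.

    entries: {(route-map name, seq): RouteMapEntry}
    tracks:  set of track ids defined with 'track N rtr M reachability'
    applied: {interface name: route-map name}
    Lines that are not part of the route-map / track / policy-route grammar
    (e.g. 'sla monitor ...') are ignored.
    """
    entries, tracks, applied = {}, set(), {}
    current, iface = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        m = re.match(r"route-map (\S+) permit (\d+)$", line)
        if m:
            current = RouteMapEntry(m.group(1), int(m.group(2)))
            entries[(current.name, current.seq)] = current
            iface = None
            continue
        m = re.match(r"interface (\S+)$", line)
        if m:
            iface, current = m.group(1), None
            continue
        m = re.match(r"track (\d+) rtr \d+ reachability$", line)
        if m:
            tracks.add(int(m.group(1)))
            current, iface = None, None
            continue
        m = re.match(r"match (.+)$", line)
        if m and current:
            current.matches.append(m.group(1))
            continue
        m = re.match(r"set ip next-hop verify-availability (\S+) (\d+) track (\d+)$", line)
        if m and current:
            current.next_hops.append((m.group(1), int(m.group(2)), int(m.group(3))))
            continue
        m = re.match(r"policy-route route-map (\S+)$", line)
        if m and iface:
            applied[iface] = m.group(1)
    return entries, tracks, applied


def lint(text):
    """Return a list of human-readable findings; an empty list means clean."""
    entries, tracks, applied = parse_flexconfig(text)
    findings = []
    defined_maps = {name for name, _ in entries}
    for (name, seq), e in sorted(entries.items()):
        if e.next_hops and not e.matches:
            findings.append(f"route-map {name} {seq}: no match clause, applies to all traffic")
        for hop, _pref, trk in e.next_hops:
            if trk not in tracks:
                findings.append(f"route-map {name} {seq}: next-hop {hop} references undefined track {trk}")
    for iface, rm in applied.items():
        if rm not in defined_maps:
            findings.append(f"interface {iface}: policy-route route-map {rm} is not defined")
    return findings


# Constructed sample: the sla/track objects, the ACL name and $GUEST-RM are
# assumptions for this example, not configuration from the original post.
SAMPLE = """
sla monitor 5
 type echo protocol ipIcmpEcho 203.0.113.1 interface INTERNET2
sla monitor schedule 5 life forever start-time now
track 5 rtr 5 reachability
sla monitor 6
 type echo protocol ipIcmpEcho 198.51.100.1 interface INTERNET1A
sla monitor schedule 6 life forever start-time now
track 6 rtr 6 reachability
track 7 rtr 7 reachability
route-map $RM permit 10
 match ip address PBR_INSIDE_TO_INTERNET2
 set ip next-hop verify-availability $INTERNET2_GW 1 track 5
 set ip next-hop verify-availability $INTERNET1A_GW-US 2 track 6
route-map $RM permit 30
 set ip next-hop verify-availability $INFINIVAN1A_GW-US 1 track 6
route-map $DMZ-RM permit 250
 set ip next-hop verify-availability $DMZ-WAN 1 track 8
interface GigabitEthernet1/3
 policy-route route-map $RM
interface GigabitEthernet1/5
 policy-route route-map $DMZ-RM
interface GigabitEthernet1/6
 policy-route route-map $GUEST-RM
"""

if __name__ == "__main__":
    for finding in lint(SAMPLE):
        print(finding)
```

Run it against the text of the FlexConfig object (with the FMC variables left as `$NAME`) before pushing it; anything it reports is a candidate for the "route-maps correctly configured" and "tracks associated with the right IP SLA" checks in the reply above. The track definition it expects is the ASA/FTD `track N rtr M reachability` form.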
11-16-2023 09:46 PM
This has been addressed. You are right, we had a different issue occur, which is why traffic was disrupted. Thank you.
11-16-2023 11:01 PM
Can I know what the problem was here?
11-17-2023 01:04 AM
Hi Sir, we were hitting a bug that was not related to PBR. We have already applied the workaround and it is now running smoothly.