Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1255
Views
0
Helpful
5
Replies

Flexconfig not working

Vishnu_RR
Level 1
Level 1

‎04-16-2021 05:14 AM

Hi,

we have ISP1 and ISP2. There is metric 1 for ISP1 and metric 2 for ISP2. both ISP are in separate zone. when i create flexconfig for specific souce with ISP2 which is not working and still hitting ISP1 only.\

 

i have configured below flexconfig.

1. standard access-list = 10.10.10.0/24

2. route-map

3. flexconfig

route-map $Route-Map permit 10

set ip next-hop $ISP2_GW

 

interface Port-channel2
policy-route route-map $Route-Map

 

do i need to do any more changes

When i do the packet-tracer shows 10.10.10.0/24 is hitting ISP1 only.

0 Helpful
5 Replies 5

Rob Ingram
VIP
VIP

‎04-16-2021 06:18 AM

@Vishnu_RR 

Are you using FMC or FDM to configure this? Which version?

Can you provide the configuration output (screenshot and running config).

0 Helpful

Vishnu_RR
Level 1
Level 1

‎04-16-2021 06:24 AM

Hi thanks for your response.

FMC and FTD version is 6.6.1

 

we configured below objects
standard ACL = 10.10.10./24
Route-map = sequence number 10 and standard ACL called here and next-hop 123.123.123.123(ISP2 Gateway) is specified.
flex-object = ISP2GW - 123.123.123.123

 

Flexconfig configuration
route-map $route-map-name permit 10
set ip next-hop $ISP2GW

 

interface Port-channel10
policy-route route-map $route-map-name

 

when i did the packet-tracer for souce 10.10.10.10 and destination 8.8.8.8 is showing ISP1 is the next-hop.

 

0 Helpful

Rob Ingram
VIP
VIP
In response to Vishnu_RR

‎04-16-2021 06:39 AM

Please provide the output of:

 

show run int Po10
show run route-map
show run access-list
show policy-route

show route

 

Po10 is the inside interface right?

0 Helpful

Vishnu_RR
Level 1
Level 1
In response to Rob Ingram

‎04-16-2021 07:31 AM

Yes Po10 is the inside interface
0 Helpful

Vishnu_RR
Level 1
Level 1

‎04-18-2021 10:13 PM

Hi,

i got the solution.

anyway the default route to ISP1 will take all routes from routing table. so below configuration is planned and working now.

create extended ACL for specific subnet 10.10.10.0/24 which you want to redirect into ISP2 (standard ACL not support for Flex config suggested from Cisco TAC)

create route-map and add the extended ACL also specify the next-hop 123.123.123.123 as Firewall ISP2 gateway.

 

Create flexconfig

interface Port-channel10
policy-route route-map insert route-map object

 

then deploy the flex config.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card