07-24-2018 10:51 AM - edited 02-21-2020 08:00 AM
Hi,
Please suggest any way to Dual ISP load-balancing on Cisco FTD running Version 6.2.3.3.
11-11-2018 08:53 PM
I use PBR via FlexConfig. But in this scenario i don't have sla for auto change channel when one of it is down.
11-11-2018 10:28 PM - edited 11-11-2018 10:29 PM
Hi,
You can configure Policy Based Routing in FTD with IP SLA. You can Load-balance the traffic as per the accesslist you mentioned in the route-map. With the help of tracking the availability of next hop you can achieve auto switch traffic when one interface is down. With the help of Flex config you do the configuration of PBR, below video link will help you to configure PBR in FTD with IP SLA.
https://www.youtube.com/watch?v=MKcSBTJ55e8
HTH
Abheesh
11-12-2018 02:26 PM
Thanks! Good manual!
But when i assign tracks to default routes i have error -
"More than one interface defined
SLA Monitor requires only one interface for route tracking
More than one interface defined for SLA Monitor which is referred by Static Route
Please select only one interface for SLA Monitor referred by Static Route"
Why in this video all good?
11-13-2018 08:42 PM
I found the problem. I have mistakes in security zones. So i have two interface in one security zones. Because of this tracking didn't assigning. Now all works! Thanks!
11-14-2018 02:54 AM
01-18-2021 11:25 AM - edited 01-18-2021 11:25 AM
Hi @Maxim Kraev
Did you managed dual ISP failover between 2 WAN links using FTD and managing the box using FMD manageled via the web ?
05-30-2022 09:24 AM
Hi Sir,
how did you actually make it work? I have tried on my FTD 7.0.1.1 and FMC7.0.1.1 but still the traffic still goes to the ISP1 and no traffic is going in to the ISP2. However my failover works well when i shutdown ISP1 all traffic goes to ISP2.
can i ask a step by step process on this one? I tried watching the youtube video provided but i can barely understand what he is saying and the video is a bit blurry to watch.
thank you in advance sir more power
11-11-2018 11:30 PM
You cannot.
It has the same basic capabilities in this regard as an ASA. There's the ability to failover plus some rudimentary policy based routing. Neither equates to what one would call ISP load balancing though.
01-03-2020 10:42 AM - edited 01-03-2020 10:42 AM
I know it is an old post but I agree, for one, you can not simply load balance NAT translations. But failover.
05-30-2022 09:29 AM
I agree because technically there is no load balancing happening within the config and the system, what really happened is you just divide manually the traffic of your inside lan to 2 outside interfaces. I really dont know why cisco cannot develop a system that can ratio the inside traffic to pass to your multiple outside interface automatically. In my experience with sonicwall NSA firewalls, they are capable of doing such ratio balancing depends on the percentage you assign to either outside interface and it works well but the downside of NSA's are they are too buggy sometimes.
05-30-2022 11:13 AM
Cisco has made a tactical decision not to pursue that feature set with their firewalls. They would prefer to sell you a Viptela or other SD-WAN solution to address that need (and increase revenue).
Right or wrong, that's how they do it and their profits and stock dividends tell them the market is rewarding that decision.
05-30-2022 07:25 PM - edited 05-31-2022 02:14 AM
Thanks sir, is there a detailed document that can help me with this setup? i have tried watching the video link posted above but unfortunately the video is a bit blurry and i barely can understand his words and also he did not setup up everything from scratch that is why i am a bit confused,
Thanks in advance
UPDATE: i made it work just fine!
05-31-2022 10:51 PM
Hi Sir,
i have configured PBR via flex config and it works now. i have divided the traffic in to 2 and it was successful however only 1 traffic can connect to the site to site vpn and the other one cannot.
i already added 2 vpn configurations for each traffic but still only one is going through? is there anything that i need to tweak to make the 2 traffic connected to the site to site vpn?
06-01-2022 05:33 AM
When traffic is being sent over a site-to-site VPN, it does so based on the first match to the crypto map ACLs in that section of the configuration. So it will not load balance that subset of your traffic.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide