Best IP to track for SLA on Firewalls if Destination does not return pings

CiscoBrownBelt · ‎07-25-2018

So if I have a destination that a FW must reach that that does not return pings (goes from FW to ISP router through internet to Destination) what is best ip to track in SLA configs. I know some may use 8.8.8.8 but any better ideas? The ISP router assisns the FW a DHCP address so I should see the ISP addy by show arp correct? I don't want to use the ISP router IP because connection along path to destination could go down but ISP router IP is still pingable and therefore traffic would not failover to standby FW which goes to another ISP router.

Any ideas?

What if you only have one FW but 2 ISP routers. Would configuring redundant interfaces on FW (one to ISP1 and other 2 ISP2) be a good option for redundancy?

johnlloyd_13 · ‎07-25-2018

hi,

your description of the problem is a bit vague.could you post a brief diagram of your setup?

do you have 2x internet edge routers going to different ISPs?

CiscoBrownBelt · ‎07-27-2018

It is pretty basic. See attachment.

Basically the end host to reach has pings turned off, I know I can track the interface of the ISP router but is it better to track something else reachable on the internet like 8.8.8.8 instead of tracking let's say the ISP inside (int to the switch)?

balaji.bandi · ‎07-27-2018

Your diagram show only 1 connection.

Yes if you have 2 ISP and you want to resilience for connection, you can use SLA to track

if the link 1 fails, move to 2nd link...and once link 1 come back either you can also configure to preempt

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

CiscoBrownBelt · ‎07-27-2018

Ok so is it best to track the inside link instead of configuring to track a ping of an IP on the internet such as 8.8.8.8?