Hello @fmugambi 

To go further, from the setup you've outlined, your connectivity issue may arise from asymmetric routing or insufficient path control between the two ISPs. Since you have a BGP session with each ISP and are advertising a /24 network, some additional path manipulation may be necessary to ensure the stability and reachability of the /29 subnet on your FTD interface.

When both BGP neighbors are active, the weight attribute alone primarily influences outbound traffic from your network, directing it through one ISP as preferred. However, inbound traffic depends on the path selection by each ISP and their route preferences. If inbound traffic from users on the internet attempts to reach the /29 FTD IP but is routed inconsistently due to ISP preferences, this can cause asymmetric routing, where return traffic follows a different path than expected. This asymmetry can disrupt the connection, especially if session state tracking is required (as is typical in firewalls).

To address these routing inconsistencies, you may consider setting up additional BGP attributes:

- Local Preference is used within your AS to prefer one ISP over another for outbound traffic. By configuring local preference, you can ensure that specific traffic prefers a particular BGP path for outgoing connections. However, keep in mind that local preference alone doesn’t influence inbound traffic.

- AS Path Prepending is helpful for inbound traffic control. By adding extra instances of your AS number to the AS path when advertising to one ISP, you make that path appear longer and less attractive. This can effectively push inbound traffic toward the ISP without the AS path prepending, allowing you to guide incoming connections based on your preferences. For instance, if you want ISP 1 to be the preferred inbound path, you can prepend your AS number on routes advertised to ISP 2, making ISP 1 appear more favorable to external traffic.

To further stabilize reachability for the IP address within the /29 subnet on the FTD interface, consider advertising the /29 prefix directly to both ISPs. BGP will generally prefer more specific routes over aggregate routes, so by advertising the /29 prefix, you ensure that this traffic is routed more predictably. This approach allows for finer control over traffic destined for this specific subnet, reducing the risk of traffic interruptions due to path changes at the /24 level.

To accomplish the desired routing behavior, you could configure the following:

Fisrt, advertise the full /24 network to both ISPs to maintain overall internet reachability.
Next, advertise the /29 subnet separately to each ISP. Apply AS path prepending on one of the ISP connections to bias incoming traffic toward the other ISP.
Use local preference within your AS to influence outbound traffic paths if certain ISP paths are preferred for outgoing traffic.

This should help you to manage both outbound and inbound traffic more effectively, improving stability and reachability to the /29 network on the FTD, and helping mitigate asymmetric routing issues...

For Outbound weight is OK

For Inbound If as-prepend not work (you still have see asymmetric) mostly because ISP remove private AS.

then try advertise/24 in one path and /23 in other path' this make user have two prefix and use longest to forward traffic' if /24 path down the user will use then /23 to forward traffic.

MHM