HSRP & Routing

Hello all,

I have a question regarding routing with HSRP.  We have two ASR1001s; one is used for our primary Internet and the 2nd is used for our backup Internet.  I was wondering if it is possible to point a network device, such as a firewall, to use the 2nd ASR1001 that's part of an HSRP group as its default gateway?  This 2nd ASR1001 is the standby device for HSRP.  I wanted to point a specific subnet that is behind its own firewall to use this connection out to the Internet.  If I set the firewall to the interface IP instead of the virtual IP, it's still going to route to the active HSRP router for Internet connectivity.  I want to change this behavior.  My thought would be to apply a route map.  What are your thoughts on this?

Thanks,

Terence

18 Replies

Richard Burts (Hall of Fame)

Terrence

I am puzzled why you think that, if you point the firewall to use the interface IP of the standby router, the packet would go to the active HSRP router.  If you use the physical interface IP then that is where the packet will be forwarded - and essentially it is ignoring any HSRP on the interfaces. So if there is some problem with the standby ASR router, traffic would not automatically redirect to the other router (which is the benefit that you get from HSRP).

You do not need a route map to achieve what I think you are describing as your desired outcome.

HTH

Rick

That's what I thought until I tested it.  When I changed the firewall and pointed the gateway to the interface IP instead of the HSRP IP, it still routed Internet traffic through our primary connection.  I know this because my traceroute showed the IP address of the interface that's connected to our ISP.  Am I missing something?

Terrence

I think it would help our discussion if we had some specifics to work with. If you can give us the actual addresses that would be nice and if you need to protect the actual addresses then just translate your real addresses into the corresponding private address (10.0.0.0 or 172.16.0.0 or 192.168.0.0). Please tell us the address of the firewall, the interface address of the primary router, the interface address of the standby router, and the virtual address of HSRP. Then tell us how you pointed the firewall and to which address.

Perhaps if we see that information we might have an explanation.

HTH

Rick

[edit] It would also be helpful if you would give us a brief description of how the ASR routers connect to the ISP and to the Internet.

HTH

Rick

Sure I can do that but I have a meeting to go to in 5 minutes. I'll provide that info in a little while.  Thanks again!

Rick,

Here are some IP configurations for the devices of interest (I've changed the IPs to hide the real IP addresses):

ASR1001 - Primary Internet:

interface GigabitEthernet0/0/0
 description *** INTERNET ***
 ip address 192.100.72.230 255.255.255.252
 negotiation auto
interface GigabitEthernet0/0/1
 ip address 192.100.74.253 255.255.255.0
 standby 1 preempt
 standby 2 ip 192.100.74.1
 standby 2 preempt delay minimum 60
 speed 1000
 no negotiation auto

ASR1001 - Backup Internet:

interface GigabitEthernet0/0/0
 description *** INTERNET ***
 ip address 192.100.73.10 255.255.255.252
 negotiation auto
!
interface GigabitEthernet0/0/1
 ip address 192.100.74.254 255.255.255.0
 standby 1 preempt
 standby 2 ip 192.100.74.1
 standby 2 preempt delay minimum 60
 speed 1000
 no negotiation auto

Firewall:

IP Address - 192.100.74.108

Mask - 255.255.255.0

Gateway - 192.100.74.1

If I point the gateway address of the firewall to the secondary router (192.100.74.254), traffic behind this firewall destined for the Internet should go through the backup Internet connection.  I tested and had someone else test but traceroutes show that it still hits the primary router (192.100.74.253) and I think it's due to HSRP.

It is not the cause of your problem, but your HSRP config is a bit messy. First of all, the standby statements should all match; you have a mixture of 1 and 2 in the statements above. All of the numbers should be the same.

Also, you have not specified which HSRP router should be the master and slave using priority values. With this config they will both inherit the default priority. The device with the highest IP address will become master. Do a "show standby" on one of the routers to verify.

Also, whichever device becomes HSRP master in this scenario will always be master as long as the G0/0/1 interface is up because you are not tracking anything.

With regard to your problem - can you provide a traceroute from your firewall and the output of "show arp" (or equivalent)?
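As an added example (not code from the thread or from any of the posters), here is a small checker that parses the Gi0/0/1 stanzas exactly as they were posted above and reports the three points raised in this reply: a group number that carries options but no virtual IP, no explicit priority, and nothing tracked. The function names and the "peers agree" cross-check are my own additions.

```python
import re
from collections import defaultdict

# Constructed sample: the two Gi0/0/1 stanzas as posted in the thread.
PRIMARY_GI001 = """\
interface GigabitEthernet0/0/1
 ip address 192.100.74.253 255.255.255.0
 standby 1 preempt
 standby 2 ip 192.100.74.1
 standby 2 preempt delay minimum 60
"""
BACKUP_GI001 = """\
interface GigabitEthernet0/0/1
 ip address 192.100.74.254 255.255.255.0
 standby 1 preempt
 standby 2 ip 192.100.74.1
 standby 2 preempt delay minimum 60
"""

# Matches 'standby <group> <keyword> [args]'; 'standby version 2' is not a group line.
STANDBY_RE = re.compile(r"^\s*standby\s+(\d+)\s+(\S+)(?:\s+(.*))?$")

def parse_standby(config):
    """Return {group: {keyword: args}} for every 'standby <n> <keyword> ...' line."""
    groups = defaultdict(dict)
    for line in config.splitlines():
        m = STANDBY_RE.match(line)
        if m:
            groups[int(m.group(1))][m.group(2)] = m.group(3) or ""
    return dict(groups)

def lint_hsrp(config):
    """Flag, for one interface stanza, the three issues raised in the thread."""
    findings = []
    for g, opts in parse_standby(config).items():
        if "ip" not in opts:
            # 'standby 1 preempt' with no 'standby 1 ip' is an orphan group
            findings.append(f"group {g}: options set but no 'standby {g} ip'")
            continue
        if "priority" not in opts:
            findings.append(f"group {g}: no explicit priority (defaults to 100)")
        if "track" not in opts:
            findings.append(f"group {g}: nothing tracked, WAN failure will not trigger failover")
    return findings

def peers_agree(config_a, config_b):
    """True when both routers define the same active groups with the same virtual IP."""
    a = {g: o["ip"] for g, o in parse_standby(config_a).items() if "ip" in o}
    b = {g: o["ip"] for g, o in parse_standby(config_b).items() if "ip" in o}
    return a == b
```

Running `lint_hsrp` on either stanza reports the orphan group 1, the missing priority (the 105 mentioned later in the thread was left out of the paste) and the missing track; `peers_agree` confirms both routers share group 2 with 192.100.74.1.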

My apologies but I'm not sure how I forgot to include the HSRP priority.  It is in my config but I somehow didn't include it when I copied things over.  Anyway, the primary router has a priority of 105.  Since this is a network I inherited, I'm not sure why the HSRP group numbers aren't the same.  I'll have to look into that a little later and try to find/figure out why it was configured that way. 

Here is part of the traceroute:

C:\>tracert -d google.com

Tracing route to google.com [74.125.140.139]
over a maximum of 30 hops:

  1     1 ms     1 ms    <1 ms  192.168.60.1    <--- Inside firewall IP
  2     2 ms     1 ms     1 ms  192.100.74.108  <--- Public side of firewall
  3     2 ms     1 ms     1 ms  192.100.74.253
<--- Output cut --->

Can you provide a traceroute from your firewall and the output of "show ip route" and "show arp" (or equivalent)?

Can you also provide a "show standby" from one of the routers please?

Bear in mind what I said about your HSRP setup - at the moment it will not work if the WAN link goes down on the master.

The firewall is a Barracuda NG FW so I can tell you that the only networks that are going to show up are the default route and the inside network (192.168.60.x/23).  This is a separate network from our corporate network.  Here is the show standby from the primary ASR:

router#sh standby
GigabitEthernet0/0/1 - Group 2
  State is Active
    2 state changes, last state change 23w5d
  Virtual IP address is 192.100.74.1
  Active virtual MAC address is 0000.0c07.ac02
    Local virtual MAC address is 0000.0c07.ac02 (v1 default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 0.656 secs
  Preemption enabled, delay min 60 secs
  Active router is local
  Standby router is 192.100.74.254, priority 100 (expires in 9.360 sec)
  Priority 105 (configured 105)
  Group name is "hsrp-Gi0/0/1-2" (default)

The HSRP IP of 192.100.74.1 is what's showing in the ARP table of this firewall.  I don't want to provide a screenshot of the table because it reveals our actual IPs and I have to keep that info private.  However, I do not see the 192.100.74.254 address in the arp cache of the firewall.

"However, I do not see the 192.100.74.254 address in the arp cache of the firewall."

Well that does not sound good - what about if you ping 192.100.74.254 from the firewall and then view the arp cache. Do you see it then?

That's what I've been trying to do but I don't see where in the Barracuda NG FW I can ping/traceroute.  It's kind of weird and this is one reason why I don't like the Barracuda FW.  I'll see if I can find a way to ping and then will reply again with the results.

Ok, I was able to access the CLI of the firewall and run a ping to 192.100.74.254 and got replies.  I also checked the arp cache and it shows up there.

Can you do a "route print" from the command line while you are there?

I was just reading up on the Barracuda and you can run a tcpdump on the interface which might be useful.

Here is the route print from the firewall:

route --verbose

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.6.0     192.168.60.38   255.255.255.0   UG    0      0        0 port3
192.100.74.0    *               255.255.255.0   U     0      0        0 port4
127.0.1.0       *               255.255.255.0   U     0      0        0 tap0
127.0.3.0       *               255.255.255.0   U     0      0        0 tap2
127.0.2.0       *               255.255.255.0   U     0      0        0 tap1
192.168.60.0    *               255.255.254.0   U     0      0        0 port3

If I can't get traffic behind the firewall to go out through the second connection, then perhaps I'll look into doing GLBP and just load balance the traffic between the two ASRs.