thanks for the comments

do you think it is even possible to do internet failover between two locations?

If I understand the original post correctly there is a dedicated link between the sites. With a dedicated link between sites it should be possible to do Internet failover between the sites. To accomplish failover you would take these steps:

- each site establishes a default route to reach the Internet. We do not know at this point whether that would be a static default route or whether there might be a dynamic routing protocol between the site and its provider.

- each site would establish a process to monitor its local default route. If the local default route is a static route the process would probably involve tracking with IP SLA. If there is a dynamic routing protocol then the protocol would monitor the default route and would withdraw the learned default route if there were a problem reaching its ISP.

- each site would configure a routing protocol running over the dedicated link.

- each site would use the routing protocol on the dedicated link and if the local default route is valid it would advertise its default route to the other site using an Administrative Distance or a routing metric which makes the default route learned from the routing protocol less attractive than the local default route.

So what you would wind up with is in normal operation each site would have its own preferred default route to its ISP and would have a default route learned by the site to site routing protocol as a backup. If the local default route is withdrawn then the site would begin using the default route learned from the other site. 

We do not know what you are doing for address translation. But I believe that you would need to configure the router connected to each ISP to translate the addresses of both sites in the case of a failover.

HTH

Rick

I will do nat on firewall and the switch below firewall will be backbone switch which i guess that I need to setup ip sla to monitor default route.

one thing I am not sure is if I do ip sla on backbone switch, default route will be firewall.

even if internet goes down, I won't be able to detect by monitoring firewall.

is it possible to monitor public internet from back bone switch to detect if internet goes down?

Thanks for you input.

There are some things about your network that we do not know and which might affect the advice that we would give. Do the firewalls learn a default route from the ISPs dynamically and based on what they have learned from ISP advertise a default route into your network? Or do the firewalls just advertise a configured default route? Or is the default route configured on the backbone switch and just uses firewall as next hop?

When you configure IP SLA you can specify what address you want to monitor. Many people set it up to monitor the next hop address. But it is quite possible for you to monitor some address in the ISP. You need to be sure that the address that you are tracking is reached through the local ISP. You do not want the monitor to report the address is successfully reachable - but is reached via the failover route. The usual solution is a static route for an address that specifies both an exit interface (the interface used to get to the firewall) and specifies a next hop (the address of the firewall).

Address translation on the firewall is fine. My point was that the address translation needs to work with source addresses from the lans on both sites.

HTH

Rick