
IP SLA Route Failover

doesterhuizen
Level 1

Hi All

We have a router that is connected to 2 firewalls. These 2 firewalls have access to the internet via 2 different service providers. From time to time one of these links goes down, which triggers a manual process of routing specific destinations over the other link. The solution I have come up with is as follows:

The IP SLA below will check if it can send and receive an ICMP request to a destination

ip sla monitor 1

type echo protocol ipIcmpEcho 196.xxx.xxx.xxx source-ipaddr xxx.xxx.xxx.xxx

timeout 3000

frequency 30

hours-of-statistics-kept 1

ip sla monitor reaction-configuration 1 react timeout threshold-type immediate action-type trapOnly

ip sla monitor schedule 1 life forever start-time now

I then track this ip sla

track 1 rtr 1 reachability

If the ICMP does not reply, follow a less reliable route until the primary route comes back up, then it will follow the more reliable route

ip route 196.xxx.xxx.xxxx 255.255.255.255 10.xxx.xxx.xxx 5 name RouteCellSysFtp(backuproute)

More reliable route

ip route 196.xxx.xxx.xxx 255.255.255.255 10.xxx.xxx.xx name RouteCellSysFtp(primaryroute) track 1

Questions for the above:

My concern about the above is that there might be a flap and the route will jump between backup route and primary route.

How do I tell the IP SLA to experience 3 failures before using the backup route?

To confirm the operation above so that I understand it correctly:

When the ICMP fails, the router will use the backup route. While it's using the backup route, the router keeps trying to send an ICMP via the primary route till it comes back up. When it comes back up it fails back over to the primary route. Is this the correct understanding?

The second ip sla

This service provider is a bit more strict about what they allow; we could not use an ICMP echo request for this one. Instead they asked us to check if we can make an FTP connection. The below will try to make a connection to the destination via port 21; if it can't make a connection (I know this is not a true test as there might be a problem with the server, but they have assured us that there is a secondary server that will take over should the primary fail) then we must fail over to a less reliable route.

ip sla monitor 2

type tcpConnect dest-ipaddr 196.xxx.xxx.xxx dest-port 21 source-ipaddr 10.xxx.xxx.xxx control disable

timeout 10000

frequency 300

hours-of-statistics-kept 1

ip sla monitor reaction-configuration 2 react connectionLoss threshold-type immediate action-type trapOnly

ip sla monitor schedule 2 life forever start-time now

I then track this ip sla

track 2 rtr 2 state

If the ICMP does not reply, follow a less reliable route until the primary route comes back up, then it will follow the more reliable route

ip route 196.xxx.xxx.xxx 255.255.255.255 10.xxx.xxx.xxx 5 name RouteItouchFtp(backuproute)

More reliable route

ip route 196.xxx.xxx.xxx 255.255.255.255 10.xxx.xxx.xxx name RouteItouchFtp(primaryroute) track 2

Questions for the above:

My concern about the above is that there might be a flap and the route will jump between backup route and primary route.

How do I tell the IP SLA to experience 3 failures before using the backup route?

To confirm the operation above so that I understand it correctly:

When the "ftp" connection fails, the router will use the backup route. While it's using the backup route, the router keeps trying to make an "ftp" connection via the primary route till it comes back up. When it comes back up it fails back over to the primary route. Is this the correct understanding?

I would like to send some kind of notification when the router fails over to the backup route and when the router fails back to the primary route, with an SNMP trap which will get sent to our NMS and notify us. If there is another way for notifications to be sent I would be keen to hear; I'm sure one could do an SNMP query.

Thanks in advance for any feedback or suggestions on how I can tune the above.

1 Reply

Mike Williams
Level 5

Your understanding is correct. As far as flapping, the best way I know to control that is a longer frequency setting. I don't believe there is a delay or dampening feature.

As far as alerting, I believe you will need something that can monitor the syslog and alert you when the particular IP SLA syslog messages occur. I don't know of any IP SLA SNMP MIBs. Alternatively, you could have your monitoring software alert you at a low threshold if traffic is going across the second internet connection, assuming it's typically not in use.

Regards,
Mike


Sent from Cisco Technical Support Android App
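
An added example, not part of the thread and not Cisco tooling, of the syslog monitoring suggested in the reply: it parses tracking state-change messages, reports each failover and failback, and flags flapping. The `%TRACKING-5-STATE` line layout, the collector-prepended ISO timestamp, the host name `rtr1`, and the 3-changes-in-5-minutes flap threshold are assumptions; the log lines are constructed.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines, as a syslog collector might store them (ISO timestamp
# and host prepended by the collector). The %TRACKING-5-STATE layout is assumed.
SAMPLE_LOG = """\
2024-01-10T02:15:30 rtr1 %TRACKING-5-STATE: 1 rtr 1 reachability Up->Down
2024-01-10T02:16:00 rtr1 %SYS-5-CONFIG_I: Configured from console by admin on vty0
2024-01-10T02:16:30 rtr1 %TRACKING-5-STATE: 1 rtr 1 reachability Down->Up
2024-01-10T02:17:00 rtr1 %TRACKING-5-STATE: 1 rtr 1 reachability Up->Down
2024-01-10T02:40:00 rtr1 %TRACKING-5-STATE: 2 rtr 2 state Up->Down
2024-01-10T03:10:00 rtr1 %TRACKING-5-STATE: 2 rtr 2 state Down->Up
"""

# Track object number -> route name prefix from the configuration in the question.
ROUTES = {1: "RouteCellSysFtp", 2: "RouteItouchFtp"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+%TRACKING-5-STATE:\s+(?P<track>\d+)\s+"
    r"(?:rtr|ip sla)\s+\d+\s+(?:reachability|state)\s+(?P<old>Up|Down)->(?P<new>Up|Down)\s*$"
)

def parse_events(text):
    """Yield (timestamp, host, track_id, new_state) for each tracking state change."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield (datetime.fromisoformat(m["ts"]), m["host"], int(m["track"]), m["new"])

def build_alerts(text, flap_count=3, flap_window=timedelta(minutes=5)):
    """Return alert strings: one per failover/failback, plus a flap warning when
    a track object changes state flap_count times within flap_window."""
    alerts, history = [], {}
    for ts, host, track, new in parse_events(text):
        route = ROUTES.get(track, f"track {track}")
        kind = "FAILOVER to backup" if new == "Down" else "FAILBACK to primary"
        alerts.append(f"{ts.isoformat()} {host} {route}: {kind}")
        recent = [t for t in history.get((host, track), []) if ts - t <= flap_window] + [ts]
        history[(host, track)] = recent
        if len(recent) >= flap_count:
            alerts.append(f"{ts.isoformat()} {host} {route}: FLAPPING "
                          f"({len(recent)} changes in {flap_window})")
    return alerts

if __name__ == "__main__":
    print("\n".join(build_alerts(SAMPLE_LOG)))
```

The returned strings can be handed to whatever notification channel the NMS already uses; the track-to-route mapping must match the `track` numbers on the router.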
