02-08-2014 12:31 AM - edited 03-04-2019 10:17 PM
We have two ISP links terminated on 2 different routers and two ASAs active/standby. If one link goes down automatically the second link takes the load.
Now we want to acheive the scenario like - have both the links utilized parallely and at same time with above link failover.
Can someone guide me..
02-08-2014 01:46 AM
Do you mean the current setup is in an active/standby state on the fws.
This question would be best suited for the security/firewall forum -although with the exceptional experience on CSC am sure some else will be able to answer your question on here also much better than I can.
However my basic understanding to you query is that there are some necessary requirements prior to applying active/active fw mode
1) same hardware /iOS version / fw mode and correct licence ( I think unrestricted) on each fw
2) only works with multiple fw contexts
3) static routing only plus ISP addressing needs to be static also (basically no dynamic routing)
Sent from Cisco Technical Support iPad App
02-08-2014 08:13 AM
My first question is, are these "ISP Links" form the same ISP or different ISPs? Also, do you have network address space that is assigned to you, and if so, is this Provider Independent or Provider Assigned address space (IE Public Network).
Now that those question are over, Do both your two ISP Routers connected to your Core on the internal network? If so, you can also do load balancin gto pick ISP1 and or ISP2 at the same time, but with two different firewalls, you can run into asymetric routing issues, which can cause lots of firewall issues, due to the fact, that is you establish a TCP connection to Web Server 22.214.171.124 and then the traffic comes back to the other firewall, it's not going to have this stateful information saved (so to speak), and will drop the connection.
02-08-2014 10:14 PM
Below are the answers..
1. Both are from different providers
2. Network address space assigned by provider
3. Right now i don't have any servers hosted in network which people access from outside. My only intention is to make both the internet links are utilized at same time(for browsing, and also if one link goes down the traffic should continue to go on the other link).
02-08-2014 10:10 PM
Now FWs are in active/standby mode.
02-08-2014 10:43 PM
Could you please provide inter-connectivity diagram and current configuration on your FWs and routers?
PS: per my understanding (of your case), load-sharing could be done only by routers.
02-09-2014 05:10 AM
They're are a variety of ways to do this.
Depending on how many vlans you have, you might just want to configure Policy Based Routing(PBR), and have half of your vlans go to one ISP and the other half go to the other, from that you can configuire ip sla tracking, and if connection to your upstream next hop on either ISP goes down, it takes that route down, and everything else is routed out the one up ISP.
This would provide redundancy incase of an ISP failure, and load balancing as well.
When you configure 'ip sla' I would incorporate the 'icmp-echo' feature, and set the ip to 126.96.36.199, and the source IP, as the IP configured on that link to the ISP from your router(s). The reason why I say 188.8.131.52, if your directly connected link to your ISP fails, then that will fail as well, also, there could be an issue upstream in you rISPs bcakbone, and then traffic could go out another link in your ISPs core.
I would configure this on you core, if you have both of your routers connected to your core that is.
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: