05-23-2019 06:32 PM
Configured the path monitor on my primary ISP route per this guide,
It worked great when I unplugged the cable from the primary ISP CPE. The default route went to the backup ISP. The problem is the primary default route doesn't recover when I put the cable back. I waited till the monitor claimed the status was up. But the primary default route is shown as inactive (missing the A flag).
BTW: the backup ISP is DHCP with automatically add default route enabled.
05-24-2019 12:22 AM
Hi @Dennis-Wu ,
Did you enable preemption?
By default, preemption is disabled on the firewalls and must be enabled on both firewalls. When enabled, the preemptive behavior allows the firewall with the higher priority to resume as active or active-primary after it recovers from a failure.
device-priority-and-preemption
Cheers !
-Kiwi.
05-24-2019 06:12 AM
When the monitor claims the status is up is when the preemptive hold timer actually starts counting down to verify the path is stable. By default, this is set to 2 minutes. Did you allow enough time for the preemptive hold timer to pass so the link should have actually become active?
Also important, did you weight the route metrics?
05-24-2019 09:00 AM
@BPry appreciate your hint. I did wait till the preemptive time finished. And the metric is correct, as in the beginning, before I unplugged the primary ISP cable, the default route was pointing to the primary ISP correctly.
Update: Found it's actually interference with the DHCP type of ISP. I have to disable the "automatically create default route" on the interface and use a static route with next hop to the ISP GW. It is not a 100% solution as the ISP GW could change. But I can live with it for now.
10-28-2021 07:08 AM
Hi @BPry ,
Do you know by any chance if there's a way to monitor via CLI the countdown of the preemptive hold timer? I just started supporting a deployment where the prior integrator configured 60 minutes of preemption, so at least I would like to know if the timer is actually counting down or not.
Thanks in advance!
10-28-2021 01:54 PM
Hello,
For this scenario, I usually utilize Policy Based Forwarding. Pretty much the same thing, however PBF happens before the virtual routers data so it's always first.
Just a thought.
02-01-2023 10:25 AM
I am having the same issue. Even when I attempt to perform the same ping ingress and egress from both firewalls, the pings are successful. Both sides are Palo Altos in my case.