Tunnel and PBF Monitoring Driving Me Crazy

L4 Transporter
Okay, I can't think straight. Sorry if I ramble on. I can't seem to wrap my head around this and I'm thinking I am making it more complicated than it really is. This is also hard to test since I can't turn up the new ISP yet.

Here is my situation: I need to set up a second ISP on the firewall. I've configured the interface, the security policy, and NAT for it. If the primary connection fails, I need it to fail over to the secondary. I have set up a PBF that forwards all traffic to the primary ISP interface. I configured it to use the default monitor profile, and used the ISP's public DNS server as the monitor IP. (Is this the best approach?) It's configured to disable if it can't reach that IP. So if that rule is disabled, it should use the default route for the secondary ISP in the virtual router. This seems to work (at least on another firewall with a similar config that has been tested and confirmed working). The question is, how do I make everything fail back to the primary once it comes back up? Sound good? Good!

I also need the IPSec VPN tunnels to do the same thing. I want the VPN tunnels to fail over too if the primary ISP goes down. I have tunnel monitoring configured on both tunnels. I also have two PBF rules set up. The primary rule routes traffic over the primary ISP and is set to "fail-over" if the target monitoring IP can't be reached. (I configured the tunnel interfaces to have IPs on the same subnet, and each tunnel uses a separate subnet.) The second PBF rule will route traffic over the second tunnel interface, which will route over the backup ISP. Again, how do I make everything fail back over to the primary gateway once the ISP comes back online?

I've done this by reading through various documents on this site.

For example: 

pbf_rules.png

The rule "2 Corp via UCom" (currently disabled) will be the rule needed to route through the primary ISP over the primary VPN tunnel. If it's disabled due to the target IP being unavailable, I need "2 Corp via ADC" (the very next one) to start routing. How do I configure this rule to fail back over to the first one when the primary ISP and VPN come back online? Will the VPN tunnels come back online themselves as well once their respective ISPs come back up? What's the best way to configure this? Are you confused yet? I am.

Also, for the VPN tunnels, with "fail-over" enabled for tunnel monitoring that just means it will try to find a different route out of the network, be it PBF or static route, correct? It won't just wait like the default is configured to do?

I hope this made sense. If not please reach out and slap me in the face.

Thanks!
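Added example, not from the original post or from the document linked in the reply: a PAN-OS CLI rendering of the two setups described above, namely one PBF rule for general Internet traffic that is disabled when the ISP's resolver stops answering (so the virtual router's default route over the second ISP takes over), and a pair of PBF rules for the Corp traffic, primary tunnel first, backup tunnel second. Interface names, zone names, rule names and the RFC 5737 documentation addresses are placeholders I chose; the command syntax is reproduced from memory of the PAN-OS CLI and should be checked against the configuration guide for the running version before committing.

```text
# --- Monitor profile shared by PBF rules and tunnel monitoring (placeholder name) ---
# "fail-over" withdraws the path (PBF rule disabled / tunnel interface marked down)
# after <threshold> missed probes sent every <interval> seconds, so traffic follows
# the next matching PBF rule or the virtual-router routes; "wait-recover" would
# keep the path and simply wait for the probes to answer again.
set network profiles monitor-profile pbf-failover action fail-over interval 3 threshold 5

# --- Internet traffic: prefer ISP1 (ethernet1/1), probe the ISP's resolver ---
# 203.0.113.1 = ISP1 gateway, 203.0.113.53 = ISP1 public DNS server (placeholders)
set rulebase pbf rules "Out via ISP1" from zone trust
set rulebase pbf rules "Out via ISP1" source any
set rulebase pbf rules "Out via ISP1" destination any
set rulebase pbf rules "Out via ISP1" application any
set rulebase pbf rules "Out via ISP1" service any
set rulebase pbf rules "Out via ISP1" action forward egress-interface ethernet1/1
set rulebase pbf rules "Out via ISP1" action forward nexthop ip-address 203.0.113.1
set rulebase pbf rules "Out via ISP1" action forward monitor profile pbf-failover
set rulebase pbf rules "Out via ISP1" action forward monitor ip-address 203.0.113.53
set rulebase pbf rules "Out via ISP1" action forward monitor disable-if-unreachable yes

# Virtual router: the default route points at ISP2 (ethernet1/2, 198.51.100.1).
# While the PBF rule above is active it wins; while it is disabled, this route
# carries the traffic.  No second PBF rule is needed for Internet traffic.
set network virtual-router default routing-table ip static-route ISP2-default destination 0.0.0.0/0 interface ethernet1/2 nexthop ip-address 198.51.100.1 metric 10

# --- Corp traffic: primary tunnel over ISP1, backup tunnel over ISP2 ---
# 10.1.0.0/16 = Corp network, tunnel.1/tunnel.2 = tunnel interfaces,
# 10.255.0.1 / 10.255.0.2 = monitor targets on the far side of each tunnel (placeholders)
set rulebase pbf rules "2 Corp via UCom" from zone trust
set rulebase pbf rules "2 Corp via UCom" source any
set rulebase pbf rules "2 Corp via UCom" destination 10.1.0.0/16
set rulebase pbf rules "2 Corp via UCom" action forward egress-interface tunnel.1
set rulebase pbf rules "2 Corp via UCom" action forward monitor profile pbf-failover
set rulebase pbf rules "2 Corp via UCom" action forward monitor ip-address 10.255.0.1
set rulebase pbf rules "2 Corp via UCom" action forward monitor disable-if-unreachable yes

# Same match, next rule in order: only consulted when the rule above is disabled
set rulebase pbf rules "2 Corp via ADC" from zone trust
set rulebase pbf rules "2 Corp via ADC" source any
set rulebase pbf rules "2 Corp via ADC" destination 10.1.0.0/16
set rulebase pbf rules "2 Corp via ADC" action forward egress-interface tunnel.2
set rulebase pbf rules "2 Corp via ADC" action forward monitor profile pbf-failover
set rulebase pbf rules "2 Corp via ADC" action forward monitor ip-address 10.255.0.2
set rulebase pbf rules "2 Corp via ADC" action forward monitor disable-if-unreachable yes

# Tunnel monitoring on the IPsec tunnels themselves (keyword names assumed; verify)
set network tunnel ipsec Corp-UCom tunnel-monitor enable yes destination-ip 10.255.0.1 tunnel-monitor-profile pbf-failover
set network tunnel ipsec Corp-ADC  tunnel-monitor enable yes destination-ip 10.255.0.2 tunnel-monitor-profile pbf-failover

# --- Checks after commit: rule state, probe status, and which path a flow takes ---
show pbf rule all
show vpn flow
test pbf-policy from trust to untrust source 10.0.0.10 destination 10.1.0.10 protocol 6 destination-port 443
```

On the failback question: a PBF rule with "disable if unreachable" set is re-enabled by the firewall on its own once the monitored address answers again, so no separate rule is needed for the return to the primary; what you will see is that only new sessions pick the re-enabled path, while sessions that were built during the outage stay on the route they started on until they end (clear them if you need an immediate return). The same applies to the tunnel rules: when ISP1 comes back, IKE renegotiates, the tunnel monitor probe succeeds again, and "2 Corp via UCom" comes back ahead of "2 Corp via ADC" in the rule order. Two things to double-check in the linked document for your version: that the monitor profile action is "fail-over" rather than "wait-recover" wherever you want the path withdrawn, and, if return traffic for inbound NAT must leave the interface it arrived on, whether to enable symmetric return on the Internet rule.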

L7 Applicator

Hello Sir,

Just go through the document once: Setup

Hope it will help you.

Thanks

L4 Transporter

Thanks! I missed that one! I'll go over it and see what happens!
