Dead Gateway Detection – AKA Backup or Redundant ISP Service

Posted on June 18, 2012

2



Dead Gateway Detection is feature like the backup or reduntant ISP service.
In case we have 2 ISP connections to internet – a backup line with smaller bandwith and another used normally – we can use one as a backup internet connection.

The topology:

1.1.1.0/24
|
|
Firewall
| |
| 2.2.2.0/24
| |
| DFGW1 2.2.2.254
| |
| 8.8.8.8
|
3.3.3.0/24
|
DFGW2 3.3.3.254
|
9.9.9.9

– Server or Host used for destination to ping on
port1: 8.8.8.8
port2: 9.9.9.9
– Default gateway on
port1: 2.2.2.254
port2: 3.3.3.254
– Interface IP on
port1: 2.2.2.1
port2: 3.3.3.1
port3: 1.1.1.1

1. PING Server configuration.

firewall (root) # show full-configuration router gwdetect
config router gwdetect
    edit "port1"
        set failtime 5
        set ha-priority 1
        set interval 5
        set protocol ping
            set server "8.8.8.8"
        set source-ip 0.0.0.0
    next
    edit "port2"
        set failtime 5
        set ha-priority 1
        set interval 5
        set protocol ping
            set server "9.9.9.9"
        set source-ip 0.0.0.0
    next
end

2. Default routes with different priority. The smallest priority will be used.

firewall (root) # show full-configuration router static
config router static
    edit 1
        set blackhole disable
        set comment ''
        set device "port1"
        set distance 10
        set dst 0.0.0.0 0.0.0.0
        set dynamic-gateway disable
        set gateway 2.2.2.254
        set priority 0
        set weight 0
    next
    edit 2
        set blackhole disable
        set comment ''
        set device "port2"
        set distance 10
        set dst 0.0.0.0 0.0.0.0
        set dynamic-gateway disable
        set gateway 3.3.3.254
        set priority 100
        set weight 0
    next
end

3. Interface configuration.

firewall (root) # show sys interface port1
config system interface
    edit "port1"
        set vdom "root"
        set ip 2.2.2.1 255.255.255.0
        set allowaccess ping https ssh fgfm
        set fail-detect enable
        set fail-detect-option detectserver
        set type physical
        set spillover-threshold 1
        set alias "external1"
        set macaddr 00:0c:29:00:7c:76
    next
end

firewall (root) # show sys interface port2
config system interface
    edit "port2"
        set vdom "root"
        set ip 3.3.3.1 255.255.255.0
        set allowaccess https ssh fgfm
        set fail-detect enable
        set fail-detect-option detectserver
        set type physical
        set alias "external2"
        set macaddr 00:0c:29:00:7c:80
    next
end

Lets test it, how it works.

Set the Ping server configured on Port1 down (8.8.8.8)

firewall (root) # get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default

S*      0.0.0.0/0 [10/0] via 3.3.3.254, port2, [100/0]
C       1.1.1.0/24 is directly connected, port3
C       2.2.2.0/24 is directly connected, port1
C       3.3.3.0/24 is directly connected, port2

We will see that the default route goes on port2.

Set the Ping server configured on port1 up.

firewall (root) # get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default

S*      0.0.0.0/0 [10/0] via 2.2.2.254, port1
                  [10/0] via 3.3.3.254, port2, [100/0]
C       1.1.1.0/24 is directly connected, port3
C       2.2.2.0/24 is directly connected, port1
C       3.3.3.0/24 is directly connected, port2

The default route is on port1 again. The question that I cannot answer now:

– If the second default route is on a different interface and the currently used ISP line goes down (the ping host is not pingable anymore), then what happens with the active sessions? With Cisco ASA the sessions cannot survive if the default gateway is on another interface, with Checkpoint it works fine. What is with Fortigate in this case? Is the interface in the session table or not?

Advertisements