Solved

Failover routing not working as expected

Posted on 2009-07-15
Last Modified: 2012-05-07
Hi,

I am trying to configure failover routing for my outgoing Internet and email and have a scenario I would like the experts to consider. Please see the attached diagram.

- The router is an L3 Cisco 3560G switch
- The firewall is a Linux firewall running iptables
- We will configure a script to ping our Internet gateway's default gateway to determine if our Internet is up or down
  - Once the script realises our Internet is down it will switch our default gateway to 10.10.40.1, which is the Firewall at Site B, instead of using 81.150.xxx.xxx (the normal gateway at Site A)

- The black dotted line is the traffic path under normal operations
- The red dotted line is the failover path the traffic needs to take

You will see from the diagram that the traffic will need to go into the firewall, and then, in a failover situation, be required to come back out the same interface it came in on. We tried switching the gateways yesterday but it wasn't successful, so I'm trying to understand the way the packets are handled by the layer-3 switch at 172.16.15.254. If an expert can take a look and advise, please.

1. Packet from Site A LAN goes to the Squid web scanning server at 172.16.0.13, src 172.16.1.135 / dst 6.6.6.6 (example IP to keep it simple)
2. Packet leaves the web scanner, which sends it to its gateway at 172.16.15.254, src 172.16.0.13 / dst 6.6.6.6 ------ Are the packet's source and dest addresses correct here?
3. Packet arrives at the gateway (172.16.15.254), which checks its routing tables for 6.6.6.6, has no entry, so sends the packet to its gateway at 10.10.20.1, the Linux firewall.
4. Under normal operations the firewall checks the routing table for 6.6.6.6, doesn't have an entry, so sends the packet to its gateway, the BT Draytek router, and so on. This is fine.

In a failover situation (I'll start at point 3 above):
3. Packet arrives at the gateway (172.16.15.254), which checks its routing tables for 6.6.6.6, has no entry, so sends the packet to its gateway at 10.10.20.1, the Linux firewall.
4. The firewall checks the routing table for 6.6.6.6, doesn't have an entry, so sends the packet to the failover gateway of 10.10.40.1, the firewall at Site B.
5. 10.10.40.1 is in the routing table of the firewall, so it sends the packet back to the layer-3 switch at 172.16.15.254 (packet src is still 172.15.1.135 / dst 6.6.6.6... is this correct?)
6. Now I think the problems may start: the layer-3 switch reads the packet dest network and sees 6.6.6.6, so it sends it back to the firewall, which sends it to the layer-3 switch... and so on in a loop until the TTL expires.

My questions are these:
----------------------------
1. Are the above operations correct?
2. Is the failover gateway correct or should another be chosen?
3. Is my interpretation of the packet path correct?
4. What is the best way to troubleshoot?

I thought this would be fairly straightforward so hopefully I am close to the solution.

Thanks a lot,

Ally
Attachment: EE.JPG
Question by:ally0000
12 Comments

Author Comment

by:ally0000
Spotted a mistake in the failover routing part:

5. Packet source should be 172.15.0.13 / dst 6.6.6.6... is this correct?

Assisted Solution

by:Faruk Onder Yerli
Faruk Onder Yerli earned 150 total points
If you need to use the Site A Linux firewall, you must open a tunnel between the two Linux servers. Traffic has to flow inside the tunnel for redundancy.

If you don't use the Linux server in Site A, you have to use "ip sla" configuration on the Site A 3560 and it will change the route automatically to Site B.

But the most preferable configuration here is to use OSPF between all equipment. Routes are adjusted on all network equipment at fail-over time.

Author Comment

by:ally0000
Not sure that is viable. Are you talking about a VPN tunnel between the firewalls? If so then that isn't going to happen. I can surely route in the way I want?

Any other ideas?

Thanks

Ally

Author Comment

by:ally0000
Hi,

Sorry if my earlier post seemed a little abrupt. I have investigated the IP SLA command and have found this link:

http://www.experts-exchange.com/articles/Hardware/Networking_Hardware/Routers/Cisco-IP-SLA-for-failover.html

This may do exactly what I need.

Thanks for your help. If you have any other ideas I am very open to them.

Ally

Expert Comment

by:Istvan Kalmar
Hi,

Why don't you use IP SLA?
It is simpler than making a script!

Please read the following:

http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_40_se/configuration/guide/swipsla.html

Best regards,
Istvan

Expert Comment

by:Faruk Onder Yerli
If you will not use a dynamic routing protocol between the routers, IP SLA is the best solution for you.

You're welcome...

Author Comment

by:ally0000
Hi,

Can I take this back to basics? We need the traffic to get to the firewall; the reason for this is that the mail scanner sits there and adds the legal signature to all the outgoing emails.

Equalizer - When you talk about tunnels, are you talking about a VPN between the Linux firewalls? If so, what will that do for me? I am open to using dynamic routing protocols; can you please discuss this in a little more depth?

What I might be able to do is to use the firewall script to change the firewall gateway and also use the IP SLA command to change the router's gateway. This way the traffic should be allowed over to Site B.

What do you think about that?

Thanks

Ally

Accepted Solution

by:marmata75
marmata75 earned 300 total points
Hi Ally,

Your analysis seems fine! Looks like there are some other requirements you didn't have last time we talked about this!
Basically, since now you've more L3 devices to deal with, you have some options to follow:
- Use a routing protocol on every L3 device, so that everyone will know where the default gateway is
or
- Make the script on the firewall change the default gateway on both Firewall A and the L3 switch in Site A.
or
- Build a tunnel between Firewall A and Firewall B; it can be a simple GRE tunnel, no need for a full-blown VPN

Since you've got the script ready, you may want to try the second option, which requires the small modification of changing the default GW on L3 switch A too. During failover, the default GW of the L3 switch in Site A will be Firewall B. Of course L3 switch A will have a static route to that firewall via the wireless link, the wireless routers will have statics so they know how to reach Firewall B, the L3 switch B will know how to route to FW B, etc. You could even use the script on FW A, and IP SLA on L3 switch A. This will have to be carefully thought through, but it's doable!

If you want to go the OSPF route, you need Firewall A and Firewall B to both announce the default gateway to the other L3 switches. By using the appropriate metric, you'll make the L3 switches use the default gateway that's in their own site in normal conditions. When ADSL A fails, you'll stop announcing the default on Firewall A (that's always via a script), and L3 switch A will automatically fail over the default gateway to Firewall B.
This is just a rough guide; I hope it makes sense to you. We can work out the details later, once you decide which route to go!

Cheers,
]\/[arco

Author Comment

by:ally0000
Marco,

Thanks so much for the reply. I think option 2 is the way for me to go, but I'm not sure exactly what you mean when you said "You could even use the script on FW a, and IPsla on l3 switch a. This will have to be carefully thought, but it's doable!". I am not a Linux/Unix guy at all, so I don't even want to go there with the VPNs or OSPF.

Are you saying that the best way is to manually change the gateway on L3 switch A to allow it to fail over? I was looking at IP SLA today as I hadn't seen that before, and it looks fairly straightforward. If the script can change the FW gateway and IP SLA can change the L3 SW gateway then I'm in business... it scares me a little when you say that I have to carefully think about that but that it's doable.

Thanks again

Ally

Expert Comment

by:marmata75
Hi Ally,

Don't be scared; I was just implying that using IP SLA the most obvious way (checking the same addresses you're checking with FW A) may not be the best one. It's better if the failover is started by a single entity (the firewall in this case) and not by two entities, i.e. two independent scripts (the script on FW A, and the IP SLA on L3 SW A).
I'd follow a simple approach. On FW A, create a secondary IP address on the interface facing L3 SW A. Let it be 10.255.255.254. Put a static on L3 SW A to reach this IP via FW A. Make L3 SW A track this IP for availability. When this IP is no longer reachable, switch the gateway.
In the script on FW A, when the DSL is detected as broken, change the default gateway AND delete the secondary IP address. This won't be pingable any more by L3 SW A, which in turn will switch its default gateway too. You now have a single script changing the default gateways on both FW A and L3 SW A consistently.
If I remember well, wireless router A has the default pointing at FW B, and so does wireless router B, since you don't need the failover to work the other way round, right? So there's nothing else to touch.
Let me know if it's clear; it should be pretty straightforward now!

Cheers,
]\/[arco
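The single-trigger design Marco describes above, sketched as a POSIX shell script for the firewall: one probe cycle moves FW A's default route and withdraws the secondary address that L3 switch A tracks with IP SLA, so the switch fails over on its own. This is an added example, not Ally's script or anything posted in the thread; the 192.0.2.1 placeholder for the 81.150.xxx.xxx gateway, the interface name eth1, the state file and the split into a plan function (prints commands) and an apply function (runs them) are all assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): firewall-side failover script in the
# shape Marco describes. Withdrawing the tracked secondary address is what
# tells L3 switch A to move its own default route.
PRIMARY_GW="192.0.2.1"            # placeholder for the Site A ADSL gateway
BACKUP_GW="10.10.40.1"            # Firewall B, per the question
TRACK_IP="10.255.255.254/32"      # secondary address L3 switch A probes
LAN_IF="eth1"                     # assumed interface facing L3 switch A
STATE_FILE="${STATE_FILE:-/var/run/wan-failover.state}"

# link_is_up: succeed if the primary gateway answers any of three pings.
link_is_up() {
    ping -c 3 -W 2 "$PRIMARY_GW" >/dev/null 2>&1
}

# plan FROM TO: print the iproute2 commands that move the box from state
# FROM to state TO (states: primary, failover). Nothing is executed here,
# so the plan can be reviewed or tested without root.
plan() {
    from="$1"; to="$2"
    [ "$from" = "$to" ] && return 0
    if [ "$to" = "failover" ]; then
        echo "ip route replace default via $BACKUP_GW"
        echo "ip addr del $TRACK_IP dev $LAN_IF"
    else
        echo "ip addr add $TRACK_IP dev $LAN_IF"
        echo "ip route replace default via $PRIMARY_GW"
    fi
}

# apply FROM TO: run the planned commands, stopping at the first failure.
apply() {
    plan "$1" "$2" | while read -r cmd; do
        echo "wan-failover: $cmd"
        $cmd || exit 1
    done
}

# main: one probe cycle, meant to be run from cron every minute.
main() {
    current=$(cat "$STATE_FILE" 2>/dev/null || echo primary)
    if link_is_up; then target=primary; else target=failover; fi
    apply "$current" "$target" && echo "$target" > "$STATE_FILE"
}

if [ "${1:-}" = "--run" ]; then main; fi
```

The switch-side counterpart is an IP SLA ICMP echo probe against 10.255.255.254 driving a tracked static default route, as described in the Cisco IP SLA guide linked earlier in the thread.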

Author Comment

by:ally0000
Nice answer, I like it. I'll try that tomorrow... thanks again for everything. Totally understand your logic.

Ally

Assisted Solution

by:Aaron Street
Aaron Street earned 50 total points
Yep, I would agree with IP SLA.

Could you also not just run HSRP on the 3560 switches?

Have Switch A primary for Site A and Switch B primary for Site B.

Run IP SLA to track if the links are up and, if not, use a track to cause HSRP to fail over.

One thing: traffic would then not go through the firewall on Site A but use the one on Site B. Traffic would hit the 172.16.15.254 address (now held by Switch B).

Is this a problem?

But it's nice and simple to set up.