Solved

Failover routing not working as expected

Posted on 2009-07-15
446 Views
Last Modified: 2012-05-07
Hi,

I am trying to configure failover routing for my outgoing Internet and email and have a scenario I would like the experts to consider... please see the attached diagram.

- The router is a L3 Cisco 3560G switch
- The firewall is a Linux firewall running iptables
- We will configure a script to ping our Internet gateway's default gateway to determine if our Internet is up or down
- Once the script realises our Internet is down it will switch our default gateway to 10.10.40.1, which is the Firewall at Site B, instead of using 81.150.xxx.xxx (the normal gateway at Site A)

- The black dotted line is the traffic path under normal operations
- The red dotted line is the failover path the traffic needs to take

You will see from the diagram that the traffic will need to go into the firewall, and then in a failover situation, be required to come back out the same interface it came in on. We tried switching the gateways yesterday but it wasn't successful, so I'm trying to understand the way the packets are handled by the layer-3 switch at 172.16.15.254; if an expert can take a look and advise please.

1. Packet from Site A LAN goes to Squid web scanning server at 172.16.0.13, src 172.16.1.135 / dst 6.6.6.6 (example IP to keep it simple)
2. Packet leaves the web scanner, which sends it to its gateway at 172.16.15.254, src 172.16.0.13 / dst 6.6.6.6 ------ Are the packet's source and dest addresses correct here?
3. Packet arrives at the gateway (172.16.15.254), which checks its routing table for 6.6.6.6, has no entry, so sends the packet to its gateway at 10.10.20.1, the Linux firewall.
4. Under normal operations the firewall checks the routing table for 6.6.6.6, doesn't have an entry, so sends the packet to its gateway, the BT Draytec router, and so on......... this is fine

In a failover situation... I'll start at point 3 above:
3. Packet arrives at the gateway (172.16.15.254), which checks its routing table for 6.6.6.6, has no entry, so sends the packet to its gateway at 10.10.20.1, the Linux firewall.
4. The firewall checks the routing table for 6.6.6.6, doesn't have an entry, so sends the packet to the failover gateway of 10.10.40.1, the firewall at Site B
5. 10.10.40.1 is in the routing table of the firewall, so it sends the packet back to the Layer-3 switch at 172.16.15.254 (packet src is still 172.15.1.135 / dst 6.6.6.6... is this correct?)
6. Now I think the problems may start: the layer-3 switch reads the packet's destination network and sees 6.6.6.6, so is sending it back to the firewall, which sends it to the Layer-3 switch... and so on in a loop until the TTL expires.

My questions are these:
----------------------------
1. Are the above operations correct?
2. Is the failover gateway correct or should another be chosen?
3. Is my interpretation of the packet path correct?
4. What is the best way to troubleshoot?

I thought this would be fairly straightforward so hopefully I am close to the solution.

Thanks a lot,

Ally
Attachment: EE.JPG
0
Question by:ally0000
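The packet walk in the question can be checked by simulating the routing tables involved. The block below is an added example, not code from the thread: it builds the Site A / Site B topology as described (L3 switch at 172.16.15.254 defaulting to firewall A at 10.10.20.1, firewall A reaching 10.10.40.1 only via the L3 switch, the L3 switch reaching 10.10.40.0/24 over the wireless link) and walks a packet for 6.6.6.6 through it. Device names such as `wireless_link`, `adsl_a` and `adsl_b`, and the assumption that the L3 switch has a static route for 10.10.40.0/24 via the wireless link, are constructed for the example. It shows the normal path, the loop that appears when only the firewall's default gateway is switched (step 6 in the question), and the path once the L3 switch's default gateway is switched as well.

```python
"""Routing-loop simulation of the thread's packet walk (added example).
Topology and device names are constructed from the thread's description;
'wireless_link', 'adsl_a', 'adsl_b' and 'lan_a' are assumed labels."""
from ipaddress import ip_address, ip_network

# Sinks: points where a packet leaves the modelled network.
SINKS = {"adsl_a", "adsl_b", "lan_a"}


class Route:
    """One table entry: a prefix plus either a directly attached neighbour
    (device name) or a gateway IP that must itself be looked up."""
    def __init__(self, prefix, neighbour=None, gateway=None):
        self.prefix = ip_network(prefix)
        self.neighbour = neighbour
        self.gateway = gateway


class Device:
    def __init__(self, name, routes):
        self.name = name
        self.routes = list(routes)

    def lookup(self, dst):
        """Longest-prefix match; returns the matching Route or None."""
        dst = ip_address(dst)
        matches = [r for r in self.routes if dst in r.prefix]
        return max(matches, key=lambda r: r.prefix.prefixlen, default=None)

    def next_hop(self, dst, depth=0):
        """Resolve the neighbour a packet for dst is handed to, following a
        gateway IP through the table (recursive lookup, as a kernel does)."""
        route = self.lookup(dst)
        if route is None or depth > 2:
            return None
        if route.neighbour:
            return route.neighbour
        return self.next_hop(route.gateway, depth + 1)

    def set_default(self, neighbour=None, gateway=None):
        """Replace the 0.0.0.0/0 entry, as the failover script would."""
        self.routes = [r for r in self.routes if r.prefix.prefixlen != 0]
        self.routes.append(Route("0.0.0.0/0", neighbour, gateway))


def build_topology():
    l3sw_a = Device("l3sw_a", [                            # 172.16.15.254
        Route("172.16.0.0/16", neighbour="lan_a"),
        Route("10.10.20.0/24", neighbour="fw_a"),
        Route("10.10.40.0/24", neighbour="wireless_link"),  # assumed static via the wireless link
        Route("0.0.0.0/0", gateway="10.10.20.1"),           # normal default: firewall A
    ])
    fw_a = Device("fw_a", [                                # 10.10.20.1
        Route("10.10.20.0/24", neighbour="l3sw_a"),
        Route("10.10.40.0/24", neighbour="l3sw_a"),         # site B is only reachable back via the switch
        Route("0.0.0.0/0", neighbour="adsl_a"),             # normal default: the ADSL router
    ])
    wireless_link = Device("wireless_link", [
        Route("10.10.40.0/24", neighbour="fw_b"),
        Route("0.0.0.0/0", neighbour="fw_b"),               # wireless routers default to firewall B
    ])
    fw_b = Device("fw_b", [Route("0.0.0.0/0", neighbour="adsl_b")])
    return {d.name: d for d in (l3sw_a, fw_a, wireless_link, fw_b)}


def forward(devices, start, dst, ttl=64):
    """Walk one packet hop by hop; returns (outcome, path)."""
    path = [start]
    current = start
    while ttl > 0:
        if current in SINKS:
            return ("delivered", path)
        nxt = devices[current].next_hop(dst)
        if nxt is None:
            return ("no route", path)
        ttl -= 1
        path.append(nxt)
        current = nxt
    return ("ttl expired", path)


def scenario(name):
    """'normal', 'fw_only' (only FW A's default switched) or 'both'
    (FW A and the L3 switch switched, marmata75's option 2)."""
    devices = build_topology()
    if name in ("fw_only", "both"):
        devices["fw_a"].set_default(gateway="10.10.40.1")
    if name == "both":
        devices["l3sw_a"].set_default(gateway="10.10.40.1")
    return forward(devices, "l3sw_a", "6.6.6.6")


if __name__ == "__main__":
    for name in ("normal", "fw_only", "both"):
        outcome, path = scenario(name)
        shown = " -> ".join(path[:6]) + (" ..." if len(path) > 6 else "")
        print(f"{name:8s} {outcome:12s} {shown}")
```

Running it shows `fw_only` bouncing between `l3sw_a` and `fw_a` until the TTL of 64 is exhausted, which is exactly the loop the question suspects. Note that in the `both` scenario LAN traffic no longer passes through firewall A at all, which matters for the mail scanner requirement raised later in the thread.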
12 Comments
 

Author Comment

by:ally0000
ID: 24857741
spotted a mistake in the failover routing part

5. Packet source should be 172.15.0.13 / Dst 6.6.6.6...is this correct?)
0
 
LVL 12

Assisted Solution

by:Faruk Onder Yerli
Faruk Onder Yerli earned 150 total points
ID: 24857787
If you need to use the Site A Linux firewall, you must open a tunnel between the two Linux servers. Traffic has to flow inside the tunnel for redundancy.

If you don't use the Linux server in Site A, you have to use "ip sla" configuration on the Site A 3560 and it will change the route automatically to Site B.

But the most preferable configuration here is to use OSPF between all equipment; routes are adjusted on all network equipment at failover time.
0
 

Author Comment

by:ally0000
ID: 24857889
Not sure that is viable. Are you talking about a VPN tunnel between the firewalls? If so then that isn't going to happen.... I can surely route in the way I want?

Any other ideas?

Thanks

Ally
0
 

Author Comment

by:ally0000
ID: 24857955
Hi,

Sorry if my earlier post seemed a little abrupt. I have investigated the IP SLA command and have found this link

http://www.experts-exchange.com/articles/Hardware/Networking_Hardware/Routers/Cisco-IP-SLA-for-failover.html

This may do exactly what I need.

Thanks for your help. If you have any other ideas I am very open to them

Ally
0
 
LVL 34

Expert Comment

by:Istvan Kalmar
ID: 24858064
Hi,

Why don't you use ip sla??
It is simpler than making a script!

Please read the following:

http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_40_se/configuration/guide/swipsla.html

Best regards,
Istvan
0
 
LVL 12

Expert Comment

by:Faruk Onder Yerli
ID: 24858320
If you will not use a dynamic routing protocol between routers, IP SLA is the best solution for you.

You're welcome ...
0

 

Author Comment

by:ally0000
ID: 24858708
Hi,

Can I take this back to basics, as we need the traffic to get to the firewall; the reason for this is that the mail scanner sits there and adds the legal signature to all the outgoing emails.

Equalizer - When you talk about tunnels, are you talking about a VPN between the Linux firewalls? If so, what will that do for me? I am open to using dynamic routing protocols; can you please discuss this in a little more depth.

What I might be able to do is to use the firewall script to change the firewall gateway and also use the IP SLA command to change the router's gateway. This way the traffic should be allowed over to site B.

What do you think about that?

Thanks

Ally
0
 
LVL 7

Accepted Solution

by:marmata75
marmata75 earned 300 total points
ID: 24863774
Hi Ally,

your analysis seems fine! Looks like there are some other requirements you didn't have last time we talked about this!
Basically, since now you've more L3 devices to deal with, you have some options to follow:
- Use a routing protocol on every L3 device, so that everyone will know where the default gateway is
or
- Make the script on the firewall change the default gateway on both the Firewall A and the L3 switch in site A.
or
- Build a tunnel between Firewall A and Firewall B; it can be a simple GRE tunnel, no need for a full-blown VPN

Since you've the script ready, you may want to try the second option, which requires the small modification of changing the default GW on the L3 switch A too. During failover, the default GW of L3 switch in site A will be the Firewall B. Of course L3 switch A will have a static route to that firewall via the Wireless link, the wireless routers will have statics so they know how to reach Firewall B, the L3 switch B will know how to route to the FW B etc. You could even use the script on FW A, and IP SLA on L3 switch A. This will have to be carefully thought through, but it's doable!

If you want to go the OSPF route, you need firewall A and firewall B to both announce the default gateway to the other L3 switches. By using the appropriate metric, you'll make the L3 switches use the default gateway that's in their own site, in normal conditions. When ADSL A fails, you'll stop announcing the default on Firewall A (that's always via a script), and L3 switch A will automatically fail over the default gateway to Firewall B.
This is just a rough guide; I hope it makes sense to you. We can work out the details later, once you decide which route to go!

Cheers,
]\/[arco
0
 

Author Comment

by:ally0000
ID: 24863891
Marco,

Thanks so much for the reply. I think option 2 is the way for me to go, but I'm not sure exactly what you mean when you said "You could even use the script on FW a, and IPsla on l3 switch a. This will have to be carefully thought, but it's doable!". I am not a Linux/Unix guy at all so don't even want to go there with the VPNs or OSPF.

Are you saying that the best way is to manually change the gateway on L3 switch A to allow it to failover? I was looking at IP SLA today as I hadn't seen that before and it looks fairly straightforward. If the script can change the FW gateway and IP SLA can change the L3 SW gateway then I'm in business... it scares me a little when you say that I have to carefully think about that but that it's doable.

Thanks again

Ally
0
 
LVL 7

Expert Comment

by:marmata75
ID: 24864126
Hi Ally,

don't be scared, I was just implying that using IP SLA the most obvious way (checking the same addresses you're checking with FW A) might not be the best one. It's better if the failover is started by a single entity (the firewall in this case) and not by two entities, by two independent scripts (the script on FW A, and the IP SLA on L3 SW A).
I'd follow a simple approach. On FW A, create a secondary IP address on the interface facing L3 SW A. Be it 10.255.255.254. Put a static on L3 SW A to reach this IP via FW A. Make L3 SW A track this IP for availability. When this IP is no longer reachable, switch the gateway.
In the script on FW A, when the DSL is detected as broken, change the default gateway AND delete the secondary IP address. This won't be pingable anymore by L3 SW A, which in turn will switch its default gateway too. You're now with a single script changing the default gateways on both FW A and L3 SW A consistently.
If I remember well, the wireless router A has the default pointing at FW B, and so does the wireless router B, since you don't need the failover to work the other way round, right? So there's nothing else to touch.
Let me know if it's clear; it should be pretty straightforward now!

Cheers,
]\/[arco
0
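The single-script design described in the comment above (FW A moves its default gateway and withdraws the secondary "signal" address 10.255.255.254; the L3 switch tracks that address with IP SLA and flips its own default route) can be written as a small controller on the Linux firewall. The block below is an added example, not the thread's script or anything posted by marmata75. It assumes an inside interface named `eth1`, placeholder addresses `81.150.0.1` for the ADSL router and `81.150.0.254` for the ISP gateway that the script pings, and iproute2's `ip` command. It pins a host route for the probe target via the ADSL router before anything else, because once the default route points at firewall B the probe would otherwise be sent out via site B and could never detect recovery, and it debounces both transitions so a single lost ping does not flap the gateways. The matching switch-side configuration is sketched in the docstring and is illustrative only; check the `ip sla`/`track` keywords against the IOS release on the 3560 (older releases use `rtr` in the track line).

```python
#!/usr/bin/env python3
"""Firewall A failover controller following the single-script design in
the thread (added example, not the thread's own script).  Assumptions not
taken from the thread: inside interface eth1, ADSL router placeholder
81.150.0.1, probe target placeholder 81.150.0.254, iproute2 'ip' present.

Illustrative switch side (verify keywords for your IOS release; older
releases use 'track 1 rtr 1 reachability'):

    ip sla 1
     icmp-echo 10.255.255.254
     frequency 10
    ip sla schedule 1 life forever start-time now
    track 1 ip sla 1 reachability
    ip route 10.255.255.254 255.255.255.255 10.10.20.1
    ip route 0.0.0.0 0.0.0.0 10.10.20.1 track 1
    ip route 0.0.0.0 0.0.0.0 10.10.40.1 10
"""
import subprocess
import time

PRIMARY_GW = "81.150.0.1"        # placeholder for the ADSL router (81.150.xxx.xxx in the thread)
FAILOVER_GW = "10.10.40.1"       # firewall B, from the thread
PROBE_TARGET = "81.150.0.254"    # placeholder for the ISP gateway the script pings
SIGNAL_IP = "10.255.255.254/32"  # secondary address from marmata75's post
INSIDE_IF = "eth1"               # assumed interface facing the L3 switch
FAIL_THRESHOLD = 3               # consecutive failed probes before failing over
RECOVER_THRESHOLD = 2            # consecutive good probes before failing back


def probe(target, run=subprocess.run):
    """True if target answers ICMP echo (3 probes, 2 s timeout each)."""
    result = run(["ping", "-c", "3", "-W", "2", target],
                 stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return result.returncode == 0


def setup_commands():
    """Run once at start: pin the probe target to the ADSL side so the probe
    keeps testing ADSL A after the default route has moved, and bring up
    the signal address that the switch tracks."""
    return [
        ["ip", "route", "replace", PROBE_TARGET + "/32", "via", PRIMARY_GW],
        ["ip", "addr", "replace", SIGNAL_IP, "dev", INSIDE_IF],
    ]


def failover_commands():
    """'Internet down': default via firewall B, then withdraw the signal
    address so the switch's IP SLA probe fails and its tracked static
    route gives way to the floating one via 10.10.40.1."""
    return [
        ["ip", "route", "replace", "default", "via", FAILOVER_GW],
        ["ip", "addr", "del", SIGNAL_IP, "dev", INSIDE_IF],
    ]


def restore_commands():
    """'Internet back': the same steps in reverse order."""
    return [
        ["ip", "addr", "add", SIGNAL_IP, "dev", INSIDE_IF],
        ["ip", "route", "replace", "default", "via", PRIMARY_GW],
    ]


class Controller:
    """Debounced two-state machine ('primary' / 'failover').  A runner other
    than subprocess.run can be injected for dry runs and tests."""

    def __init__(self, runner=subprocess.run):
        self.state = "primary"
        self.failures = 0
        self.successes = 0
        self.runner = runner
        self.executed = []      # every command handed to the runner

    def apply(self, commands):
        for cmd in commands:
            self.executed.append(cmd)
            self.runner(cmd, check=True)

    def step(self, probe_ok):
        """Feed one probe result; returns the state after any transition."""
        if probe_ok:
            self.successes += 1
            self.failures = 0
        else:
            self.failures += 1
            self.successes = 0
        if self.state == "primary" and self.failures >= FAIL_THRESHOLD:
            self.apply(failover_commands())
            self.state = "failover"
        elif self.state == "failover" and self.successes >= RECOVER_THRESHOLD:
            self.apply(restore_commands())
            self.state = "primary"
        return self.state


def main(interval=10):
    ctl = Controller()
    ctl.apply(setup_commands())
    while True:
        state = ctl.step(probe(PROBE_TARGET))
        print(time.strftime("%H:%M:%S"), "state:", state)
        time.sleep(interval)


if __name__ == "__main__":
    main()
```

Because the switch only watches 10.255.255.254, the order inside `failover_commands` matters: the firewall's own default route is moved first, so by the time the switch's tracked route drops and LAN traffic is redirected, firewall A is no longer pointing at the dead ADSL line. A practical check after deploying is to pull the ADSL cable and watch `ip route` on the firewall and `show ip route` / `show track` on the switch change within a few probe intervals.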
 

Author Comment

by:ally0000
ID: 24864172
Nice answer, I like it, I'll try that tomorrow.... thanks again for everything. Totally understand your logic

Ally
0
 
LVL 16

Assisted Solution

by:Aaron Street
Aaron Street earned 50 total points
ID: 24867503
Yep, I would agree with IP SLA.

Could you also not just run HSRP on the 3560 switches?

Have Switch A primary for site A and Switch B primary for site B.

Run IP SLA to track if the links are up and, if not, use a Track to cause HSRP to fail over.

One thing: traffic would then not go through the firewall on site A but use the one on site B. Traffic would hit the 172.16.15.254 address (now held by Switch B).

Is this a problem?

But it's nice and simple to set up?
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Introduction This article explores the design of a cache system that can improve the performance of a web site or web application.  The assumption is that the web site has many more “read” operations than “write” operations (this is commonly the ca…
AWS has developed and created its highly available global infrastructure allowing users to deploy and manage their estates all across the world through the use of the following geographical components   RegionsAvailability ZonesEdge Locations  Wh…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

911 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

19 Experts available now in Live!

Get 1:1 Help Now