flagshipcredit asked:

Routing Web Traffic with Dual ISP and Firewalls

Good Afternoon All

We have added a 2nd network (on another floor) to our network and added another ISP and firewall for redundancy and to be the primary ISP for this new floor. We have several web apps that are accessible from outside and would like to add a second A record for each that points to this new ISP connection. The web servers will be staying on the original floor, but we need to route traffic that comes through the new ISP over the network to the original DMZ. I got the routing right because I can ping the web server from the new firewall, but packets are being dropped due to ACL. The ACLs are the same on both firewalls, so not sure where the issue is at this point. I am thinking it may be easier to just route the traffic right from the new firewall to the DMZ switch and bypass the need to route through two firewalls, but something tells me that just isn't the right way.

We are using 2 ASA 5510s and 2 Dell PowerConnect 6224s as our gateways for each floor.

Any advice or thoughts?

agonza07 (United States of America) answered:
flagshipcredit:

Thanks for your comments. Is this something we would set up and configure, or is it at the ISP level?
The BGP part?
Configure what? The Active/Active ASA config can be done on your end as long as you administer the firewalls and run a network cable between the floors.

The BGP setup would have to be coordinated with your ISP. The FatPipe solution you can set up on your own.
Got it thanks. I will look into the BGP with our ISPs.

Sorry, one last question: we would still have to do the Active/Active with BGP, right? Sorry for the dumb question; I haven't had to deal with this type of setup before.
I would, but you don't need to. The Active/Active helps out in case one of the ASAs goes out on you. I think the 5510s are single-power-supply models, so if your power supply goes out on one of them the other picks up the load seamlessly.

The only reason I brought up the Active/Active config is because you already have both ASAs. If you wanted to, you can just have one running and keep the other as a spare...
I am using OSPF to redirect traffic if one of them goes down.

Thanks for all your help.
OSPF will work internally, but not externally. However, the browser will try other A records if one fails... this guy has a good write-up on what happens. So I guess you don't really need BGP if all you are serving up is web pages.... but worth considering if you are hosting a large server farm or a website where no form of latency is acceptable.

Yes, most browsers from the last 5-10 years will try the other A records if one fails to respond. This is sometimes called "browser retry" or "client retry" apparently. You'll pretty much only find stuff about it in the context of the various browser exploits which this feature enables against sites not using it (see DNS rebinding and DNS pinning, anti-dns pinning, anti-anti-dns pinning, anti-anti-anti-dns pinning, and so on). Kind of a bad reputation, but it does prove it exists.

Pretty much every browser does indeed receive the full list of A records, and does indeed check others if the one it is using fails. You can expect each client to have a 30-second wait when they first try to access a site when a server is down, until it connects to a working address. The browser will then cache which address is working and continue using that one for future requests unless it also fails; then it will have to search through the list again. So a 30-second wait on the first request, fine thereafter.

But it isn't something you necessarily want to use. It's going to have lots of caveats about browser compatibility, OS compatibility and proxy compatibility; cache-control headers are going to have weird effects on whether it remembers which IPs are down or starts having that 30-second wait on every request; people writing custom clients for your site are going to end up using gethostbyname instead of getaddrinfo and not be able to handle the failover; all sorts of potential problems.

You also can't rely on multiple A records to allow for "master" and "slave" servers, because you'll never know which address a browser is going to pick out of the list. They all need to be just as capable of handling visitors if running, because any one might get traffic if it's up. A browser might think your third server out of the list is the most appealing, maybe it looks the closest, and it will choose that one even though all three are still up.

But if you can live with the limitations and have a reasonably simple HTTP system that you can predict the browser interaction with, it will work.

Oh, you'll also have to deal with a lot of people telling you this doesn't exist (since that was true 15 years ago). But you can try telnetting to an A record with some dead IPs in it and some good ones if you need to prove it (yes, even good old telnet now uses getaddrinfo and handles multiple A records gracefully these days) -- it will print out a nice list of the IPs it's trying until it finally succeeds.
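The client-side behaviour the post above describes (all A records fetched with getaddrinfo, each address tried in turn with a bounded timeout, the working one cached for later requests, and the contrast with a gethostbyname-style client that only ever sees one address) as an added, runnable example. This is not code from the thread or from any browser; the host name "webapp.example", the two loopback "A records" and the ports are constructed for the demo, and the dead address is simulated by a loopback port that is bound but never listened on, so a connect to it is refused immediately instead of waiting out the 30-second OS timeout the post mentions.

```python
"""Client-side failover across multiple A records (added example, not from
the thread). Resolve every address behind a name, try each with a bounded
per-address connect timeout, and remember the one that worked."""
import socket
import threading
import time

# Last address that worked for each (host, port), mirroring the browser
# behaviour described in the thread: probe once, then reuse the winner.
_working_addr = {}


def resolve_all(host, port):
    """Return every (family, sockaddr) behind host, i.e. all A/AAAA records.

    This is the getaddrinfo() path. gethostbyname() returns one IPv4 string
    and drops the rest, which is why clients built on it cannot fail over.
    """
    seen, out = set(), []
    for family, _t, _p, _c, sockaddr in socket.getaddrinfo(
            host, port, type=socket.SOCK_STREAM):
        if sockaddr not in seen:
            seen.add(sockaddr)
            out.append((family, sockaddr))
    return out


def connect_with_failover(host, port, candidates, timeout=2.0):
    """Try each candidate until one accepts the TCP connection.

    Returns (socket, sockaddr, attempts); attempts lists (sockaddr, outcome,
    seconds) for every address touched so the cost of a dead address is
    visible. A previously working address for this host is tried first.
    """
    key = (host, port)
    order = list(candidates)
    cached = _working_addr.get(key)
    if cached is not None:
        order.sort(key=lambda c: c[1] != cached)  # stable sort: winner first
    attempts = []
    for family, sockaddr in order:
        s = socket.socket(family, socket.SOCK_STREAM)
        s.settimeout(timeout)  # a dead IP costs at most this, not the OS default
        t0 = time.monotonic()
        try:
            s.connect(sockaddr)
        except OSError:
            s.close()
            attempts.append((sockaddr, "fail", round(time.monotonic() - t0, 3)))
            continue
        attempts.append((sockaddr, "ok", round(time.monotonic() - t0, 3)))
        _working_addr[key] = sockaddr
        s.settimeout(None)
        return s, sockaddr, attempts
    raise OSError("no reachable address for %s:%d after %r" % (host, port, attempts))


def demo():
    """Constructed scenario: the first 'A record' is dead, the second alive.

    Both are loopback. The dead one is a port we bind without listening, so
    a connect is refused; the live one is a listener started here. Returns
    the attempt lists of two successive connections to show the caching.
    """
    dead = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    dead.bind(("127.0.0.1", 0))            # owned but never listen()ed on
    live = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    live.bind(("127.0.0.1", 0))
    live.listen(5)
    dead_addr = dead.getsockname()
    live_addr = live.getsockname()

    def serve(n):
        for _ in range(n):
            conn, _ = live.accept()
            conn.close()
    t = threading.Thread(target=serve, args=(2,), daemon=True)
    t.start()

    # Order the candidates the way an unlucky resolver might: dead one first.
    candidates = [(socket.AF_INET, dead_addr), (socket.AF_INET, live_addr)]
    host, port = "webapp.example", 443      # constructed cache key only
    _working_addr.pop((host, port), None)
    s1, first_pick, first = connect_with_failover(host, port, candidates, 1.0)
    s1.close()
    s2, second_pick, second = connect_with_failover(host, port, candidates, 1.0)
    s2.close()
    t.join(2)
    dead.close()
    live.close()
    return {"first": first, "second": second, "first_pick": first_pick,
            "second_pick": second_pick, "live": live_addr}


if __name__ == "__main__":
    for name, val in demo().items():
        print(name, val)
```

Run it and the first connection shows one refused attempt followed by a successful one; the second connection goes straight to the cached address and makes a single attempt. Replace the constructed candidate list with `resolve_all("your.host", 443)` to see the same loop walk real A records, and note that a dead address that silently drops SYNs (rather than refusing) costs the full `timeout` each time the cache is cold.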
I guess that would still leave us with the issue of traffic going back out the right path?
If you put both ISPs into one firewall (including Active/Active config) and follow that Dual ISP wiki from Cisco you'll be set. The firewall will respond out the correct link.
What if they are separate subnets?
They should be separate subnets, and yeah, it'll work. Check out the wiki doc; it explains it all there.
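The single-firewall, dual-ISP layout recommended above, as an added configuration example that is not from the thread, from the Cisco wiki it refers to, or from the poster's own ASAs. It assumes ASA 8.3 or later (object NAT syntax), documentation addresses standing in for the two ISP blocks (203.0.113.0/24 and 198.51.100.0/24) and the DMZ (172.16.10.0/24), and a single web server at 172.16.10.10; all of those values are placeholders to be replaced with the real ones. The same ACL is applied on both edge interfaces, which is the "same ACLs on both firewalls" intent from the question, now on one box.

```cisco
! Added example, not the page's own config. Placeholder addressing:
!   ISP1 (primary) 203.0.113.0/24, ISP2 (backup) 198.51.100.0/24,
!   DMZ 172.16.10.0/24, web server 172.16.10.10.
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
!
interface Ethernet0/1
 nameif backup
 security-level 0
 ip address 198.51.100.2 255.255.255.0
!
interface Ethernet0/2
 nameif dmz
 security-level 50
 ip address 172.16.10.1 255.255.255.0
!
! Probe ISP1's next hop so the primary default route is withdrawn when the
! link is dead upstream, not only when the physical interface goes down.
sla monitor 10
 type echo protocol ipIcmpEcho 203.0.113.1 interface outside
 num-packets 3
 frequency 10
sla monitor schedule 10 life forever start-time now
track 1 rtr 10 reachability
!
! Primary default route is tied to the tracker; the backup has a worse
! metric and is only used for new outbound connections when track 1 is down.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1 track 1
route backup 0.0.0.0 0.0.0.0 198.51.100.1 254
!
! One public address per ISP for the same DMZ server; each DNS A record
! points at one of them. An object can carry only one nat statement, so the
! same host is defined twice.
object network web-srv
 host 172.16.10.10
object network web-srv-isp1
 host 172.16.10.10
 nat (dmz,outside) static 203.0.113.10
object network web-srv-isp2
 host 172.16.10.10
 nat (dmz,backup) static 198.51.100.10
!
! 8.3+: inbound ACLs match the real (untranslated) address. Apply the same
! policy on both edges so neither ISP path is looser than the other.
access-list outside_in extended permit tcp any object web-srv eq 443
access-list backup_in extended permit tcp any object web-srv eq 443
access-group outside_in in interface outside
access-group backup_in in interface backup
```

Replies for an inbound connection leave through the interface the connection arrived on, because the ASA looks up the route only for the first packet of a flow and then uses the connection entry; that is what "the firewall will respond out the correct link" relies on. The route table and the tracker only decide which ISP new outbound connections use. Verify with `show track 1`, `show route`, and `show conn address 172.16.10.10` while a client connects to each public address in turn; if the backup ISP's probe target or next hop differs from the placeholder, change the `sla monitor` target to something that is actually reachable only through ISP1.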