Author Topic: route ssg140  (Read 5006 times)

chunkpunk

  • Newbie
  • *
  • Posts: 7
  • Karma: +0/-0
    • View Profile
route ssg140
« on: July 29, 2011, 05:05:27 am »
Hello
I have a question about routes (SSG140, dual ISP)
eth1 - isp1
eth2 - isp2
both in Untrust zone

If the config is
set route 0.0.0.0/0 interface ethernet0/2 gateway ISP1
set route 0.0.0.0/0 interface ethernet0/3 gateway ISP2 10
I can't ping from the Internet to ISP2.
When I change to
set route 0.0.0.0/0 interface ethernet0/2 gateway ISP1
set route 0.0.0.0/0 interface ethernet0/3 gateway ISP2
I can, but it is unstable; the route changes from time to time, ISP1 to ISP2.
What is wrong with my idea?

chunkpunk

Re: route ssg140
« Reply #1 on: August 01, 2011, 06:37:36 am »
No answers :)
For a double default route, the solution is to create 2 separate zones and create double policies :/

muppet

  • Global Moderator
  • Full Member
  • *****
  • Posts: 211
  • Karma: +0/-0
  • I Like Beer
    • View Profile
    • LiCe for EPIC5
Re: route ssg140
« Reply #2 on: August 01, 2011, 03:51:32 pm »
You don't explain what you're actually trying to do here, you just say "What is wrong with my idea" but don't explain your idea!

Two default routes with equal cost won't work. - You get some packets going out one and some out the other - thus the "unstable"

The other option, ISP2 isn't used, all packets will go out ISP1.

What are you actually trying to do?

chunkpunk

Re: route ssg140
« Reply #3 on: August 02, 2011, 02:37:38 am »
NO.
My question is:
why can't I ping from the Internet to ISP2 when my config is:
set route 0.0.0.0/0 interface ethernet0/2 gateway ISP1
set route 0.0.0.0/0 interface ethernet0/3 gateway ISP2 10

I can't ping from the Internet to ISP2
when I change to
set route 0.0.0.0/0 interface ethernet0/2 gateway ISP1
set route 0.0.0.0/0 interface ethernet0/3 gateway ISP2

Can you explain it?

muppet

Re: route ssg140
« Reply #4 on: August 02, 2011, 02:42:23 am »
Probably the packet is coming in one interface (ISP2) but the return packet is going out ISP1 (the only route that's active for default traffic) and the firewall doesn't have a rule to accept that?

Or maybe the firewall is actually sending a reply where the source address is ISP2, which the requesting host doesn't expect.

You should do a debug flow to examine what's actually happening though, I don't know what the exact problem is.  I suspect it's option 1 above, you might need a rule.
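
Added example, not part of the thread and not ScreenOS code: a small Python model of the explanations given in the replies above (equal-cost default routes share traffic; with a higher cost on the ISP2 route only the ISP1 route is active, so replies to pings arriving via ISP2 leave via ISP1). Assumptions: the trailing 10 is read as a higher route metric, the per-host modulo is a stand-in for the device's real balancing, and the 198.51.100.x hosts are constructed samples.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Route:
    interface: str
    gateway: str
    metric: int = 1  # assumption: routes without a trailing number share one default metric

def active_routes(routes):
    """Only the lowest-metric routes for a prefix are used for forwarding."""
    best = min(r.metric for r in routes)
    return sorted((r for r in routes if r.metric == best), key=lambda r: r.interface)

def reply_egress(routes, remote_host):
    """Interface a reply to remote_host leaves on.

    Equal-cost routes are shared per remote host; the modulo on the address
    is a deterministic stand-in for whatever balancing the device applies.
    """
    candidates = active_routes(routes)
    return candidates[int(ipaddress.ip_address(remote_host)) % len(candidates)].interface

def ping_report(routes, ingress_if, remote_hosts):
    """Map each remote host pinging via ingress_if to (reply interface, symmetric?)."""
    report = {}
    for host in remote_hosts:
        out = reply_egress(routes, host)
        report[host] = (out, out == ingress_if)
    return report

# The two configurations from the thread (gateways kept as the thread's placeholders).
WITH_METRIC = [Route("ethernet0/2", "ISP1"), Route("ethernet0/3", "ISP2", metric=10)]
EQUAL_COST = [Route("ethernet0/2", "ISP1"), Route("ethernet0/3", "ISP2")]

# Constructed sample: Internet hosts (documentation addresses) pinging the ISP2 address.
REMOTE_HOSTS = ["198.51.100.10", "198.51.100.11", "198.51.100.12", "198.51.100.13"]

if __name__ == "__main__":
    for name, routes in (("ISP2 metric 10", WITH_METRIC), ("equal cost", EQUAL_COST)):
        print(name)
        for host, (out, ok) in ping_report(routes, "ethernet0/3", REMOTE_HOSTS).items():
            print(f"  {host}: reply leaves {out} -> {'symmetric' if ok else 'ASYMMETRIC'}")
```

In this model every reply is asymmetric in the first configuration, and roughly half are in the second, which matches the "can't ping" and "unstable" symptoms reported in the thread.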

chunkpunk

Re: route ssg140
« Reply #5 on: August 02, 2011, 03:05:29 am »
I think that you are right about option 1. Can you explain to me what rule I must add?

muppet

Re: route ssg140
« Reply #6 on: August 02, 2011, 03:06:54 am »
Allow ICMP from untrust 1 to untrust 2 and from 2 to 1. That's what I'd try.

chunkpunk

Re: route ssg140
« Reply #7 on: August 02, 2011, 03:17:43 am »
Hmm, OK, but what can I do when both my isp1 & isp2 are in untrust?

chunkpunk

Re: route ssg140
« Reply #8 on: August 02, 2011, 03:23:36 am »
My config: one untrust zone, one untrust-vr