With an active/standby pair of Cisco ASA/PIX firewalls, feeding into two Internet edge routers with limited bandwidth over two separate DIA (Direct Internet Access) circuits, the firewalls can be configured to do Equal Cost Load Balancing (ECLB) as known on the Cisco PIX or Equal Cost Multiple Path (ECMP) on the ASA with the default route so both routers and circuits are used.
If HSRP is protecting the default gateway to the routers and the firewall uses a static route to the standby VIP (virtual IP) address, only one of the two routers would actually be used. Some routers support GLBP (Gateway Load Balancing Protocol) to make the VIP active/active on both routers, but GLBP load balances by alternating between multiple virtual MAC addresses in its replies to ARP (Address Resolution Protocol) requests. GLBP would not yield load balancing with a single firewall of a redundant active/standby pair, since the firewall would receive and use only one of the virtual MAC addresses. You would think GLBP might be an option with active/active firewalls, but with the default round-robin algorithm, and with other devices in the VLAN using the same GLBP VIP, the chance of both firewalls being handed the same virtual MAC address and funnelling all traffic through a single router is high.
Load balancing over multiple routes can be accomplished either through a dynamic routing protocol (on the outside of the firewall) or through static routing with equal cost routes. In the standard configuration of two Internet edge routers for DIA served by a single pair of redundant firewalls (active/standby), configure two default static routes (0.0.0.0/0) of equal cost (same admin distance and metric). The first default route points to the LAN interface of the first router and the second default route points to the second router. Both routes must be on the same interface, usually the “outside” interface. Up to three default routes may be used.
ECMP/ECLB hashes the source and destination IP addresses to determine which equal cost route to use. The source address comes from the inside/local address and the destination is the outside/foreign address. For two equal cost routes, the hash returns either 0 or 1 to select the route. The entire flow of a given source/destination IP address pair will always use the same route as long as it’s available.
With multiple routes and paths out to the Internet, what happens when one of your routers, circuits, or ISPs has an issue? Your default routes happily send traffic to what could turn out to be a blackhole, assuming the routers themselves don’t route around such trouble. On the equal cost default routes already configured, you can add tracking with SLA probes to monitor your ISPs’ gateways and automatically remove a default route when its ISP can’t be reached. You’ll need two SLA monitors and two tracks, one for each route.
sla monitor 123
 type echo protocol ipIcmpEcho 10.0.0.1 interface outside
 num-packets 3
 frequency 10
!-- Configure a new SLA probe with ID 123.
!-- Specify the IP address to ping (the ISP gateway), the number of packets
!-- per probe, and the probe frequency in seconds (3 and 10 here are example values).
sla monitor schedule 123 life forever start-time now
!-- Schedule the monitor to start now and run forever.
track 1 rtr 123 reachability
!-- The track ID of 1 will use the RTR/SLA ID 123.
!-- Use with: route outside 0.0.0.0 0.0.0.0 10.100.0.1 1 track 1
!-- The route is removed from the routing table while track 1 is down.
For a little bit of extra redundancy, configure a floating static default route (admin distance or metric higher than your normal defaults) — I prefer 254 which is the highest value — that kicks in when your regular routes are removed by the SLA tracking. This floating static route is pointed to the HSRP VIP address and is truly your last resort.
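Putting the pieces together, here is a complete ASA configuration for the design described above: two SLA probes, two tracks, two tracked equal cost default routes, and the floating static last-resort route. This is an added example, not the original snippet from this post. The first ISP gateway (10.0.0.1) and first router LAN address (10.100.0.1) come from the snippet above; the second ISP gateway (10.0.1.1), the second router LAN address (10.100.0.2), the HSRP VIP (10.100.0.254) and the SLA/track IDs 124 and 2 are assumed placeholder values that you would replace with your own.

```cisco
!-- Probe ISP A's gateway through the outside interface (address from the post).
sla monitor 123
 type echo protocol ipIcmpEcho 10.0.0.1 interface outside
 num-packets 3
 frequency 10
sla monitor schedule 123 life forever start-time now
track 1 rtr 123 reachability

!-- Probe ISP B's gateway (10.0.1.1 is an assumed placeholder address).
sla monitor 124
 type echo protocol ipIcmpEcho 10.0.1.1 interface outside
 num-packets 3
 frequency 10
sla monitor schedule 124 life forever start-time now
track 2 rtr 124 reachability

!-- Two equal cost default routes (same interface, same metric 1), each tied to
!-- its own track. ECMP hashes source/destination addresses across both while
!-- both tracks are up; a route is withdrawn as soon as its track goes down.
route outside 0.0.0.0 0.0.0.0 10.100.0.1 1 track 1
route outside 0.0.0.0 0.0.0.0 10.100.0.2 1 track 2

!-- Floating static route to the HSRP VIP (10.100.0.254 is an assumed placeholder).
!-- Admin distance 254 keeps it out of the routing table until both tracked
!-- routes have been removed; it is the last resort described in the post.
route outside 0.0.0.0 0.0.0.0 10.100.0.254 254
```

To verify the behaviour, `show track` reports whether each track is up or down and `show route` shows which default routes are currently installed; with both tracks up you should see the two metric-1 routes and not the floating route, and with either ISP gateway unreachable the corresponding route disappears while the other keeps carrying all traffic. Only when both tracks are down does the HSRP-VIP route appear.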