cancel
Showing results for 
Search instead for 
Did you mean: 
Post a Question

ISP Failover working but no internet connection.

Hi,

Could someone please help us with this, We have a client who are using R80.10 cluster firewall and has the ISP failover configured but then when the primary ISP goes down we can see on the tracker that the secondary ISP preceded the connection but then there are still no internet connection for the users, we have already done the isolation listed below.

- Check secondary ISP internet connection by bypassing the firewall (has internet connection.)

- Make sure that we only has one default gateway ( Primary ISP default Gateway)

- Check the next hop IP address for both ISP on ISP redundancy setting on smartdashboard

- Check sk61692 for possible misconfiguration.

- Make sure the default gateway/next hop IP address for both ISP are reachable.

- Check ISP failover status on Clish by using " cpstat fw " command.

- We also do a testing on a standalone R80.10 firewall and has the same output.

Regards,

0 Kudos
10 Replies

Re: ISP Failover working but no internet connection.

Hello,

Could you elaborate with "cpstat fw" result and tell us routing table is changing when ISP failover "route -n".

0 Kudos

Re: ISP Failover working but no internet connection.

Hi Anthony,

Thanks for your reply, when I run " cpstat fw " I could see that both ISP have OK status and then for testing I would manually turn down the primary to check if failover would work, after turning down the primary ISP I would see on tracker that the primary ISP are down and that the secondary ISP are up for connection but then there is still no internet connection for users.

0 Kudos

Re: ISP Failover working but no internet connection.

When ISP goes down, you should have a change on the routing table.

"watch -d route -n"

Do you see it ?

regards,

Anthony

0 Kudos

Re: ISP Failover working but no internet connection.

Yes I could see the default route change whenever I manually turn down the primary ISP, whats weird is that I could see on the tracker that the failover are working and that my firewall users are being NATed using the secondary ISP IP address but still internet access are not working.

I also try to test this setup to R77.30 firewall and its working, only in R80.10 that I'm having trouble.

Thanks for responding.

0 Kudos

Re: ISP Failover working but no internet connection.

Hello Rudy,

from what I learn about R80.10, Topology is much more enforced than before.

An example: If topology is wrong on the object, it can discard the trafic without blocking it. (database correction solve the issue)

I'll build this morning a lab with R77.30 and R80.10 with 2 ISP and try to replicate your issue.

Did you try to disable Sxl for testing purpose ?

Could you kindly provide me some more debugs.

ping 8.8.8.8       //from one host on your network

fwaccel off      //(if you can)

fw ctl zdebug drop | grep 8.8.8.8

fw monitor -e "host(8.8.8.8),accept;"

route -n

fw ctl affinity -l -r -v

remove has much information about host ip etc ... we need interfaces and NAT.

regards,

Anthony

0 Kudos
Petr_Hantak
Silver

Re: ISP Failover working but no internet connection.

In case the backup line goes UP and there is still no Internet connection, what about NAT rules? Have you got properly configured them for inside networks like following?

0 Kudos

Re: ISP Failover working but no internet connection.

Hi Petr,

I have already check the NAT configuration for the users to that setting and its still not working.

Thanks for responding.

0 Kudos

Re: ISP Failover working but no internet connection.

1) Tried clearing the CAM tables on your switches/routers? Also, any static ARP's?

2) Have you run a zdebug + drop as well as fwmonitor(Turn of SXL)? That would hopefully tell you a little more.

3) Failover? Rebooted the members?

0 Kudos

Re: ISP Failover working but no internet connection.

Hi,

Thanks for responding.

1. There are no static ARP's on the router.

2. Try to run fwmonitor and it shows that both connections for ISP are working fine.

3. Yes we setup the configuration as failover., what do you mean by rebooted the member?

0 Kudos

Re: ISP Failover working but no internet connection.

Hi Guys!

I just solve the issue today, I install the jumbo hotfix for R80.10 take 154 for it work, Thanks everyone for help!