Hi Anthony,

Thanks for your reply, when I run " cpstat fw " I could see that both ISP have OK status and then for testing I would manually turn down the primary to check if failover would work, after turning down the primary ISP I would see on tracker that the primary ISP are down and that the secondary ISP are up for connection but then there is still no internet connection for users.

When ISP goes down, you should have a change on the routing table.

"watch -d route -n"

Do you see it ?

regards,

Anthony

Yes I could see the default route change whenever I manually turn down the primary ISP, whats weird is that I could see on the tracker that the failover are working and that my firewall users are being NATed using the secondary ISP IP address but still internet access are not working.

I also try to test this setup to R77.30 firewall and its working, only in R80.10 that I'm having trouble.

Thanks for responding.

Hello Rudy,

from what I learn about R80.10, Topology is much more enforced than before.

An example: If topology is wrong on the object, it can discard the trafic without blocking it. (database correction solve the issue)

I'll build this morning a lab with R77.30 and R80.10 with 2 ISP and try to replicate your issue.

Did you try to disable Sxl for testing purpose ?

Could you kindly provide me some more debugs.

ping 8.8.8.8       //from one host on your network

fwaccel off      //(if you can)

fw ctl zdebug drop | grep 8.8.8.8

fw monitor -e "host(8.8.8.8),accept;"

route -n

fw ctl affinity -l -r -v

remove has much information about host ip etc ... we need interfaces and NAT.

regards,

Anthony

Hi Petr,

I have already check the NAT configuration for the users to that setting and its still not working.

Thanks for responding.

Hi,

Thanks for responding.

1. There are no static ARP's on the router.

2. Try to run fwmonitor and it shows that both connections for ISP are working fine.

3. Yes we setup the configuration as failover., what do you mean by rebooted the member?