Wednesday, June 30, 2021

Cisco ASA ECMP without Traffic Zones?

I just re-configured our firewall(s) (HA pair) in one of our data centers to receive a default route from both of our internet routers via BGP. We're running a pair of ASA5545x's on 9.12(3)12. These connect to a set of switches that also connect to the two internet routers. There is only ONE outside interface, as it's able to see both routers over the same VLAN through the switch.

Everything is mostly working, except ECMP. In the lab I had this working perfectly, but it looks like when I moved the config to production, the zone-member OUTSIDE command was not applied to the OUTSIDE interface. In ASDM, I'm not able to add this interface to a zone because it's associated with a crypto map for a S2S tunnel. Would this missing command be the reason that ECMP is not working? Both of our default BGP routes are being learned properly and both have the exact same AD, AS path length, etc., so they should both be eligible equal-cost default routes in the routing table. However, I am only seeing one at a time (if I drop the neighbor on the current "primary" circuit, it fails over to the "secondary" as would be expected in an active/standby config).

If I do need to apply this command to get it to work, what does this mean for my S2S tunnel? And would such a change be traffic-affecting?

Kinda frustrating that the entire reason for me redesigning things this way was to get load-balancing (at least on outbound traffic). (To be fair, it was also to do away with HSRP between the routers, but load-balancing was the primary reason.)

If anyone has any advice, I'd really appreciate it! Also if you need a config snippet, I'd be happy to provide. Thanks!!
