Hello,
I hope you can support or guide me if what I intend to do is possible:
I have a web server with the external IP 187.210.xx.xxx and the mapped IP 172.16.x.xx, published as a VIP. I just hired another ISP, and I want to publish this same server with that external IP so that when my main ISP is not working, my server exits through my secondary ISP.
First of all, thanks.
Q: Are you doing BGP?
Q: Is the 187.210.x.x/xx advertised to both ISPs?
If you answer yes to both, then set the VIP interface to ANY:
config firewall vip
    edit "VIP-ANY1"
        set mappedip "172.16.1.1"
        set extintf "any"
    next
end
Then run a "diag debug flow" against the target and monitor.
Ken Felix
SCTG-MS
PCNSE
NSE
StrongSwan
I do not use BGP. My web server is published only by my main ISP, which is 187.210.xx / xx. My intention is to publish it on my second ISP, but I do not know how to do it. The aim is that when my main ISP fails, my secondary ISP takes its place automatically, so as not to lose the published service.
That would be impossible if your 2nd ISP does not originate the prefix. You could publish 2x VIPs, one with x.x.x.x-map-to-server and one with y.y.y.y-map-to-server, for the web services.
Ken Felix
PCNSE
NSE
StrongSwan
What options do I have to carry out this action? The purpose is to publish my server so that it is available on the 2 ISPs, or to know whether it is possible to do so.
I have SDWAN for internal connections and I would like to have something similar for external connections, to have high availability.
Well, if that's the case, you need 2 VIPs:
config firewall vip
    edit "ISP1"
        set extip x.x.x.x
        set extintf "wan1"
        set mappedip "172.16.1.1"
    next
    edit "ISP2"
        set extip y.y.y.y
        set extintf "wan2"
        set mappedip "172.16.1.1"
    next
end
Put both VIPs into a vipgrp and place that into a policy. Now here's the kicker: you need to test it. With SDWAN it is possible the server might want to route out the wrong interface.
So I would test VIP1 with diag sniffer packet wan1 "host x.x.x.x" and confirm two-way traffic. And lastly you would need 2 A records,
e.g.
www.example.com has address x.x.x.x
www.example.com has address y.y.y.y
If you have GSLB/GTM you can probably add that to your mix and control it by one of these 2, but I'm assuming you do not.
But it's impossible to use one address for both ISP1/2.
Ken Felix
PCNSE
NSE
StrongSwan
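One way to automate the two-way check described in the post above, as an added example that is not part of the thread. It assumes the capture was taken on interface "any" at verbosity 4, so each line carries the interface name and direction; the sample lines, the documentation addresses standing in for x.x.x.x and y.y.y.y, and the check_vip_flows helper are all constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample, in the shape of FortiOS sniffer output at verbosity 4
# (timestamp, interface, direction, src.port -> dst.port). Documentation
# addresses stand in for the thread's x.x.x.x (wan1) and y.y.y.y (wan2).
SAMPLE = """\
1.000100 wan1 in 192.0.2.50.40000 -> 198.51.100.10.443: syn 1000
1.000900 wan1 out 198.51.100.10.443 -> 192.0.2.50.40000: syn 2000 ack 1001
2.000100 wan2 in 192.0.2.60.41000 -> 203.0.113.20.443: syn 3000
2.000900 wan1 out 203.0.113.20.443 -> 192.0.2.60.41000: syn 4000 ack 3001
3.000100 wan2 in 192.0.2.70.42000 -> 203.0.113.20.443: syn 5000
"""

PKT = re.compile(
    r"^\S+\s+(?P<intf>\S+)\s+(?P<dir>in|out)\s+"
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+):")

def check_vip_flows(text, vips):
    """Map each client->VIP flow to 'ok', 'no-reply' or 'asymmetric:<in>/<out>'."""
    flows = defaultdict(lambda: {"in": set(), "out": set()})
    for line in text.splitlines():
        m = PKT.match(line.strip())
        if not m:
            continue  # banners, blank lines, anything without IPv4 addr.port pairs
        src, dst = f'{m["src"]}:{m["sport"]}', f'{m["dst"]}:{m["dport"]}'
        if m["dir"] == "in" and m["dst"] in vips:
            flows[(src, dst)]["in"].add(m["intf"])     # client -> VIP
        elif m["dir"] == "out" and m["src"] in vips:
            flows[(dst, src)]["out"].add(m["intf"])    # VIP -> client
    report = {}
    for (client, vip), seen in flows.items():
        if not seen["in"]:
            continue  # reply without a captured request: cannot judge
        if not seen["out"]:
            status = "no-reply"
        elif seen["out"] <= seen["in"]:
            status = "ok"  # reply left through the interface the request used
        else:
            status = "asymmetric:%s/%s" % (",".join(sorted(seen["in"])),
                                           ",".join(sorted(seen["out"])))
        report[f"{client} -> {vip}"] = status
    return report

if __name__ == "__main__":
    vips = {"198.51.100.10", "203.0.113.20"}
    for flow, status in check_vip_flows(SAMPLE, vips).items():
        print(f"{status:<22} {flow}")
```

A flow reported as asymmetric is the "route out the wrong interface" case from the post; a no-reply flow means the request reached the VIP but nothing was seen going back to the client.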
The current configuration and with which the VIP is working with my main ISP or WAN 1 is the following:
I have the following VIP configured:
Name: SRV-MyCompany
Interface: WAN1
External IP address / range: 187.210.xxx.xx
Mapped IP address / range: 172.16.1.xx
And the Policy
Name: VIP-Myserver
Incoming Interface: SDWAN (All my ISP)
Outgoing Interface: Local Network
Source: All
Destination: SRV-MyCompany
With this configuration it worked perfectly, both for internal and external connections. I already have another ISP added to my FortiGate, "WAN2". I want the server that I have published on "WAN1" to also be published on "WAN2", because every time my WAN1 goes down, all connections to my server are lost. This issue is somewhat complex for me because I do not fully master it.
I don't know how to do these configurations, whether I have to create another VIP, which IPs it should carry, or whether something additional is required.
It is worth mentioning that my main ISP gives me 8 public IP addresses, but the second one only gives me one.
Copyright 2024 Fortinet, Inc. All Rights Reserved.