By using IP SLA tracking, you can configure automatic failover to the secondary tunnel when the primary tunnel is down.
Steps
- Add a static route via the tunnel interface for the tunnel monitoring IP address, so that the probe traffic is pinned to the primary tunnel:
  ip route 116.50.59.230 255.255.255.255 Tunnel0
- Configure the IP SLA operation (an ICMP echo to the monitoring IP address, sourced from the tunnel interface) and schedule it:
  ip sla 4
   icmp-echo 116.50.59.230 source-interface Tunnel0
   threshold 3000
   timeout 30000
   frequency 30
  ip sla schedule 4 life forever start-time now
- Track the IP SLA operation; the Event Manager uses the state of this track object to trigger failover:
  track 4 ip sla 4
   delay down 10 up 10
- Configure Event Manager applets that execute CLI commands for failover. With these, traffic is directed to the secondary tunnel when the primary tunnel is down and returns to the primary tunnel when it is up and healthy again:
  event manager session cli username <username>
  event manager applet failover_if_primary_tunnel_goes_down
   event track 4 state down
   action 001 cli command "conf t"
   action 002 cli command "interface <incoming_interface>"
   action 003 cli command "ip policy route-map Secondary_Tunnel"
   action 004 cli command "end"
   action 005 cli command "exit"
  event manager applet route_back_to_primary_when_available
   event track 4 state up
   action 001 cli command "conf t"
   action 002 cli command "interface <incoming_interface>"
   action 003 cli command "ip policy route-map Primary_Tunnel"
   action 004 cli command "end"
   action 005 cli command "exit"
- Replace <username> with the user name used for SSH/Telnet access to the device.
- Replace <incoming_interface> with the name of the ingress interface on your edge device.
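The four pieces above only fail over correctly when they agree with each other (the track points at the SLA that exists, the probe is pinned to the tunnel by a host route, the timers satisfy the IOS ordering rule, and one applet exists for each track state). The following is an added example, not part of the original page or of Forcepoint's documentation: a small Python linter that cross-checks those relationships on a constructed sample assembled from the steps above.

```python
import re

# Constructed sample assembled from the steps above (EEM action lines omitted).
SAMPLE_CONFIG = """ip route 116.50.59.230 255.255.255.255 Tunnel0
ip sla 4
 icmp-echo 116.50.59.230 source-interface Tunnel0
 threshold 3000
 timeout 30000
 frequency 30
ip sla schedule 4 life forever start-time now
track 4 ip sla 4
 delay down 10 up 10
event manager applet failover_if_primary_tunnel_goes_down
 event track 4 state down
event manager applet route_back_to_primary_when_available
 event track 4 state up
"""

def lint_failover_config(text):
    """Cross-check route, IP SLA, track and EEM pieces; returns a list of problems."""
    routes = set(re.findall(r"^ip route (\S+) 255\.255\.255\.255 (\S+)", text, re.M))
    slas, tracks, applets, cur = {}, {}, {}, {}
    for line in (l.strip() for l in text.splitlines()):
        if m := re.match(r"ip sla (\d+)$", line):          # start of an SLA block
            cur = slas.setdefault(m[1], {})
        elif m := re.match(r"icmp-echo (\S+) source-interface (\S+)", line):
            cur.update(target=m[1], iface=m[2])
        elif m := re.match(r"(threshold|timeout|frequency) (\d+)$", line):
            cur[m[1]] = int(m[2])
        elif m := re.match(r"track (\d+) ip sla (\d+)", line):
            tracks[m[1]] = m[2]
        elif m := re.match(r"event manager applet (\S+)", line):  # start of an applet
            cur = applets.setdefault(m[1], {})
        elif m := re.match(r"event track (\d+) state (up|down)", line):
            cur.update(track=m[1], state=m[2])
    problems = []
    for sid, s in slas.items():
        # The probe must be pinned to the tunnel, or a reply via the backup path hides an outage.
        if (s.get("target"), s.get("iface")) not in routes:
            problems.append(f"ip sla {sid}: no /32 route for its target via its source interface")
        thr, to, freq_ms = s.get("threshold", 0), s.get("timeout", 0), s.get("frequency", 0) * 1000
        if not thr <= to <= freq_ms:                        # IOS requires threshold <= timeout <= frequency
            problems.append(f"ip sla {sid}: need threshold <= timeout <= frequency*1000, got {thr}/{to}/{freq_ms}")
    for tid, sid in tracks.items():
        if sid not in slas:
            problems.append(f"track {tid} references ip sla {sid}, which is not configured")
        for state in ("down", "up"):               # one applet must fail over, one must fail back
            if not any(a.get("track") == tid and a.get("state") == state for a in applets.values()):
                problems.append(f"no EEM applet reacts to track {tid} going {state}")
    return problems
```

Run it against the configuration you are about to push (for example the output of `show running-config` saved to a file) before cutting over; an empty list means the pieces agree.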
Next steps
You can monitor the current status of the tunnel by pinging the tunnel monitoring IP address shown in the Forcepoint ONE SSE portal.