BGP with routing/monitoring question



  • We have 2 firewalls running CARP with BGP.
    Diverse path in the same data center.

    One circuit hits a Houston router, the other hits a Dallas router.

    Each firewall has 2 WAN interfaces with a /29 on each.

    We have a /25 that's announced via BGP.
    One circuit is considered the primary.
    Failover to the secondary works fine if we reboot the primary or physically pull the cable.

    Monday the data center made a mistake and added a policy that pretty much black-holed the BGP traffic. The firewalls did not fail over to the second circuit.

    So how can we make that happen?

    If I set the monitoring IP to, let's say, 8.8.8.8 for both gateways on the firewalls and then set packet loss thresholds to, let's say, 50% or some other metric, then if the primary firewall can't ping that IP it will consider the route to be down.

    Is it correct that the firewalls will update the BGP announcement to be the secondary circuit if that happens?



  • Any suggestion would be helpful.

    8.8.8.8 gives us a bit of packet loss.
    Any other suggestion on something to use for monitoring?
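As an added illustration (not code from the original thread or from any firewall product), here is the loss-threshold gateway check sketched in Python, extended to several monitor targets per gateway so that one lossy target such as 8.8.8.8 cannot trip failover on its own. Probe counts are constructed; a real gateway monitor would measure them, and note that reachability of a monitor IP says nothing about the BGP session itself, which is tracked separately.

```python
"""Loss-threshold gateway monitoring with a quorum of monitor targets.

Constructed example: the probe counts below are made up, not measured.
Targets are well-known public resolvers used only as reachability probes.
"""
from dataclasses import dataclass


@dataclass
class Probe:
    target: str   # monitor IP probed through one specific gateway
    sent: int     # ICMP echo requests sent in the sampling window
    received: int # echo replies received

    @property
    def loss_pct(self) -> float:
        # No probes sent means we know nothing: treat as total loss.
        if self.sent == 0:
            return 100.0
        return 100.0 * (self.sent - self.received) / self.sent


def gateway_down(probes, loss_threshold=50.0, min_failed=None):
    """Declare the gateway down only when at least `min_failed` targets
    (default: a majority) exceed the loss threshold. Returns (down, failed)."""
    if not probes:
        raise ValueError("a gateway needs at least one monitor target")
    if min_failed is None:
        min_failed = len(probes) // 2 + 1
    failed = [p.target for p in probes if p.loss_pct >= loss_threshold]
    return len(failed) >= min_failed, failed


def announcing_gateway(primary, secondary, loss_threshold=50.0):
    """Pick which circuit should carry the /25 announcement.
    If both look down, stay on the primary rather than flap."""
    primary_down, _ = gateway_down(primary, loss_threshold)
    secondary_down, _ = gateway_down(secondary, loss_threshold)
    if not primary_down:
        return "primary"
    if not secondary_down:
        return "secondary"
    return "primary"


# Constructed sample windows (20 probes each per target).
# Houston circuit black-holed upstream: every target is lossy.
HOUSTON = [Probe("8.8.8.8", 20, 6), Probe("1.1.1.1", 20, 0), Probe("9.9.9.9", 20, 1)]
# Dallas circuit healthy: only the resolver that is lossy anyway drops a few.
DALLAS = [Probe("8.8.8.8", 20, 17), Probe("1.1.1.1", 20, 20), Probe("9.9.9.9", 20, 20)]
# Primary fine except 8.8.8.8 itself shedding pings: must NOT trigger failover.
ONLY_8888_LOSSY = [Probe("8.8.8.8", 20, 9), Probe("1.1.1.1", 20, 20), Probe("9.9.9.9", 20, 20)]
```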