Hi All,
After setting up an SSG350M active/passive cluster, I am running into the problem that I'm not able to figure out how to configure a dual ISP routing configuration. Both ISPs are bound to UNTRUST eth0/2.5 and eth0/2.6 with default routes configured...
What's the best sample config to make eth0/2.5 the primary route and eth0/2.6 the backup, if eth0/2.5 fails?
All TRUST segments are bound to sub-interfaces eth0/0.x.
But when two default routes are configured with different preferences, the primary stays active and does not switch to the backup route... :-(
Configuration:
get interface
Interfaces in vsys Root:
Name       IP Address        Zone     MAC             VLAN  State  VSD
eth0/0     0.0.0.0/0         Trust    0010.dbff.2000  -     U      0
eth0/0.10  10.0.10.254/24    Trust    0010.dbff.2000  10    U      0
eth0/1     0.0.0.0/0         DMZ      0010.dbff.2050  -     U      0
eth0/2     0.0.0.0/0         Untrust  0010.dbff.2060  -     U      0
eth0/2.5   212.60.218.50/28  Untrust  0010.dbff.2060  5     U      0
eth0/2.6   192.168.61.21/24  Untrust  0010.dbff.2060  6     D      0
eth0/3     0.0.0.0/0         HA       288a.1c4e.ca67  -     U      -
vlan1      0.0.0.0/0         VLAN     0010.dbff.20f0  1     D      0
null       0.0.0.0/0         Null     N/A             -     U      0
get route
IPv4 Dest-Routes for <trust-vr> (8 entries)
--------------------------------------------------------------------------------------
   ID  IP-Prefix         Interface  Gateway         P  Pref  Mtr  Vsys
--------------------------------------------------------------------------------------
*   4  212.60.218.50/32  eth0/2.5   0.0.0.0         H     0    0  Root
*   7  0.0.0.0/0         eth0/2.5   212.60.218.49   S    50    1  Root
*   8  0.0.0.0/0         eth0/2.6   192.168.61.254  S    20    1  Root
*   3  212.60.218.48/28  eth0/2.5   0.0.0.0         C     0    0  Root
*   6  192.168.61.21/32  eth0/2.6   0.0.0.0         H     0    0  Root
*   5  192.168.61.0/24   eth0/2.6   0.0.0.0         C     0    0  Root
*   2  10.0.10.254/32    eth0/0.10  0.0.0.0         H     0    0  Root
*   1  10.0.10.0/24      eth0/0.10  0.0.0.0         C     0    0  Root
get config | incl route
set vrouter trust-vr sharable
set vrouter "untrust-vr"
set vrouter "trust-vr"
unset auto-route-export
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set zone "DMZ" vrouter "trust-vr"
set zone "VLAN" vrouter "trust-vr"
set zone "Untrust-Tun" vrouter "trust-vr"
set interface ethernet0/2.5 route
set interface ethernet0/2.6 route
unset flow reverse-route clear-text
set flow reverse-route tunnel always
set vrouter "untrust-vr"
set vrouter "trust-vr"
unset add-default-route
set route 0.0.0.0/0 interface ethernet0/2.5 gateway 212.60.218.49 preference 50 tag 5 description "QSC UPLINK"
set route 0.0.0.0/0 interface ethernet0/2.6 gateway 192.168.61.254 preference 20 tag 6 description "T-COM UPLINK"
set vrouter "untrust-vr"
set vrouter "trust-vr"
Any suggestions?