topic Re: ASA 5506-X - Dual ISP Redundancy in Network Security

ASA 5506-X - Dual ISP Redundancy

lmoss843 — Thu, 03 Dec 2020 05:54:10 GMT

I have a client that would like to add a second WAN connection to there ASA 5506-X. They would like to make there current WAN link as the backup and the new WAN link as the primary. I have been testing in my home lab but I am a little confused. I am able to successfully configure WAN failover from primary to backup. However, when I attempt to do the reverse, it does not work. Is it possible to have the interface nameif backup as the PRIMARY link and the nameif outside interface as the BACKUP link? I have tried to complete this in my home lab but it doesn't seem to failover. Can anyone provide some insight? Thanks

ASA Version 9.5(1)
!
hostname ASA1
enable password 8Ry2YjIyt7RRXU24 encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
names
!
interface GigabitEthernet1/1
description Backup
nameif outside
security-level 0
ip address 3.3.3.1 255.255.255.252
!
interface GigabitEthernet1/2
nameif inside
security-level 100
ip address 192.168.2.1 255.255.255.0
!
interface GigabitEthernet1/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/4
description Primary
nameif backup
security-level 0
ip address 5.5.5.1 255.255.255.252
!
interface GigabitEthernet1/5
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/6
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/7
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/8
shutdown
no nameif
no security-level
no ip address
!
interface Management1/1
management-only
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
access-list TEST extended permit ip 192.168.2.0 255.255.255.0 any log
access-list TEST extended permit icmp 192.168.2.0 255.255.255.0 any
access-list TEST extended permit icmp any any traceroute
access-list TEST extended permit icmp any any echo
access-list TEST extended permit icmp any any echo-reply
pager lines 24
mtu outside 1500
mtu inside 1500
mtu backup 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
access-group TEST global
route backup 0.0.0.0 0.0.0.0 5.5.5.2 1 track 1
route outside 0.0.0.0 0.0.0.0 3.3.3.2 200
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
sla monitor 1
type echo protocol ipIcmpEcho 5.5.5.2 interface backup
num-packets 3
frequency 10
sla monitor schedule 1 life forever start-time now
service sw-reset-button
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpoint _SmartCallHome_ServerCA
no validation-usage
crl configure
crypto ca trustpool policy
!
track 1 rtr 1 reachability
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0

dhcpd address 192.168.2.51-192.168.2.95 inside
dhcpd enable inside

Re: ASA 5506-X - Dual ISP Redundancy

Rob Ingram — Thu, 03 Dec 2020 07:52:23 GMT

Hi @lmoss843

What bit is not working exactly? Please provide the output of the following commands:

show sla monitor operational-state

show track

show route

You don't appear to have any NAT rules, is that correct?

Re: ASA 5506-X - Dual ISP Redundancy

lmoss843 — Thu, 03 Dec 2020 13:31:16 GMT

Thanks Rob for assisting. Correct. I don't have any NAT rules. This is a setup in my test lab. I have the nameif backup set as the primary and the nameif outside set as the backup. It does not failover to the nameif outside link if I unplug the primary. Is it possible to have the nameif outside link as the failover?

ASA1# show sla monitor operational-state
Entry number: 1
Modification time: 22:56:41.941 UTC Wed Dec 2 2020
Number of Octets Used by this Entry: 2056
Number of operations attempted: 2914
Number of operations skipped: 0
Current seconds left in Life: Forever
Operational state of entry: Active
Last time this entry was reset: Never
Connection loss occurred: FALSE
Timeout occurred: FALSE
Over thresholds occurred: FALSE
Latest RTT (milliseconds): 1
Latest operation start time: 07:02:11.942 UTC Thu Dec 3 2020
Latest operation return code: OK
RTT Values:
RTTAvg: 1 RTTMin: 1 RTTMax: 1
NumOfRTT: 3 RTTSum: 3 RTTSum2: 3

ASA1# show track
Track 1
Response Time Reporter 1 reachability
Reachability is Up
7 changes, last change 07:37:27
Latest operation return code: OK
Latest RTT (millisecs) 1
Tracked by:
STATIC-IP-ROUTING 0

Gateway of last resort is 5.5.5.2 to network 0.0.0.0

S* 0.0.0.0 0.0.0.0 [1/0] via 5.5.5.2, backup
C 3.3.3.0 255.255.255.252 is directly connected, outside
L 3.3.3.1 255.255.255.255 is directly connected, outside
C 5.5.5.0 255.255.255.252 is directly connected, backup
L 5.5.5.1 255.255.255.255 is directly connected, backup
C 192.168.2.0 255.255.255.0 is directly connected, inside
L 192.168.2.1 255.255.255.255 is directly connected, inside

Re: ASA 5506-X - Dual ISP Redundancy

Rob Ingram — Thu, 03 Dec 2020 13:37:40 GMT

So if you shutdown the primary interface on the ASA or the upstream router.

What is the output of those commands then (give it a minute of so to failover or not!) Please provide the output

Re: ASA 5506-X - Dual ISP Redundancy

lmoss843 — Thu, 03 Dec 2020 13:47:37 GMT

It does not failover.

ASA1# show sla monitor operational-state
Entry number: 1
Modification time: 22:56:41.941 UTC Wed Dec 2 2020
Number of Octets Used by this Entry: 2056
Number of operations attempted: 3012
Number of operations skipped: 0
Current seconds left in Life: Forever
Operational state of entry: Active
Last time this entry was reset: Never
Connection loss occurred: FALSE
Timeout occurred: TRUE
Over thresholds occurred: FALSE
Latest RTT (milliseconds): NoConnection/Busy/Timeout
Latest operation start time: 07:18:21.942 UTC Thu Dec 3 2020
Latest operation return code: Timeout
RTT Values:
RTTAvg: 0 RTTMin: 0 RTTMax: 0
NumOfRTT: 0 RTTSum: 0 RTTSum2: 0

ASA1# show track
Track 1
Response Time Reporter 1 reachability
Reachability is Down
8 changes, last change 00:05:49
Latest operation return code: Timeout
Tracked by:
STATIC-IP-ROUTING 0

Gateway of last resort is 3.3.3.2 to network 0.0.0.0

S* 0.0.0.0 0.0.0.0 [200/0] via 3.3.3.2, outside
C 3.3.3.0 255.255.255.252 is directly connected, outside
L 3.3.3.1 255.255.255.255 is directly connected, outside
C 192.168.2.0 255.255.255.0 is directly connected, inside
L 192.168.2.1 255.255.255.255 is directly connected, inside

Re: ASA 5506-X - Dual ISP Redundancy

Rob Ingram — Thu, 03 Dec 2020 13:52:30 GMT

Yes, it does, the default route is now via outside

Gateway of last resort is 3.3.3.2 to network 0.0.0.0

S* 0.0.0.0 0.0.0.0 [200/0] via 3.3.3.2, outside

Re: ASA 5506-X - Dual ISP Redundancy

lmoss843 — Thu, 03 Dec 2020 14:13:12 GMT

That is what is confusing me. I also have a continuous ping running to the dest address and it times out with no replies.

Re: ASA 5506-X - Dual ISP Redundancy

Rob Ingram — Thu, 03 Dec 2020 14:26:13 GMT

What is the routing table of the destination? It is probably routing back to the wrong interface

If you had NAT in place, traffic would now be hidden behind the outside interface rather than the other interface. Add the following NAT, as I assume in production (outside of this lab) you'd rely on NAT anyway?

nat (inside,outside) after-auto source dynamic any interface
nat (inside,backup) after-auto source dynamic any interface

Re: ASA 5506-X - Dual ISP Redundancy

lmoss843 — Fri, 04 Dec 2020 00:11:43 GMT

Thanks Rob for all of your help. The routing table on the destination was
misconfigured. It's working as it should now. Thanks