topic Re: IP SLA/PBR behavior for Firepower in Network Security

IP SLA/PBR behavior for Firepower

ryan14 — Mon, 03 May 2021 14:48:35 GMT

We have an FTD with two ISPs where Guest traffic PBR policy uses the backup circuit. I am wondering though, is it possible to use IP SLA in conjunction with PBR so that if this circuit has issues, it falls back to the other circuit? Or is the PBR always going to be in effect?

Re: IP SLA/PBR behavior for Firepower

rschlayer — Mon, 03 May 2021 15:02:12 GMT

Hello @ryan14

You can configure an IP SLA track and add that track in the set clause of your route map. When the track goes down the device will route the device using normal route lookup.

See here: https://www.cisco.com/c/en/us/td/docs/security/asa/asa96/configuration/general/asa-96-general-config/route-policy-based.html#ID-2182-00000032

BR
Rick

Re: IP SLA/PBR behavior for Firepower

ryan14 — Mon, 03 May 2021 15:29:34 GMT

Thank you for that info. I'm still a little confused. If I have a default route pointing to the other (primary) circuit, and the ip sla responder is up (because the primary circuit is) how does the FTD check the availability of the backup circuit, if the default route on the FTD is sending traffic via the primary? Is there a way to specify the source interface?

Re: IP SLA/PBR behavior for Firepower

rschlayer — Fri, 07 May 2021 12:36:06 GMT

In the IP SLA Track you define the interface to use for pinging, if the interface is down, or the GW for that Interface is down, the ping fails and therefore the track fails.