Active/Standby Main ISP failover FAILED

KyleHB — Fri, 21 Feb 2020 16:04:19 GMT

Hi Experts,

I would like your help regarding my issue on my Active/Standby configuration on my ASA.

Here is my topology and configuration below to better understand:

ACTIVE ASA CONFIG

failover lan unit primary
failover lan interface FAILOVER gi0/3
failover interface ip FAILOVER 10.10.10.1 255.255.255.0 standby 10.10.10.2
failover key test.com
failover

failover link STATE gi0/4
failover interface IP STATE 20.20.20.1 255.255.255.0 standby 20.20.20.2

interface g0/0
channel-group 1 mode on
no nameif
no security-level

interface g0/1
nameif ISP1
securit-level 0
ip address 1.1.1.2 255.255.255.0

interface g0/2
nameif ISP2
security-level 0
ip address 2.2.2.1 255.255.255.0

interface port-channel 10
max lacp-bundle 8
nameif inside
security-level 100
ip address 192.168.0.1 255.255.255.0 standby 192.168.0.2

route ISP1 0.0.0.0 0.0.0.0 1.1.1.1 1
route ISP2 0.0.0.0 0.0.0.0 2.2.2.2 10

STANDBY ASA CONFIG

failover lan unit secondary
failover lan interface FAILOVER gi0/3
failover interface ip FAILOVER 10.10.10.1 255.255.255.0 standby 10.10.10.2
failover key test.com
failover

My issue is when I shut down my INSIDE interface going to the STANDBY ASA and my OUTSIDE LINK going to the ISP 1 from my ACTIVE ASA, my inside link has no longer access to the internet. When I am in the L3 Switch and I tried to ping the ASA IP (192.168.0.1) I am no longer able to ping it.

I expect that since the main ISP which is ISP 1 on STANDBY ASA is still active, the traffic should go there. However, it does not. it does not even go to the backup ISP which is ISP 2 on my ACTIVE ASA.

But if I do it vice versa (shutdown the INSIDE link going to ACTIVE ASA and OUTSIDE link from my STANDBY ASA going to ISP 1) it works. The traffic is still passing thru ISP 1.

Here is an example:

Thanks in advance!

Kyle

Re: Active/Standby Main ISP failover FAILED

Francesco Molino — Wed, 08 Aug 2018 03:10:54 GMT

Based on my understanding, ISP 1 is your primary isp and ISP 2 your secondary.

First of all, i would configure tracking on your primary default route which will trigger the secondary default route being installed in your asa RIB if your tracking is down. You can use what ever ip on the internet like Google dns.

Then ensure which interface you're monitoring and if you configured monitor interface-policy feature. You don't want to failover the secondary unit if only isp1 goes down.

Now, on your scenario, can you confirm which asa is the active one when shutting down isp1?

If a failover occurs when isp 1 is down and you shut the inside interface on asa 2, traffic won't go through asa 1 to come back to asa 2.

topic Active/Standby Main ISP failover FAILED in Network Security

Active/Standby Main ISP failover FAILED

Re: Active/Standby Main ISP failover FAILED