topic Re: Single ASA - dual ISP failover in Network Security

Single ASA - dual ISP failover

denis.ivitchev — Tue, 12 Mar 2019 08:46:42 GMT

I have single 5508 running v.9.5.

No router in front of the ASA.

Failover is set up as shown in the configuration below.

I have two questions, first, when primary ISP (Outside-TW) goes down and backup ISP (outside) becomes active, will it switch back automatically to primary ISP once it becomes available? Or am I missing some pieces in the config?

And second, what if the problem with primary ISP is further down the path than the gateway, how do I monitor both, the default gateway and for example 8.8.8.8?

Thank you.

interface GigabitEthernet1/1
nameif outside
security-level 0
ip address 2.2.2.2 255.255.255.252
!
interface GigabitEthernet1/3
nameif Outside-TW
security-level 0
ip address 1.1.1.2 255.255.255.248

route outside 0.0.0.0 0.0.0.0 2.2.2.1 11 track 1
route Outside-TW 0.0.0.0 0.0.0.0 1.1.1.1 1 track 2

sla monitor 1
type echo protocol ipIcmpEcho 2.2.2.1 interface outside
frequency 10
sla monitor schedule 1 life forever start-time now

sla monitor 2
type echo protocol ipIcmpEcho 1.1.1.1 interface Outside-TW
frequency 10
sla monitor schedule 2 life forever start-time now

track 1 rtr 1 reachability
!
track 2 rtr 2 reachability

To answer your questions:

Rahul Govindan — Sat, 14 Jan 2017 00:39:32 GMT

To answer your questions:

1) Yes, the traffic should fail back over to the the primary ISP as the initial default route should show up back on the routing table. You config has a potential problem - both primary and backup default routes have the same metric (1). You should ideally have the backup route with a higher metric so that it takes effect only when the primary route is not longer present. You also do not need a track on your backup route as the route should always be up as backup. You can use the following guide as example:

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/118962-configure-asa-00.html

2) Keeping the tracking as 8.8.8.8 has an advantage of being to track both gateway and other devices in the path. But if you keep only gateway you cannot check anything beyond. Again, this is a call you have to take on what you want to track. My recommendation would be to track 8.8.8.8. In any case, test and make sure that the tracking does not keep going down with that config.

Re: Single ASA - dual ISP failover

sistematico — Tue, 07 Nov 2017 18:41:40 GMT

this is the Right configuration you need

sla monitor 9
type echo protocol ipIcmpEcho 8.8.8.8 interface Primary_ISP
num-packets 3
sla monitor schedule 9 life forever start-time now

track 9 rtr 9 reachability

route Primary_ISP 0.0.0.0 0.0.0.0 1.1.1.1 track 9
route Backup_ISP 0.0.0.0 0.0.0.0 2.2.2.2 10

the number "10" on the second routes is the AD which has to be higher than the primary but if you want autofailover you should never you the AD as 255 on the secondary route