https://community.cisco.com/t5/network-security/asa5510-backup-isp-interface-does-not-failback/m-p/2173259#M359514 <P><BR />Cisco ASA 5510 ASA 8.2(5)<BR />Set up the backup ISP per <BR /><A href="http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/produ" target="_blank">http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtml</A></P><P>Basically vanilla configuration</P><P>The SLA Target is the DG of the Primary Outside Interface - <BR />The interface will fall over to backup ISP (a DHCP interface). We have seen this occur when APPLYing a change via Cisco ASDM as well as 'planned' cutovers). <BR />The issue is that it does not fall back when the SLA Monitor sees the Target. <BR /><EM>sla monitor operational-state </EM>reflects a <BR /><EM>Latest Operation return code: ok</EM>. </P><P>However the <EM>show route </EM>reflects the backup route. <BR />The way I get it back is by bringing down the backup interface. <BR />I thought the following may be helpful: <BR /><A href="http://www.cisco.com/en/US/products/ps6120/products_tech_no" target="_blank">http://www.cisco.com/en/US/products/ps6120/products_tech_no</A>te09186a0080bc8549.shtml<BR />But this reflects a situation in which the routing table is rebuilt and the original Primary gateway is reinstated. <BR />Again, our route table does not reflect the Primary (until I pull the cable). </P><P>One thing I did notice, now, is that the routing table (with the backup) does not show as a S* but d* (lowercase </P><P>d, not capital D for EIGRP) </P><P>C&nbsp;&nbsp;&nbsp; 192.168.29.0 255.255.255.0 is directly connected, </P><P>inside<BR />C&nbsp;&nbsp;&nbsp; 50.196.236.120 255.255.255.248 is directly connected, </P><P>outside<BR />C&nbsp;&nbsp;&nbsp; 192.168.39.0 255.255.255.0 is directly connected, dmz<BR />C&nbsp;&nbsp;&nbsp; 192.168.1.0 255.255.255.0 is directly connected, </P><P>Backup<BR />d*&nbsp;&nbsp; 0.0.0.0 0.0.0.0 [1/0] via 192.168.1.254, Backup</P><P></P><P>Wondering what would resolve the issue, so the ASA failbacks to the Primary once it is recognized. </P> Tue, 12 Mar 2019 01:19:24 GMT OSG_DanCisco 2019-03-12T01:19:24Z https://community.cisco.com/t5/network-security/asa5510-backup-isp-interface-does-not-failback/m-p/2173259#M359514 <P><BR />Cisco ASA 5510 ASA 8.2(5)<BR />Set up the backup ISP per <BR /><A href="http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/produ" target="_blank">http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtml</A></P><P>Basically vanilla configuration</P><P>The SLA Target is the DG of the Primary Outside Interface - <BR />The interface will fall over to backup ISP (a DHCP interface). We have seen this occur when APPLYing a change via Cisco ASDM as well as 'planned' cutovers). <BR />The issue is that it does not fall back when the SLA Monitor sees the Target. <BR /><EM>sla monitor operational-state </EM>reflects a <BR /><EM>Latest Operation return code: ok</EM>. </P><P>However the <EM>show route </EM>reflects the backup route. <BR />The way I get it back is by bringing down the backup interface. <BR />I thought the following may be helpful: <BR /><A href="http://www.cisco.com/en/US/products/ps6120/products_tech_no" target="_blank">http://www.cisco.com/en/US/products/ps6120/products_tech_no</A>te09186a0080bc8549.shtml<BR />But this reflects a situation in which the routing table is rebuilt and the original Primary gateway is reinstated. <BR />Again, our route table does not reflect the Primary (until I pull the cable). </P><P>One thing I did notice, now, is that the routing table (with the backup) does not show as a S* but d* (lowercase </P><P>d, not capital D for EIGRP) </P><P>C&nbsp;&nbsp;&nbsp; 192.168.29.0 255.255.255.0 is directly connected, </P><P>inside<BR />C&nbsp;&nbsp;&nbsp; 50.196.236.120 255.255.255.248 is directly connected, </P><P>outside<BR />C&nbsp;&nbsp;&nbsp; 192.168.39.0 255.255.255.0 is directly connected, dmz<BR />C&nbsp;&nbsp;&nbsp; 192.168.1.0 255.255.255.0 is directly connected, </P><P>Backup<BR />d*&nbsp;&nbsp; 0.0.0.0 0.0.0.0 [1/0] via 192.168.1.254, Backup</P><P></P><P>Wondering what would resolve the issue, so the ASA failbacks to the Primary once it is recognized. </P> Tue, 12 Mar 2019 01:19:24 GMT https://community.cisco.com/t5/network-security/asa5510-backup-isp-interface-does-not-failback/m-p/2173259#M359514 OSG_DanCisco 2019-03-12T01:19:24Z https://community.cisco.com/t5/network-security/asa5510-backup-isp-interface-does-not-failback/m-p/2173260#M359517 <HTML><HEAD></HEAD><BODY><P>Mind sharing the sla and interface configuration? The output of the "<STRONG>show route</STRONG>" command will be useful too.</P><P>Also the " <STRONG>sho sla monitor operational-state</STRONG>" output.</P><P></P><P>The "<STRONG>d*</STRONG>" letter you see is used for routes learned via DHCP.</P></BODY></HTML> Fri, 29 Mar 2013 20:24:56 GMT https://community.cisco.com/t5/network-security/asa5510-backup-isp-interface-does-not-failback/m-p/2173260#M359517 jocamare 2013-03-29T20:24:56Z https://community.cisco.com/t5/network-security/asa5510-backup-isp-interface-does-not-failback/m-p/2173261#M359519 <HTML><HEAD></HEAD><BODY><P>Hello Dan,</P><P></P><P>Can you share your show run?</P><P></P><P>I would like to see if you have ip verify enable,</P><P></P><P>Regar<SPAN style="font-size: 10pt;">ds</SPAN></P></BODY></HTML> Fri, 29 Mar 2013 23:09:12 GMT https://community.cisco.com/t5/network-security/asa5510-backup-isp-interface-does-not-failback/m-p/2173261#M359519 Julio Carvajal 2013-03-29T23:09:12Z