topic Re: Adding tracking to default route kills internet in redundant ISP setup in Network Security

Adding tracking to default route kills internet in redundant ISP setup

tim829 — Fri, 21 Feb 2020 17:46:20 GMT

I followed this guide about 6 months ago for configuring our ASA with a redundant backup ISP.

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/118962-configure-asa-00.html

At the time it worked great and I didn't have any issues. Now I'm trying to follow the same guide on a new Firewall and I can't get it to work! Whenever I add the tracking to the default route it kills all internet access. As soon as I remove the tracking from the route the Internet comes back up. The IP address I'm using in the tracking is 4.2.2.2 and I can ping it fine so I'm not sure why it's disabling the route as soon as I apply that change.

Thanks

Re: Adding tracking to default route kills internet in redundant ISP setup

Rob Ingram — Tue, 17 Dec 2019 21:25:27 GMT

Hi,
Please post your configuration (sla monitor, track, routes etc). Provide the output of "show sla monitor operational-state" and "show track 1"

Re: Adding tracking to default route kills internet in redundant ISP setup

balaji.bandi — Tue, 17 Dec 2019 21:25:41 GMT

Can you post the configuration and your IP SLA output to look at what is wrong?

what is the cause of failure ? not reachable destination?

May be I was thinking do you have ping allowed to the destination, but default FW is denies everything?

Re: Adding tracking to default route kills internet in redundant ISP setup

tim829 — Tue, 17 Dec 2019 21:35:21 GMT

Pretty much I just setup a ping going to 8.8.8.8 and as soon as I apply the tracker to the default internet route it kills the ping. Ping comes back up immediately after removing the tracker from the route.

config:
route outside 0.0.0.0 0.0.0.0 165.166.210.129 99 track 1
route backup 0.0.0.0 0.0.0.0 206.74.234.1 254

track 1 rtr 123 reachability

sla monitor 123
 type echo protocol ipIcmpEcho 4.2.2.2 interface outside
sla monitor schedule 123 life forever start-time now

outputs:
asa# show track 1
Track 1
  Response Time Reporter 123 reachability
  Reachability is Down
  1 change, last change 00:00:39
  Latest operation return code: Timeout
  Tracked by:
    STATIC-IP-ROUTING 0

asa# show sla monitor operational-state
Entry number: 123
Modification time: 16:30:48.136 EST Tue Dec 17 2019
Number of Octets Used by this Entry: 2056
Number of operations attempted: 1
Number of operations skipped: 0
Current seconds left in Life: Forever
Operational state of entry: Active
Last time this entry was reset: Never
Connection loss occurred: FALSE
Timeout occurred: TRUE
Over thresholds occurred: FALSE
Latest RTT (milliseconds): NoConnection/Busy/Timeout
Latest operation start time: 16:30:48.137 EST Tue Dec 17 2019
Latest operation return code: Timeout
RTT Values:
RTTAvg: 0       RTTMin: 0       RTTMax: 0
NumOfRTT: 0     RTTSum: 0       RTTSum2: 0

Re: Adding tracking to default route kills internet in redundant ISP setup

Rob Ingram — Tue, 17 Dec 2019 21:39:01 GMT

Add "threshold 1" and "frequency 5" to your sla and try again.

Re: Adding tracking to default route kills internet in redundant ISP setup

tim829 — Tue, 17 Dec 2019 21:47:09 GMT

Update config:

asa# sh ru sla monitor
sla monitor 123
 type echo protocol ipIcmpEcho 4.2.2.2 interface outside
 num-packets 3
 threshold 1
 frequency 5
sla monitor schedule 123 life forever start-time now

Still nothing. I feel like it's something other than the actual sla config, makes no since that it immediately goes down after applying the tracker then immediately comes back up after removing it.

Re: Adding tracking to default route kills internet in redundant ISP setup

balaji.bandi — Tue, 17 Dec 2019 21:57:23 GMT

Other question is, is this single ASA or Active/Standby?

what is the version of code running on this ASA?

Re: Adding tracking to default route kills internet in redundant ISP setup

tim829 — Tue, 17 Dec 2019 21:58:44 GMT

Single ASA

ASA Version: 9.8(4)

Thanks

Re: Adding tracking to default route kills internet in redundant ISP setup

Rob Ingram — Tue, 17 Dec 2019 22:22:48 GMT

Are you restricting icmp to the ASA with the command "icmp deny....... outside"? This could filter the icmp responses and cause the track to drop instantly.

Re: Adding tracking to default route kills internet in redundant ISP setup

tim829 — Wed, 18 Dec 2019 01:49:43 GMT

I think that’s exactly what’s happening! On the previous firewall I allowed pinging from the outside and it worked fine! How can I just allow pinging (the responses) from 4.2.2.2 while blocking everything else?

Thanks!