topic ASA, tracking, failover in Network Security

ASA, tracking, failover

scott.bridges — Mon, 11 Mar 2019 17:52:11 GMT

Hello,

I'm having a problem when I put in the tracking option on my default route, I lose connection all together.

I have a T1 (outside) used as primary connection, and a DSL line (backup) plugged in for a failover.

This is an ASA with the Security Plus package, so the failover option should be working.

route outside 0.0.0.0 0.0.0.0 1.2.3.1 1

route backup 0.0.0.0 0.0.0.0 7.8.9.1 254

These are my routes. When I try to put:

route outside 0.0.0.0 0.0.0.0 1.2.3.1 1 track 1

I completely lose connection. I've even tried "write mem" and "reload" hoping to bring up the connection.

Here is the config that pertains to the routes:

interface Vlan1

nameif inside

security-level 100

ip address 192.168.1.253 255.255.255.0

interface Vlan2

nameif outside

security-level 0

ip address 1.2.3.2 255.255.255.248

interface Vlan3

nameif backup

security-level 0

ip address 7.8.9.2 255.255.255.0

route outside 0.0.0.0 0.0.0.0 1.2.3.1 1

route backup 0.0.0.0 0.0.0.0 7.8.9.1 254

sla monitor 666

type echo protocol ipIcmpEcho 1.2.3.4 interface outside

num-packets 3

frequency 10

track 1 rtr 666 reachability

I haven't put in

sla monitor schedule 666 life forever start-time now

Yet because I want to make sure the default route works. My understanding is that just adding in "track 1" to the end of the route doesn't do anything until I activate the timer with the "sla monitor" line.

Any ideas as to which part of this feature I have wrong?

Re: ASA, tracking, failover

Kelvin Willacey — Fri, 28 May 2010 17:37:22 GMT

Have you verified if the track statement is up with "sh sla monitor operational-state"? Have you configured the global statement for the backup link?

Becasue if for whatever reason the track fails then the backup should take over as in your case. So verify those two things.

Re: ASA, tracking, failover

Panos Kampanakis — Sat, 29 May 2010 00:42:43 GMT

I would suggest following http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtml#cli

The config will look like

---------------

route outside 0.0.0.0 0.0.0.0 1 track 1
route backup 0.0.0.0 0.0.0.0 254

sla monitor 123
type echo protocol ipIcmpEcho interface outside
num-packets 3
frequency 10

sla monitor schedule 123 life forever start-time now

track 1 rtr 123 reachability

---------------

I hope it helps.

Re: ASA, tracking, failover

scott.bridges — Fri, 11 Jun 2010 05:28:13 GMT

Thanks guys and sorry for the delay.

I didn't know about the show operational state command, which lead me to see that the ICMP was timing out.

I then just started from scratch, changed the instance to the example "123" exactly how it was in the post, and changed the test IP to the T1 lines' DNS server.

All worked after that point.

Thanks again. I was thinking I could change the "123", which I probably can, but I'll just keep it at default.