topic Re: ASA default route with tracking in Network Security

ASA default route with tracking

jlmickens — Fri, 21 Feb 2020 12:13:11 GMT

I'm working with a VPN link as a backup scenario in my lab. (See here for details.) I've got just about everything working. When the main link drops, the traffic reroutes to the VPN over the ASA and everything works great. The one last issue I'm having now is that I can't access the ASA directly from the HQ side. I need to be able to access these devices once they are in the field.

I believe this is due to the default route being the outside interface. When the main link is up and working, the traffic would have to route to the inside interface instead of the outside. As such, I'm trying to set up a default route with a monitor. The IP address I'm monitoring would only be accessible when the main link is up, via the inside interface (10.99.0.101 in the diagram above). When I try to add the monitored default route, I get:

(config)# route inside 0 0 10.107.0.1 track 101
ERROR: Cannot add route entry, conflict with existing routes

According to the documentation, this should be doable. I should be able to have up to three default routes. The only other default route is out the outside interface and is obtained via DHCP. A show route reveals:

C    24.53.128.0 255.255.224.0 is directly connected, outside
S    10.107.0.0 255.255.0.0 [1/0] via 10.107.0.1, inside
C    10.107.0.0 255.255.255.0 is directly connected, inside
S    10.99.0.0 255.255.255.0 [1/0] via 10.107.0.1, inside
d*   0.0.0.0 0.0.0.0 [1/0] via 24.53.128.1, outside

How can I get this set up so that the default route is inside when 10.99.0.101 is available and outside when it is not?

(ASA 5505 v8.3(2))

Re: ASA default route with tracking

cheungwaitim — Fri, 14 Jan 2011 03:27:58 GMT

Hi,

Take a look attached link, you can try add route accordingly.

http://www.cisco.com/en/US/partner/products/hw/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtml

Tim

Re: ASA default route with tracking

jlmickens — Fri, 14 Jan 2011 13:26:45 GMT

I don't have access to that link.

Re: ASA default route with tracking

Panos Kampanakis — Fri, 14 Jan 2011 19:09:47 GMT

That is interesting.

If you track an outside ip address it all works right?

Can you open a case for this, we might need to fix it.

Re: ASA default route with tracking

jlmickens — Fri, 14 Jan 2011 21:11:32 GMT

I haven't tried tracking an outside ip address. I don't even set the default route in the config - it is set to obtain it from the DCHP server on the outside interface. I suppose I could try it on the outside interface as well.

The track commands themselves work fine as far as defining the ip to track, etc. I can see the connections being made for the pings to the ip address. It's just when I try to add the route that it fails.

I will probably not have time to mess with this until Monday.

Re: ASA default route with tracking

jlmickens — Tue, 18 Jan 2011 15:28:04 GMT

In trying to add a tracked route to the outside, it worked. By default, the metric is 128 when you add it like that. That got me to thinking - I was trying to add it with a metric of 1, so I checked the DCHP settings, and it was also set to a metric of 1. So, even though the documentation says you can have up to three default routes, apparently the key is that they can not have the same metric. Once I changed the metric of the DHCP default route to 10, I was able to add the inside default route with tracking at a metric of 1.

Re: ASA default route with tracking

Panos Kampanakis — Tue, 18 Jan 2011 15:33:00 GMT

Thank you for updating the community.