Thanks, so the IP SLA will monitor if the standby route is available for this policy based route and if not revert to the using the primary router?

Hi,

Do you have an example of the route map and does it go on the inside or outside interface?

Thanks so much for your reply as I'm almost ready.

Can you just proof  read this before I apply. I want to just test this against my laptop IP first before applying to a subnet:

This public IPs are slightly different and now I'm in the office I have been able to check what they end in.

ASA interfaces are:

interface GigabitEthernet1/1
nameif outside
security-level 0
ip address x.x.x.66 255.255.255.224 standby x.x.x.67
ospf cost 10
!
interface GigabitEthernet1/2
nameif inside
security-level 100
ip address 172.x.10.1 255.255.255.0 standby 172.x.10.2
ospf cost 10

ISP routers
Standby Router x.x.x.75
Primary Router x.x.x.74
HSRP x.x.x.65

172.x.140.37 is me

IP SLA

This is to track the standby router is reachable.

sla monitor 1
type echo protocol ipIcmpEcho x.x.x.75 interface outside
num-packets
timeout
frequency
sla monitor schedule 1 life forever start-time now
track 1 rtr 1 reachability

ACL

This it the ACL the policy will only look at and is for my workstation and on tcp/80 and tcp/443 traffic only

access-list interesting_traffic extended permit tcp host 172.x.140.37 any eq http
access-list interesting_traffic extended permit tcp host 172.x.140.37 any eq https

Route Map

This route map will work only if the traffic is matching the ACLs called 'interesting_traffic' and if so set the next hop to the standby router of x.x.x.75, but only if it's reachable (track 1) and if it is not then it will fall back to x.x.x.65 which is the HSRP virtual IP of the 2 ISP routers.

route-map ISP1 permit 10
match ip address interesting_traffic
set ip next-hop verify-availability x.x.x.75 1 track 1
set ip next-hop x.x.x.65

Apply to interface

The above will only work once applied and to do this it has to be applied to the 'inside' interface and not the 'outside'

interface Gig1/2
policy-route route-map ISP1

Funny you say that I am using GNS3 for this.  Will let you know how it goes.

I use GNS3 all the time, best tool ever, especially for my exams etc.

This is what I will do, however I'm not sure if I should add a NAT and connect to my real work subnet, or somehow put a simple device beyond the ISP routers to test the policy?

Hello,

You could just place a router with loopback interface to simulate the Internet Address (E.g. 8.8.8.8). For example:

Oh and what useful show commands can I use to check the policy is working?

I guess I can also capture traffic on one of the links to the routers and watch in wireshark.

GNS3 is all running and the pings are hitting the remote device, but still taking the active HSRP path.

The route map is up too.

Had to reboot GNS3 and ping around to get things working.

If I ping from the PC on the inside I see it route via the active HSRP .74 IP and not .75.  What I do is run Wireshark on the link.

Because the remote device in GNS3 is a vPCS I have used this ACL, maybe it's not recognised?

access-list aw_interesting_traffic extended permit icmp host 172.x.x.37 any echo
access-list aw_interesting_traffic extended permit icmp host 172.x.x.37 any echo-reply