So, the other day ISP Router 1 lost it's connection to the Internet. Turns out that the problem was a faulty fiber in the station which we didn't know at the time. The backup router, ISP Router 2, kicked in but ASA1 was unaware since it's outside interface was still connected and up. I've spoken to the ISP but they say they can't automate a shutdown of the interface connected to the firewall if the fiber link goes down.
My question is if there is any other way to extend the failover function to also test if the HSRP address is reachable?
So having the ASA use IP SLA to track an upstream IP for connectivity is one way of doing it, you could then inject a default route with the DG specifically of router 2.
This is really a problem for your ISP to solve, I would think that in your contract they are providing you a failover service hence the 2 routers and HSRP.....
Are the ISP routers running BGP??? running BGP between the routers would provide the physical failover required.
Thanks for you reply Andrew.
I was pondering IP SLA. For the sake of the argument let's say router 1 has IP x.x.x.1, router 2 x.x.x.2 and HSRP has x.x.x.3. From ASA1 I can ping primary router on x.x.x.1 and x.x.x.3 as that is the active one. When it failed the HSRP adress naturally wasn't accessible as router 2 had taken over. I cannot ping router 2 on x.x.x.2 from the primary ASA so I assume that means IP SLA won't do. What I would've liked was if the ASA failover function could ping the HSRP adress and then do failover based on wheter the HSRP adress was reachable or not.
I have no idea if they are running BGP. I need to check that with them. They proivde both internet access and MPLS through the same routers and the MPLS is the reason we have the failover router. The MPLS failover worked which was the most important but it would be nice if failover worked on the firewalls as well.
stumbled upon this..
you could actually use eem on the router and create an applet with specific commands to shut the interface of the router which connects to the asa..