Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1805
Views
0
Helpful
3
Replies

ASA Failover, tracking on IP

dan.sellberg
Level 1
Level 1

‎09-02-2011 12:42 AM - edited ‎03-11-2019 02:20 PM

failover.png

So, the other day ISP Router 1 lost it's connection to the Internet. Turns out that the problem was a faulty fiber in the station which we didn't know at the time. The backup router, ISP Router 2, kicked in but ASA1 was unaware since it's outside interface was still connected and up. I've spoken to the ISP but they say they can't automate a shutdown of the interface connected to the firewall if the fiber link goes down.

My question is if there is any other way to extend the failover function to also test if the HSRP address is reachable?

1 person had this problem
Labels:
0 Helpful
3 Replies 3

andrew.prince
Level 10
Level 10

‎09-02-2011 04:34 AM

Dan,

So having the ASA use IP SLA to track an upstream IP for connectivity is one way of doing it, you could then inject a default route with the DG specifically of router 2.

This is really a problem for your ISP to solve, I would think that in your contract they are providing you a failover service hence the 2 routers and HSRP.....

Are the ISP routers running BGP??? running BGP between the routers would provide the physical failover required.

0 Helpful

dan.sellberg
Level 1
Level 1
In response to andrew.prince

‎09-02-2011 04:47 AM

Thanks for you reply Andrew.

I was pondering IP SLA. For the sake of the argument let's say router 1 has IP x.x.x.1, router 2 x.x.x.2 and HSRP has x.x.x.3. From ASA1 I can ping primary router on x.x.x.1 and x.x.x.3 as that is the active one. When it failed the HSRP adress naturally wasn't accessible as router 2 had taken over. I cannot ping router 2 on x.x.x.2 from the primary ASA so I assume that means IP SLA won't do. What I would've liked was if the ASA failover function could ping the HSRP adress and then do failover based on wheter the HSRP adress was reachable or not.

I have no idea if they are running BGP. I need to check that with them. They proivde both internet access and MPLS through the same routers and the MPLS is the reason we have the failover router. The MPLS failover worked which was the most important but it would be nice if failover worked on the firewalls as well.

0 Helpful

mikull.kiznozki
Level 1
Level 1
In response to dan.sellberg

‎09-10-2012 10:24 PM

stumbled upon this..

you could actually use eem on the router and create an applet with specific commands to shut the interface of the router which connects to the asa..

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card