We recently put in a secondary internet connection across the state. I have the primary connection coming into our main office. Both connections come into ASAs that are set up in a failover pair.
Topology Between Connections
Primary ISP > 4500x > ASA Via VRF > Back to 4500x > | Layer 2 ISP link to second site | > 2960x > Secondary ASA > Secondary ISP
Secondary ISP uses a different set of external IP addresses. Failover is connected via port 4 on each ASA across the network on VLAN 2. The ASAs see each other and are passing configurations between each other. Here is what I am missing - Primary ISP comes in on g0/0 on primary ASA. Secondary ISP comes in on g0/5 on the secondary ASA. I have an SLA and tracking on the primary static route, but when the primary ISP link goes down, I cannot get traffic to flow to the secondary ISP. My thought process was when the main link on the primary ASA goes down, it would go into failover, making the standby active. Because the backup ISP is the only link that is up on that ASA, it would take over, but that is obviously not the case.
I can post configs if necessary, but I am really just looking for the theory behind what I am missing! As always thank you to everyone out there!
There are several things in your post that are not clear to me. Am I correct in understanding that you have a pair of ASA configured for traditional active/standby failover pair? Are the ASAs operating in single context mode or in multi context mode? In this case to get traffic to flow to the standby ASA (to be sent to ISP2) there needs to be a failover event on the primary ASA.
I am also not clear about SLA and tracking on the primary static route. What is SLA monitoring? If SLA detects a failure does anything else happen other than withdrawal of the primary static route?
Yes, they are in a traditional A/S setup. I believe single context, but I am not sure. I never explicitly set up multi, so I have to assume (I am not familiar with this, honestly). I reached out to TAC and they are claiming that it is not possible because the standby is considered failed, as it does not have an "UP" interface for ISP1. They said it has to be exactly the same, including any additional interfaces. This means I am going to have to rethink this - thank you for the help though.
Thanks for the update. I have been thinking about how it could work to have a traditional active/standby pair but have different addresses for the outside. I am glad to know that TAC believes that this would not work. Let us know as your thinking about this progresses. It seems to me that one option would be to use the 2 ASAs not as a failover pair but as 2 stand-alone firewalls. Each ASA would connect to an ISP and you could use some routing protocol to direct traffic to one or to the other ASA.
The configuration you describe would not be supported. As noted by Rick and TAC, the configurations must be the same on both ASAs.
You could possibly hack together a way to make it work with something like a "dummy" SVI on an upstream switch at each site - put in a fake duplicate of the ISP2 address at site 1 and vice versa at site 2. Combine that with IP SLA tracking so that you look for an Internet-based resource and thus never actually use the fake path on either side. That would be ugly, though, and I definitely would NOT recommend it for production use.
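For readers following the thread, the following is an added illustration (not configuration posted by anyone in this thread) of what "an SLA and tracking on the primary static route" looks like on an ASA, and of why it does not help when the only backup interface lives on the other unit of an active/standby pair. All addresses, interface names and object numbers are placeholders; the primary ISP is on GigabitEthernet0/0 and the backup ISP on GigabitEthernet0/5 as described above.

```cisco
! Placeholder interfaces (names and addresses are assumed, not from the thread)
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.10 255.255.255.0
!
interface GigabitEthernet0/5
 nameif backup
 security-level 0
 ip address 198.51.100.10 255.255.255.0
!
! IP SLA: ping an Internet-based target through the primary ISP every 10 s.
! Target 203.0.113.1 is a placeholder; use a host that should always answer,
! not the ISP next hop alone, so a silent upstream outage is also detected.
sla monitor 10
 type echo protocol ipIcmpEcho 203.0.113.1 interface outside
 num-packets 3
 frequency 10
sla monitor schedule 10 life forever start-time now
!
! Tie a track object to the SLA probe's reachability state
track 1 rtr 10 reachability
!
! Primary default route is installed only while track 1 is up (metric 1)
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1 track 1
!
! Floating default route through the backup ISP takes over when the primary
! route is withdrawn (higher metric, so it is inactive while track 1 is up)
route backup 0.0.0.0 0.0.0.0 198.51.100.1 254
!
! In a failover pair this whole configuration is replicated to the standby.
! The standby's GigabitEthernet0/0 has no ISP1 link at the second site, so
! that interface is down and the unit is reported as failed; the active unit's
! GigabitEthernet0/5 has no ISP2 link either, so when track 1 goes down the
! floating route points at a next hop the active unit cannot reach. This is
! the behaviour TAC described: the tracked route only helps when the active
! unit itself has a usable path to the backup next hop.
```

Verify the tracking state with `show track 1` and `show sla monitor operational-state 10`, and the routing result with `show route`; `show failover` shows which unit is active and whether the standby is reported as failed because of a down monitored interface.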