Active/Standby Main ISP failover FAILED

KyleHB
Level 1

Hi Experts,

 

I would like your help regarding my issue on my Active/Standby configuration on my ASA.

 

Here is my topology and configuration below to better understand:

 

(attached image: active_standby.PNG)

 

ACTIVE ASA CONFIG

failover lan unit primary
failover lan interface FAILOVER gi0/3
failover interface ip FAILOVER 10.10.10.1 255.255.255.0 standby 10.10.10.2
failover key test.com
failover

failover link STATE gi0/4
failover interface ip STATE 20.20.20.1 255.255.255.0 standby 20.20.20.2

interface g0/0
channel-group 1 mode on
no nameif
no security-level

interface g0/1
nameif ISP1
security-level 0
ip address 1.1.1.2 255.255.255.0

interface g0/2
nameif ISP2
security-level 0
ip address 2.2.2.1 255.255.255.0

interface port-channel 10
max lacp-bundle 8
nameif inside
security-level 100
ip address 192.168.0.1 255.255.255.0 standby 192.168.0.2

route ISP1 0.0.0.0 0.0.0.0 1.1.1.1 1
route ISP2 0.0.0.0 0.0.0.0 2.2.2.2 10

STANDBY ASA CONFIG

failover lan unit secondary
failover lan interface FAILOVER gi0/3
failover interface ip FAILOVER 10.10.10.1 255.255.255.0 standby 10.10.10.2
failover key test.com
failover

My issue is that when I shut down my INSIDE interface going to the STANDBY ASA and my OUTSIDE LINK going to ISP 1 from my ACTIVE ASA, my inside link no longer has access to the internet. When I am on the L3 switch and try to ping the ASA IP (192.168.0.1), I am no longer able to ping it.

I expect that since the main ISP, which is ISP 1 on the STANDBY ASA, is still active, the traffic should go there. However, it does not. It does not even go to the backup ISP, which is ISP 2 on my ACTIVE ASA.

But if I do it vice versa (shut down the INSIDE link going to the ACTIVE ASA and the OUTSIDE link from my STANDBY ASA going to ISP 1), it works. The traffic is still passing through ISP 1.

 

Here is an example:

 

(attached image: active_standby_fail.PNG)

 

 Thanks in advance!

 

Kyle

1 Reply

Francesco Molino
VIP Alumni

Hi

 

Based on my understanding, ISP 1 is your primary ISP and ISP 2 your secondary.

First of all, I would configure tracking on your primary default route, which will trigger the secondary default route being installed in your ASA RIB if your tracking is down. You can use whatever IP on the internet, like Google DNS.

Then ensure which interface you're monitoring and whether you configured the monitor interface-policy feature. You don't want to fail over to the secondary unit if only ISP1 goes down.

Now, on your scenario, can you confirm which ASA is the active one when shutting down ISP1?

If a failover occurs when ISP 1 is down and you shut the inside interface on ASA 2, traffic won't go through ASA 1 to come back to ASA 2.

 


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
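The route tracking and interface monitoring Francesco describes, as an added example (not part of either post) that reuses the interface names and addresses from Kyle's config; the probe target 8.8.8.8, the SLA and track ids, and the standby addresses on the ISP interfaces are assumptions:

```cisco
! Added example, not Kyle's posted config or Francesco's own commands.
! Assumptions: probe target 8.8.8.8, SLA id 1, track id 1, and the
! standby addresses 1.1.1.3 / 2.2.2.3 on the ISP interfaces.
!
! 1. Probe the primary ISP through ISP1 every 10 seconds.
sla monitor 1
 type echo protocol ipIcmpEcho 8.8.8.8 interface ISP1
 num-packets 3
 frequency 10
sla monitor schedule 1 life forever start-time now
!
! 2. Track reachability of that probe.
track 1 rtr 1 reachability
!
! 3. Tie the primary default route to the track. When the probe fails,
!    this route is withdrawn and the metric-10 route via ISP2 is used.
route ISP1 0.0.0.0 0.0.0.0 1.1.1.1 1 track 1
route ISP2 0.0.0.0 0.0.0.0 2.2.2.2 10
!
! 4. Interface monitoring. A monitored interface needs a standby address
!    so the peer can run its interface tests; Kyle's ISP1/ISP2 lines have
!    none, so the values below are assumed.
interface g0/1
 ip address 1.1.1.2 255.255.255.0 standby 1.1.1.3
interface g0/2
 ip address 2.2.2.1 255.255.255.0 standby 2.2.2.3
!
! Only a failure on the inside side should trigger a unit failover;
! losing ISP1 alone is handled by the tracked route above.
monitor-interface inside
no monitor-interface ISP1
no monitor-interface ISP2
failover interface-policy 1
!
! Verification after applying:
!   show sla monitor operational-state 1
!   show track 1
!   show route
!   show failover
```

In an active/standby pair only the active unit forwards traffic, so the standby unit's ISP1 link is never used while that unit is standby; the tracked route moves traffic to ISP2 on the active unit instead.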