Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2886
Views
1
Helpful
6
Replies

ASA 5505 Dual WAN - Ping inactive wan from outside?

Go to solution
Dustin Barnett
Level 1
Level 1

‎02-20-2014 11:51 AM - edited ‎03-11-2019 08:48 PM

I currently have some small branch offices using ASA 5505 with Security Plus license and dual wan connections. They are configured wil an sla monitor so if the primary WAN goes down the secondary connection becomes active. This works as expected, however...

I can't ping the non-active interface from an outside source. I beleive this is by design or due to some limitation on the 5505. The problem is that I don't know if the backup WAN connection is functioning normally without forcing the ASA to make it active. We use a flaky wireless connection for the backups. The problem recently bit me because both WAN connections were offline.

I'm looking for an easy way to monitor the inactive wan interface, preferably by pinging from an outside location. Is this possible?

1 person had this problem
Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
lcambron
Level 3
Level 3

‎02-24-2014 06:05 PM

Hello,

This wont work because the ASA receives the ping on the backup link but has the default route pointing to the outside.

You would have to add a more spefic route for your IP.

Example:

If you want to ping coming from IP 1.1.1.1

route outside 0 0 x.x.1.1 1 track 1

route backup 0 0 x.x.2.2 250

route backup 1.1.1.1 255.255.255.255 x.x.2.2

Regards,

Felipe.

Remember to rate useful posts.

View solution in original post

6 Replies 6

Go to solution
Dustin Barnett
Level 1
Level 1

‎02-24-2014 12:00 PM

No activity... Is there a better area to post this question?

0 Helpful

Go to solution
Dustin Barnett
Level 1
Level 1
In response to Dustin Barnett

‎02-28-2014 11:57 AM

Thanks, this is exactly what I needed! I didn't realize it was a routing issue.

0 Helpful

Go to solution
lcambron
Level 3
Level 3

‎02-24-2014 06:05 PM

Hello,

This wont work because the ASA receives the ping on the backup link but has the default route pointing to the outside.

You would have to add a more spefic route for your IP.

Example:

If you want to ping coming from IP 1.1.1.1

route outside 0 0 x.x.1.1 1 track 1

route backup 0 0 x.x.2.2 250

route backup 1.1.1.1 255.255.255.255 x.x.2.2

Regards,

Felipe.

Remember to rate useful posts.

Go to solution
Samath Sot
Level 1
Level 1
In response to lcambron

‎08-23-2017 08:46 AM

Hello,
is it possible to make it ping reachable to both interface. ? when we change route , other interface not alternatly can not ping.
Thanks

0 Helpful

Go to solution
Pedro Vieira
Level 1
Level 1
In response to lcambron

‎09-14-2017 02:21 PM

Hi!

 

I'm having the same problem with my network. Please, give me a light here.

 

I have dual ISP and I want to monitor my backup interface, that has the ip address of 192.168.1.0.

 

My routes are like this

 

NET 0 0 192.168.0.1 1 track 1

VIVO 0 0 192.168.1.1 254

 

my inside network is 192.168.50.0

 

I want to monitor the backup interface while it's in standby, is it possible?

 

I've tryied to apply some routing configurations, but without success.

 

Could someone here help me with this?

Thanks

0 Helpful

Go to solution
lcambron
Level 3
Level 3

‎02-24-2014 06:45 PM

Hello,

Also be aware of CSCsy89178, telnet and ssh work to the backup but icmp doesnt.

Regards,

Felipe.

Remember to rate useful posts.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card