cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1804
Views
0
Helpful
5
Replies

ASA Failover

M Rinaldy Aulia
Level 1
Level 1

Hi All,

 

I have a question during my project for ASA High Availability

Here's the topology :

Topology.JPG

 

The Failover already working, but one point was not working .

So if we remove cable from ISP 1 (orange cable / A), the traffic didn't go through ISP 2.

 

But if we shutdown manually connection of ASA - Switch Edge (Orange Cable / Point B) and automatically ASA Secondary Orange Cable will be shutdown due sync.. The traffic will working to ISP 2.

 

We are using 2 IP Route and SLA for the configuration

 

 

route Outside3 0.0.0.0 0.0.0.0 123.231.x.x 1 track 1
route Outside 0.0.0.0 0.0.0.0 202.159.x.x 2

sla monitor 1
 type echo protocol ipIcmpEcho 123.231.x.x interface Outside3
sla monitor schedule 1 life forever start-time now

track 1 rtr 1 reachability

 

 

Do you have any idea about this one? What I should to do for troubleshoot?

5 Replies 5

Deepak Kumar
VIP Alumni
VIP Alumni

Hi,

Try to make SLA timeout after some specific timing and packet drop as:

sla monitor 1
 type echo protocol ipIcmpEcho 123.231.x.x interface Outside3
num-packets 3
frequency 3

It will make SLA down after 9 to 12 seconds. 

 

Second Question: Are your both WAN links under the failover monitor? 

Regards,
Deepak Kumar,
Don't forget to vote and accept the solution if this comment will help you!

Hi Deepak,

 

Thank you.

i will confirm again at my customer site, for the timeout.

But As I remember, there’s already a timeout during the SLA.

 

because When I show route on ASA (if the cable from ISP1 - Switch Edge removed), route 0.0.0.0 0.0.0.0 already via ISP 2. And ASA can ping to internet

But from the user, we still can’t ping internet.

 

So we need to shutdown first Interface from ASA - Switch Edge (Traffic to ISP1)

 

No i didnt put monitor on interface WAN.

And the interface to ISP 1 and 2 doesnt have a standby IP, since availability

Hi,

As you said that you can ping the Internet via ISP2 but no internet on the client system then I am assuming some more testing as:

1. Is DNS working during this downtime?

2. Is Xlate table issue?

3. Is the system failover happening after disconnecting the cable?

4. Is routing table updating (as you can ping the internet using ISP2 so I don't think routing table issue? This may be due to SLA & tracker.

 

Could you check the above things and share running configuration with logs.

Regards,
Deepak Kumar,
Don't forget to vote and accept the solution if this comment will help you!

Hi Deepak,

 

1. Is DNS working during this downtime? I assuming the DNS working, but user no internet connection during ISP 1 Fail (without shutdown the interface). I only can ping the internet from ASA

2. Is Xlate table issue? I'm not yet touching this area.

3. Is the system failover happening after disconnecting the cable? No, failover not happening.

4. Is routing table updating (as you can ping the internet using ISP2 so I don't think routing table issue? This may be due to SLA & tracker // Yes, it's updating the 0.0.0.0 0.0.0.0 to ISP2 

 

Could you check the above things and share running configuration with logs.

Hi Deepak,

 

Attached the show run configuration

Review Cisco Networking for a $25 gift card