
ASA has to be failed over when primary ISP goes down.

THOMAS SANDOVAL
Level 1

I have an outside 7206 router that is configured with BGP. Behind that I have an ASA 5520 with a failover. Every time my primary ISP goes down I have to fail over the ASA to re-establish a connection to the secondary ISP. When the primary comes back online I have to fail it over again. I have had Cisco TAC look at the ASA and they didn't see anything misconfigured on the ASA. There doesn't seem to be any problem with the router config either. Any ideas on what could be causing this?

11 Replies

palomoj
Level 1

It's hard to tell without seeing a diagram and configs from the ASA and router. My guess is you need to run OSPF or EIGRP between the ASA and router, advertise a default route from the router to the ASA for ISP1 and then have a backup default route on the ASA for ISP2. The other, less preferred, method is using tracking on the ASA for ISP1 and ISP2. Again, without seeing the diagram and configs it's hard to tell.

cpembleton
Level 4

Not exactly how failover works. Failover happens when there is an issue with the other ASA, not with a path across the network. Even with route tracking or a routing protocol the ASA will not fail over; that is just for route selection. Now, if the primary router failed it would cause the ASA interface to fail and a failover to the standby ASA to occur.

Your 2 routers and 2 ASAs need to be layer 2 attached to each other. Then use route tracking or a dynamic routing protocol. The ASA will not fail over but will be able to use the alternate path when the primary fails.

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/ha_overview.html#wp1079010

hth

Chad

Sent from Cisco Technical Support iPad App

I understand how the ASA hardware failover works =) thx

My very sentence is exactly how I approach every question posted here: you never know how you are going to interpret the question(s) upon reading them, and you never know if the customer is going to state the problem(s) in a manner that doesn't require configuration snippets and/or a diagram.

After my first glance (I obviously glazed over the fact there was a pair of ASAs), I read it as if it were a problem with failing over to the ISP2 circuit. But in any case, without having a diagram and configs, nothing is certain! Configs and an accurate diagram tell it all.

You mentioned a primary router, but he only mentions *a* 7206 router (same mistake I made?? misread/misinterpreted?? who knows until we have the right info).

Thanks for your responses. Sorry, I'm new to this. Here are the configs and a simple pic of the primary ASA and router the way they are deployed. I've been dealing with this issue for a while. Hoping to get some help here.

7206 router:

show runn
Building configuration...

Current configuration : 4678 bytes
!
version 12.3
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname lee-border
!
boot-start-marker
boot-end-marker
!
enable secret 5 **********************
!
no aaa new-model
ip subnet-zero
!
!
ip cef
ip name-server 206.77.62.152
!
!
!
!
interface FastEthernet0/0
no ip address
shutdown
duplex half
!
interface GigabitEthernet0/1
description Univ. of Texas OTS for ISP and Inet2
no ip address
duplex full
speed 100
media-type rj45
negotiation auto
!
interface GigabitEthernet0/1.7
description Internet2 Access
encapsulation dot1Q 7
ip address 192.88.12.238 255.255.255.252
!
interface GigabitEthernet0/1.16
description THENet-Access
encapsulation dot1Q 16
ip address 207.80.110.134 255.255.255.252
!
interface GigabitEthernet0/1.743
description UT OTS TX-BB Peering
encapsulation dot1Q 743
ip address 192.124.228.114 255.255.255.252
!
interface GigabitEthernet0/2
description Phonoscope ISP Service
ip address 66.60.235.146 255.255.255.248
duplex full
speed 100
media-type rj45
negotiation auto
!
interface GigabitEthernet0/3
description Lee College Internal LANs
ip address 68.232.208.241 255.255.255.240 secondary
ip address 68.232.208.1 255.255.255.248
duplex full
speed auto
media-type rj45
negotiation auto
!
interface ATM1/0
no ip address
shutdown
no ima-group
no atm ilmi-keepalive
!
interface ATM1/1
no ip address
shutdown
no ima-group
no atm ilmi-keepalive
!
interface ATM1/2
no ip address
shutdown
no ima-group
no atm ilmi-keepalive
!
interface ATM1/3
no ip address
shutdown
no ima-group
no atm ilmi-keepalive
!
interface ATM1/4
no ip address
shutdown
no ima-group
no atm ilmi-keepalive
!
interface ATM1/5
no ip address
shutdown
no ima-group
no atm ilmi-keepalive
!
interface ATM1/6
no ip address
shutdown
no ima-group
no atm ilmi-keepalive
!
interface ATM1/7
no ip address
shutdown
no ima-group
no atm ilmi-keepalive
!
interface FastEthernet2/0
no ip address
shutdown
duplex half
!
interface FastEthernet4/0
no ip address
duplex auto
speed auto
!
interface FastEthernet4/1
no ip address
shutdown
duplex auto
speed auto
!
router bgp 46094
no synchronization
bgp log-neighbor-changes
network 68.232.208.0 mask 255.255.240.0
network 198.216.112.0 mask 255.255.252.0
network 207.80.120.0 mask 255.255.252.0
neighbor 66.60.235.145 remote-as 22442
neighbor 66.60.235.145 description Phonoscope
neighbor 66.60.235.145 next-hop-self
neighbor 66.60.235.145 send-community
neighbor 66.60.235.145 version 4
neighbor 66.60.235.145 soft-reconfiguration inbound
neighbor 66.60.235.145 route-map Lee-out out
neighbor 192.88.12.237 remote-as 276
neighbor 192.88.12.237 description Internet2 Peering
neighbor 192.88.12.237 send-community
neighbor 192.88.12.237 version 4
neighbor 192.88.12.237 route-map I2-in in
neighbor 192.88.12.237 route-map Lee-I2-out out
neighbor 192.88.12.237 password 7 132C4546070901
neighbor 192.124.228.113 remote-as 6922
neighbor 192.124.228.113 description UT-Commodity
neighbor 192.124.228.113 send-community
neighbor 192.124.228.113 soft-reconfiguration inbound
neighbor 192.124.228.113 route-map OTS-in in
neighbor 192.124.228.113 route-map OTS-out out
no auto-summary
!
ip default-gateway 192.124.228.113
ip classless
ip route 68.232.208.0 255.255.240.0 Null0 250
ip route 68.232.209.0 255.255.255.0 68.232.208.2
ip route 68.232.211.0 255.255.255.0 68.232.208.2
ip route 68.232.212.0 255.255.252.0 68.232.208.2
ip route 68.232.216.0 255.255.248.0 68.232.208.2
ip route 198.216.112.0 255.255.252.0 Null0 250
ip route 198.216.113.0 255.255.255.0 198.216.115.1
ip route 198.216.114.0 255.255.255.0 198.216.115.1
ip route 207.80.8.0 255.255.255.0 198.216.115.1
ip route 207.80.120.0 255.255.252.0 Null0 250
ip route 207.80.120.0 255.255.255.0 198.216.115.1
ip route 207.80.121.0 255.255.255.0 198.216.115.1
ip route 207.80.122.0 255.255.255.0 198.216.115.1
ip route 207.80.123.0 255.255.255.0 198.216.115.1
no ip http server
!
!
access-list 90 permit 68.232.208.0 0.0.15.255
access-list 90 deny   any
access-list 91 permit 198.216.112.0 0.0.3.255
access-list 91 permit 207.80.112.0 0.0.15.255
access-list 91 deny   any
!
route-map OTS-out permit 10
match ip address 90
!
route-map Lee-out permit 10
match ip address 90
!
route-map I2-in permit 10
set local-preference 200
!
route-map Lee-I2-out permit 10
match ip address 90
!
route-map Lee-I2-out permit 20
match ip address 91
!
route-map OTS-in permit 10
set local-preference 150
!
!
!
!
!
!
!
line con 0
stopbits 1
line aux 0
stopbits 1
line vty 0 4
password 7 *****************
login
!
!
end

ASA (Primary)

logging permit-hostdown
mtu Outside 1500
mtu inside 1500
mtu LeeDMZ 1500
mtu management 1500
failover
failover lan unit secondary
failover lan interface failover GigabitEthernet0/3
failover link failover GigabitEthernet0/3
failover interface ip failover 172.16.1.1 255.255.255.0 standby 172.16.1.2
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any LeeDMZ
asdm image disk0:/asdm-623.bin
no asdm history enable
arp timeout 14400
global (Outside) 1 68.232.211.1-68.232.223.253
global (Outside) 1 interface
global (Outside) 1 68.232.223.254
global (Outside) 2 68.232.209.25
global (LeeDMZ) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0 tcp 16384 12000
nat (LeeDMZ) 2 access-list NAT_NEW_ISA
nat (LeeDMZ) 1 192.168.10.0 255.255.255.0
static (inside,Outside) 68.232.209.10 10.1.200.253 netmask 255.255.255.255
static (inside,LeeDMZ) 10.1.0.0 10.1.0.0 netmask 255.255.0.0
static (inside,LeeDMZ) 192.168.3.0 192.168.3.0 netmask 255.255.255.0
static (inside,Outside) 68.232.209.53 10.1.254.3 netmask 255.255.255.255
static (LeeDMZ,Outside) 68.232.209.5 192.168.10.5 netmask 255.255.255.255
static (LeeDMZ,Outside) 68.232.209.6 192.168.10.6 netmask 255.255.255.255
static (LeeDMZ,Outside) 68.232.209.51 192.168.10.51 netmask 255.255.255.255
static (LeeDMZ,Outside) 68.232.209.37 192.168.10.37 netmask 255.255.255.255
static (LeeDMZ,Outside) 68.232.209.75 192.168.10.75 netmask 255.255.255.255
static (LeeDMZ,Outside) 68.232.209.101 192.168.10.101 netmask 255.255.255.255
static (inside,LeeDMZ) 192.168.2.0 192.168.2.0 netmask 255.255.255.0
static (LeeDMZ,Outside) 68.232.209.102 192.168.10.102 netmask 255.255.255.255
static (LeeDMZ,Outside) 68.232.209.38 192.168.10.38 netmask 255.255.255.255
static (LeeDMZ,Outside) 68.232.209.23 192.168.10.23 netmask 255.255.255.255
static (inside,Outside) 68.232.209.136 10.1.7.37 netmask 255.255.255.255
static (LeeDMZ,Outside) 68.232.209.111 192.168.10.111 netmask 255.255.255.255
static (inside,Outside) 68.232.209.8 10.1.13.8 netmask 255.255.255.255
static (LeeDMZ,Outside) 68.232.209.103 192.168.10.103 netmask 255.255.255.255
static (LeeDMZ,Outside) 68.232.209.92 192.168.10.92 netmask 255.255.255.255
static (inside,Outside) 68.232.209.4 10.1.6.2 netmask 255.255.255.255
static (LeeDMZ,Outside) 68.232.209.219 192.168.10.219 netmask 255.255.255.255
static (LeeDMZ,Outside) 68.232.209.217 192.168.10.217 netmask 255.255.255.255
static (LeeDMZ,Outside) 68.232.209.206 192.168.10.206 netmask 255.255.255.255
static (LeeDMZ,Outside) 68.232.209.234 192.168.10.234 netmask 255.255.255.255
static (LeeDMZ,Outside) 68.232.209.33 192.168.10.33 netmask 255.255.255.255
static (inside,Outside) 68.232.209.246 10.1.1.246 netmask 255.255.255.255
static (LeeDMZ,Outside) 68.232.209.11 192.168.10.11 netmask 255.255.255.255
static (LeeDMZ,Outside) 68.232.209.100 192.168.10.100 netmask 255.255.255.255
static (LeeDMZ,Outside) 68.232.209.120 192.168.10.120 netmask 255.255.255.255
static (LeeDMZ,Outside) 68.232.209.70 192.168.10.70 netmask 255.255.255.255
static (LeeDMZ,Outside) 68.232.209.36 192.168.10.36 netmask 255.255.255.255
static (LeeDMZ,Outside) 68.232.209.50 192.168.10.50 netmask 255.255.255.255
static (LeeDMZ,Outside) 68.232.209.22 192.168.10.22 netmask 255.255.255.255
static (inside,Outside) 68.232.209.121 10.1.1.121 netmask 255.255.255.255
static (LeeDMZ,Outside) 68.232.209.20 192.168.10.20 netmask 255.255.255.255
static (inside,Outside) 68.232.209.203 10.1.55.203 netmask 255.255.255.255
static (LeeDMZ,Outside) 68.232.209.15 192.168.10.15 netmask 255.255.255.255
static (LeeDMZ,Outside) 68.232.209.25 192.168.10.25 netmask 255.255.255.255
static (LeeDMZ,Outside) 68.232.209.55 192.168.10.55 netmask 255.255.255.255
static (LeeDMZ,Outside) 68.232.209.143 192.168.10.143 netmask 255.255.255.255
static (LeeDMZ,Outside) 68.232.209.34 192.168.10.34 netmask 255.255.255.255
access-group out-in in interface Outside
access-group 170 in interface inside
access-group dmz in interface LeeDMZ
route Outside 0.0.0.0 0.0.0.0 68.232.208.1 1
route inside 10.1.0.0 255.255.0.0 10.1.200.1 1
route inside 192.168.2.0 255.255.255.0 10.1.200.254 1
route inside 192.168.3.0 255.255.255.0 10.1.200.254 1
route inside 192.168.5.0 255.255.255.0 10.1.200.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
url-server (inside) vendor websense host 10.1.1.66 timeout 10 protocol TCP version 1 connections 5
aaa authentication ssh console LOCAL
filter url except 10.1.4.4 255.255.255.255 0.0.0.0 0.0.0.0
filter url except 10.1.4.136 255.255.255.255 0.0.0.0 0.0.0.0
filter url except 10.1.4.30 255.255.255.255 0.0.0.0 0.0.0.0
filter url except 0.0.0.0 0.0.0.0 192.168.10.36 255.255.255.255 allow
filter url except 0.0.0.0 0.0.0.0 192.168.10.22 255.255.255.255 allow
filter url except 0.0.0.0 0.0.0.0 192.168.10.100 255.255.255.255 allow
filter url except 0.0.0.0 0.0.0.0 10.1.1.27 255.255.255.255 allow
filter url except 0.0.0.0 0.0.0.0 10.1.1.30 255.255.255.255 allow
filter url except 0.0.0.0 0.0.0.0 10.1.89.2 255.255.255.255 allow
filter url except 0.0.0.0 0.0.0.0 10.1.1.11 255.255.255.255 allow
filter url except 0.0.0.0 0.0.0.0 10.1.1.61 255.255.255.255 allow
filter url except 0.0.0.0 0.0.0.0 10.1.1.7 255.255.255.255 allow
filter url except 0.0.0.0 0.0.0.0 192.168.10.38 255.255.255.255 allow
filter url except 0.0.0.0 0.0.0.0 10.1.89.10 255.255.255.255 allow
filter url except 10.1.56.189 255.255.255.255 0.0.0.0 0.0.0.0
filter url except 10.1.4.15 255.255.255.255 0.0.0.0 0.0.0.0
filter https except 10.1.4.30 255.255.255.255 0.0.0.0 0.0.0.0
filter url except 10.1.1.0 255.255.255.0 0.0.0.0 0.0.0.0
filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow
filter https 443 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow
filter ftp 21 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow
http server enable
http 192.168.1.0 255.255.255.0 management
http 10.1.4.29 255.255.255.255 management
http 10.1.4.30 255.255.255.255 management
http 10.1.4.31 255.255.255.255 management
http 10.1.4.4 255.255.255.255 management
snmp-server host inside 10.1.1.215 community *****
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
service resetoutside
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map Outside_map 1 match address Outside_1_cryptomap
crypto map Outside_map 1 set peer 216.168.57.82
crypto map Outside_map 1 set transform-set ESP-3DES-SHA
crypto map Outside_map interface Outside
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=LEE-ASA
crl configure
crypto ca trustpoint ASDM_Lee
enrollment self
subject-name CN=LEE-ASA
crl configure
crypto isakmp enable Outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 10.1.4.29 255.255.255.255 management
telnet 10.1.4.30 255.255.255.255 management
telnet 10.1.4.31 255.255.255.255 management
telnet 10.1.4.4 255.255.255.255 management
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 LeeDMZ
ssh 0.0.0.0 0.0.0.0 management
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection scanning-threat shun except ip-address 10.1.4.0 255.255.255.0
threat-detection scanning-threat shun duration 3600
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
url-block url-mempool 2500
url-block url-size 4
dynamic-filter updater-client enable
dynamic-filter use-database
dynamic-filter enable interface Outside
dynamic-filter drop blacklist interface Outside
dynamic-filter whitelist
address 192.168.10.0 255.255.255.0
address 10.1.1.6 255.255.255.255
address 10.1.1.2 255.255.255.255
dynamic-filter blacklist
address 46.249.59.47 255.255.255.255
address 95.215.2.8 255.255.255.255
address 94.75.201.36 255.255.255.255
ntp server 64.250.229.100 source Outside
ntp server 24.56.178.140 source Outside prefer
webvpn
username **********************************
username **************************************
username ************************************
tunnel-group 216.168.57.82 type ipsec-l2l
tunnel-group 216.168.57.82 ipsec-attributes
pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
  inspect dns migrated_dns_map_1 dynamic-filter-snoop
  inspect rtsp
!
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:************************************: end

This FW config snippet says it's configured as secondary. What does the other one say? Are all 3 devices connected to a single switch? What do those port configs look like?

Sent from Cisco Technical Support iPad App

The switch is unconfigured. It shows on primary. Here is show fail.

LEE-ASA# show fail
Failover On
Failover unit Secondary
Failover LAN Interface: failover GigabitEthernet0/3 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 4 of 160 maximum
Version: Ours 8.2(2), Mate 8.2(2)
Last Failover at: 15:47:46 CDT Mar 30 2012
        This host: Secondary - Standby Ready
                Active time: 0 (sec)
                slot 0: ASA5520 hw/sw rev (2.0/8.2(2)) status (Up Sys)
                  Interface Outside (68.232.208.3): Normal
                  Interface inside (10.1.200.253): Normal
                  Interface LeeDMZ (192.168.10.254): Normal
                  Interface management (10.1.4.201): Normal
                slot 1: ASA-SSM-10 hw/sw rev (1.0/7.0(2)E4) status (Up/Up)
                  IPS, 7.0(2)E4, Up
        Other host: Primary - Active
                Active time: 604273 (sec)
                slot 0: ASA5520 hw/sw rev (2.0/8.2(2)) status (Up Sys)
                  Interface Outside (68.232.208.2): Normal
                  Interface inside (10.1.200.254): Normal
                  Interface LeeDMZ (192.168.10.1): Normal
                  Interface management (10.1.4.200): Normal
                slot 1: ASA-SSM-10 hw/sw rev (1.0/7.0(2)E4) status (Up/Up)
                  IPS, 7.0(2)E4, Up

Stateful Failover Logical Update Statistics
        Link : failover GigabitEthernet0/3 (up)
        Stateful Obj    xmit       xerr       rcv        rerr
        General         80550      0          23566629   5283
        sys cmd         80550      0          80550      0
        up time         0          0          0          0
        RPC services    0          0          0          0
        TCP conn        0          0          6857895    1325
        UDP conn        0          0          16200815   3958
        ARP tbl         0          0          408624     0
        Xlate_Timeout   0          0          0          0
        IPv6 ND tbl     0          0          0          0
        VPN IKE upd     0          0          15753      0
        VPN IPSEC upd   0          0          86         0
        VPN CTCP upd    0          0          0          0
        VPN SDI upd     0          0          0          0
        VPN DHCP upd    0          0          0          0
        SIP Session     0          0          2906       0

        Logical Update Queue Information
                        Cur     Max     Total
        Recv Q:         0       54      24788589
        Xmit Q:         0       1       80550
LEE-ASA#
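
The "show failover" output above is exactly what an operator would poll to tell a unit failover (the Secondary becoming Active) apart from a routing problem. The following is an added example, not code from the thread or from Cisco: it parses that output format into a per-unit state and flags the conditions worth alerting on. The sample text is a constructed, abridged copy of the format shown above.

```python
import re
from dataclasses import dataclass, field

# Constructed sample (not the poster's exact output): an abridged copy in the
# format of the "show failover" output shown above, same hosts and addresses.
SAMPLE_SHOW_FAILOVER = """\
Failover On
Failover unit Secondary
Failover LAN Interface: failover GigabitEthernet0/3 (up)
Last Failover at: 15:47:46 CDT Mar 30 2012
        This host: Secondary - Standby Ready
                Active time: 0 (sec)
                  Interface Outside (68.232.208.3): Normal
                  Interface inside (10.1.200.253): Normal
        Other host: Primary - Active
                Active time: 604273 (sec)
                  Interface Outside (68.232.208.2): Normal
                  Interface inside (10.1.200.254): Normal
"""

@dataclass
class UnitState:
    role: str                                       # "Primary" or "Secondary"
    state: str                                      # "Active", "Standby Ready", "Failed", ...
    interfaces: dict = field(default_factory=dict)  # interface name -> monitored status

HOST_RE = re.compile(r"^\s*(This|Other) host:\s+(Primary|Secondary)\s+-\s+(.+?)\s*$")
IFACE_RE = re.compile(r"^\s*Interface (\S+) \(([\d.]+)\): (\S+)")

def parse_show_failover(text):
    """Parse 'show failover' into {"failover_on": bool, "this": UnitState, "other": UnitState}."""
    result = {"failover_on": False}
    current = None
    for line in text.splitlines():
        if line.strip() == "Failover On":
            result["failover_on"] = True
            continue
        m = HOST_RE.match(line)
        if m:
            current = UnitState(role=m.group(2), state=m.group(3))
            result["this" if m.group(1) == "This" else "other"] = current
            continue
        m = IFACE_RE.match(line)
        if m and current is not None:
            current.interfaces[m.group(1)] = m.group(3)
    return result

def failover_findings(parsed):
    """Return the conditions an operator would want alerted on; [] means healthy."""
    findings = []
    if not parsed["failover_on"]:
        findings.append("failover is disabled")
    units = [u for u in (parsed.get("this"), parsed.get("other")) if u is not None]
    active = [u for u in units if u.state == "Active"]
    if len(active) != 1:
        findings.append("expected exactly one Active unit, found %d" % len(active))
    elif active[0].role != "Primary":
        # The Secondary being Active means a unit failover has happened since the last reset.
        findings.append("Secondary unit is Active (a failover has occurred)")
    for u in units:
        for name, status in u.interfaces.items():
            if status != "Normal":
                findings.append("%s (%s) interface %s is %s" % (u.role, u.state, name, status))
    return findings
```

Run it against the real output on a schedule and an empty findings list confirms the pair is in its expected Primary-Active / Secondary-Standby shape; anything else is the cue to look at the unit, not the ISP path.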

@palomoj There was no intent to imply you didn't understand how failover works. You didn't even mention it, so why would it be a dig? I was simply making a separation of failover vs alternate routes so Thomas was clear. It was not to downplay your response. I apologize if this is how it was interpreted.

Yes, without all the info you tend to make some assumptions, which is what I did. You are correct, I did misread the router part and assumed there was another for failover.

@thomas A quick glance shows the router inside interface as the default route for the ASA. So if that stays up the ASA should have a route out, assuming the router itself gets a new default route out the backup ISP and that ISP will take the same NAT'd IPs.

Run a test. While it is down, verify you have the routes needed throughout. Make sure pings to each interface are working. Look at your ARP entries and make sure they are correct.

hth

Chad 
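
The "quick glance" above amounts to a consistency check between the two posted configs: the ASA's only default route points at 68.232.208.1, which must be an address on the router's Gi0/3, and the ASA's own Outside addresses must sit in that same subnet for the next hop to be directly connected. The following is an added example, not code from the thread or from Cisco, that performs that check over constructed excerpts in the format of the configs posted above.

```python
import re
from ipaddress import ip_address, ip_interface

# Constructed excerpts (not the full configs) in the format posted in the thread.
ROUTER_CFG = """\
interface GigabitEthernet0/2
 description Phonoscope ISP Service
 ip address 66.60.235.146 255.255.255.248
!
interface GigabitEthernet0/3
 description Lee College Internal LANs
 ip address 68.232.208.241 255.255.255.240 secondary
 ip address 68.232.208.1 255.255.255.248
!
"""
ASA_CFG = """\
route Outside 0.0.0.0 0.0.0.0 68.232.208.1 1
route inside 10.1.0.0 255.255.0.0 10.1.200.1 1
"""
ASA_OUTSIDE_IPS = ["68.232.208.2", "68.232.208.3"]   # Outside addresses seen in 'show failover'

IF_RE = re.compile(r"^interface (\S+)")
ADDR_RE = re.compile(r"^\s*ip address (\S+) (\S+)")
ROUTE_RE = re.compile(r"^route (\S+) (\S+) (\S+) (\S+)")

def router_addresses(cfg):
    """Map each IOS interface name to its IPv4 interface objects (primary and secondary)."""
    addrs, iface = {}, None
    for line in cfg.splitlines():
        m = IF_RE.match(line)
        if m:
            iface = m.group(1)
            addrs[iface] = []
            continue
        m = ADDR_RE.match(line)
        if m and iface is not None:
            # ipaddress accepts "addr/netmask" dotted-quad notation directly.
            addrs[iface].append(ip_interface("%s/%s" % (m.group(1), m.group(2))))
    return addrs

def asa_default_route(cfg):
    """Return (interface, gateway) for the ASA's 0.0.0.0/0 route, or None if absent."""
    for line in cfg.splitlines():
        m = ROUTE_RE.match(line)
        if m and m.group(2) == "0.0.0.0" and m.group(3) == "0.0.0.0":
            return m.group(1), ip_address(m.group(4))
    return None

def check_default_route(router_cfg, asa_cfg, asa_ips):
    """Verify the ASA default gateway is a router interface address and that the
    ASA's outside addresses sit in that subnet, so the next hop is directly connected."""
    route = asa_default_route(asa_cfg)
    if route is None:
        return {"problems": ["ASA has no default route"]}
    asa_if, gw = route
    match = next(((name, a) for name, addrs in router_addresses(router_cfg).items()
                  for a in addrs if a.ip == gw), None)
    if match is None:
        return {"problems": ["gateway %s is not a router interface address" % gw]}
    rtr_if, a = match
    problems = ["ASA address %s is outside %s" % (ip, a.network)
                for ip in asa_ips if ip_address(ip) not in a.network]
    return {"asa_interface": asa_if, "router_interface": rtr_if,
            "subnet": str(a.network), "problems": problems}
```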

So, you think there might be a problem establishing a route to the new default upstream, to the ISP that is still up? When I fail it over it gets a new route?

No I misunderstood original post

See my last comment

Sent from Cisco Technical Support iPhone App

palomoj
Level 1

This shows you on the standby unit again.

Still hard to tell what's going on

Sent from Cisco Technical Support iPhone App

Hi,

Have you done a health check on every device shown in this diagram?

I wonder if you might have a problem with your packet shaper?

Next time the ISP fails can you try turning it off or bypassing it to see if this makes a difference?

Cheers

Sean
