ASA SLA Tracking w/ multiple icmp checks

dnoc43
Level 1

I would like to set up a backup internet connection, but I don't want the connection to fail over if one IP address or SLA monitor is down.  I would like at least two to fail before it goes down. The only way I can think of is the config below.  Is there an easier way?

route outside 0.0.0.0 0.0.0.0 <isp1 route> 1 track 1

route outside 0.0.0.0 0.0.0.0 <isp1 route> 2 track 2

route outside 0.0.0.0 0.0.0.0 <isp2 route> 254

sla monitor 101
  type echo protocol ipIcmpEcho 10.0.0.1 interface outside
  num-packets 3
  frequency 10

sla monitor 102
  type echo protocol ipIcmpEcho 10.0.0.2 interface outside
  num-packets 3
  frequency 10

sla monitor schedule 101 life forever start-time now

sla monitor schedule 102 life forever start-time now

track 1 rtr 101 reachability

track 2 rtr 102 reachability

16 Replies

dbaddorf
Level 1

  I've tried all of these options and haven't gotten any of them to work.  But here is what I came up with that does seem to work really well.  You can ping two, four, or even more Internet hosts, and only when all of them fail does the ASA fail over to the backup ISP:

route outside 0.0.0.0 128.0.0.0 <primary gateway> 1 track 100

route outside 128.0.0.0 128.0.0.0 <primary gateway> 1 track 100

route outside 0.0.0.0 0.0.0.0 <primary gateway> 2 track 101

route outside-failover 0.0.0.0 0.0.0.0 <backup gateway> 254

track 100 rtr 100 reachability

track 101 rtr 101 reachability

sla monitor 100

 type echo protocol ipIcmpEcho 208.67.222.222 interface outside

 num-packets 3

 frequency 10

sla monitor 101

 type echo protocol ipIcmpEcho 8.8.8.8 interface outside

 num-packets 3

 frequency 9

sla monitor schedule 100 life forever start-time now

sla monitor schedule 101 life forever start-time now

  This way both 208.67.222.222 (OpenDNS) and 8.8.8.8 (Google DNS) have to be unreachable for the failover to occur from the primary Internet connection to the backup Internet connection.  You could even expand this out from pinging two Internet IPs to four.  Or use it to have more than one backup Internet connection, for a failover from ISP 1 (maybe fiber) to ISP 2 (for example cable) to ISP 3 (a Cradlepoint router using LTE/4G).

  You can test the failover pretty easily by creating two EC2 instances on Amazon's AWS cloud.  Use these two IPs in the SLA monitor commands.  Then you can use the Amazon firewall rules (or you can just start and stop the instances) to control the ICMP (ping) access to see how your ASA will fail over if one or both of the instances don't ping.

  Here is what you will see in the routing table:

Track 100 up, Track 101 up:

Gateway of last resort is <primary ISP> to network 0.0.0.0

C    <Backup Interface> 255.255.255.0 is directly connected, outside-failover

C    <LAN Interface> 255.255.0.0 is directly connected, inside

C    <Primary ISP Interface> 255.255.255.240 is directly connected, outside

S    0.0.0.0 128.0.0.0 [1/0] via <Primary ISP Default Gateway>, outside

S*   0.0.0.0 0.0.0.0 [2/0] via <Primary ISP Default Gateway>, outside

S    128.0.0.0 128.0.0.0 [1/0] via <Primary ISP Default Gateway>, outside

Track 100 up, Track 101 down:

Gateway of last resort is <Backup ISP Default Gateway> to network 0.0.0.0

C    <Backup Interface> 255.255.255.0 is directly connected, outside-failover

C    <LAN Interface> 255.255.0.0 is directly connected, inside

C    <Primary ISP Interface> 255.255.255.240 is directly connected, outside

S    0.0.0.0 128.0.0.0 [1/0] via <Primary ISP Default Gateway>, outside

S*   0.0.0.0 0.0.0.0 [254/0] via <Backup ISP Default Gateway>, outside-failover

S    128.0.0.0 128.0.0.0 [1/0] via <Primary ISP Default Gateway>, outside

Track 100 down, Track 101 up:

Gateway of last resort is <Primary ISP Default Gateway> to network 0.0.0.0

C    <Backup Interface> 255.255.255.0 is directly connected, outside-failover

C    <LAN Interface> 255.255.0.0 is directly connected, inside

C    <Primary ISP Interface> 255.255.255.240 is directly connected, outside

S*   0.0.0.0 0.0.0.0 [2/0] via <Primary ISP Default Gateway>, outside

Track 100 down, Track 101 down:

Gateway of last resort is <Backup ISP Default Gateway> to network 0.0.0.0

C    <Backup Interface> 255.255.255.0 is directly connected, outside-failover

C    <LAN Interface> 255.255.0.0 is directly connected, inside

C    <Primary ISP Interface> 255.255.255.240 is directly connected, outside

S*   0.0.0.0 0.0.0.0 [254/0] via <Backup ISP Default Gateway>, outside-failover

  An even better option would be to configure two Raspberry Pis in a cluster on the outside network of the ASA for the ASA to track with the SLA command.  Then those Raspberry Pis can be configured so that they can ping any number of hosts and also connect to any number of web sites before signalling the ASA to fail over to the backup Internet connection.  This gives much more control over the failover process than just simple pings, even with the multiple pings allowed by the ASA configuration above.  And the redundant Raspberry Pis mean that even if one fails, the ASA route tracking continues to work properly.  Note: You need either one extra static public IP for a single external Raspberry Pi or three extra static public IPs for a cluster of Pis.  Please see http://www.icepts.com/cisco-asa-firewall-route-tracking-with-multiple-ips/

Dave

What would the 4 IP track config look like? I have implemented the 3 IP track and it's working fine for me.
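Added example, not part of the thread and not any poster's configuration: a Python model of the layered-route trick in dbaddorf's config above, generalized to N probe hosts, which also produces the 4-IP layout asked about in the reply just above. It generates the ASA lines and then simulates the ASA's route selection (longest prefix first, lowest administrative distance on a tie, tracked routes withdrawn when their track is down) for every combination of track states. Assumed placeholders: primary gateway 192.0.2.1 and backup gateway 198.51.100.1 (RFC 5737 documentation addresses standing in for <primary gateway> and <backup gateway>), interfaces "outside" and "outside-failover", SLA/track IDs starting at 100, and the probe addresses from the thread as sample input.

```python
"""Layered ASA route tracking for N probe hosts (added example, not from the thread).

Each tracked host owns a "layer" of static routes that together tile 0.0.0.0/0;
the first host gets the most specific layer.  Because the ASA prefers the longest
matching prefix, traffic keeps using the primary gateway while ANY layer is still
in the table, and the AD-254 backup default is used only when every track is down.

Assumed/constructed values: 192.0.2.1 = <primary gateway>, 198.51.100.1 =
<backup gateway> (RFC 5737 addresses), interfaces outside / outside-failover.
"""
import ipaddress
from dataclasses import dataclass
from itertools import product
from typing import Dict, List, Optional, Tuple

PRIMARY_GW = "192.0.2.1"      # placeholder for <primary gateway>
BACKUP_GW = "198.51.100.1"    # placeholder for <backup gateway>


@dataclass(frozen=True)
class Route:
    iface: str
    network: ipaddress.IPv4Network
    gateway: str
    distance: int                 # administrative distance (the "1", "2", "254")
    track: Optional[int] = None   # track object the route depends on, if any

    def render(self) -> str:
        line = (f"route {self.iface} {self.network.network_address} "
                f"{self.network.netmask} {self.gateway} {self.distance}")
        return f"{line} track {self.track}" if self.track is not None else line


def covering_prefixes(length: int) -> List[ipaddress.IPv4Network]:
    """The 2**length networks of prefix length /length that tile 0.0.0.0/0."""
    return [ipaddress.ip_network((i << (32 - length), length))
            for i in range(1 << length)]


def build_routes(hosts: List[str], base_id: int = 100) -> List[Route]:
    """Host k gets 2**(n-1-k) routes of length /(n-1-k) bound to track base_id+k.

    Two hosts give exactly the /1 + /1 + /0 layout from the post; four hosts give
    8 + 4 + 2 + 1 tracked routes plus the untracked backup default.
    """
    n = len(hosts)
    routes = []
    for k in range(n):
        for net in covering_prefixes(n - 1 - k):
            routes.append(Route("outside", net, PRIMARY_GW, k + 1, base_id + k))
    routes.append(Route("outside-failover", ipaddress.ip_network("0.0.0.0/0"),
                        BACKUP_GW, 254))
    return routes


def build_config(hosts: List[str], base_id: int = 100) -> List[str]:
    """Full ASA snippet in the thread's order: routes, tracks, sla monitors, schedules."""
    lines = [r.render() for r in build_routes(hosts, base_id)]
    lines += [f"track {base_id + k} rtr {base_id + k} reachability" for k in range(len(hosts))]
    for k, host in enumerate(hosts):
        lines += [f"sla monitor {base_id + k}",
                  f" type echo protocol ipIcmpEcho {host} interface outside",
                  " num-packets 3",
                  " frequency 10"]
    lines += [f"sla monitor schedule {base_id + k} life forever start-time now"
              for k in range(len(hosts))]
    return lines


def lookup(routes: List[Route], track_up: Dict[int, bool], dest: str) -> Tuple[str, str]:
    """ASA-style selection: withdraw routes whose track is down, then pick the
    longest matching prefix and, on equal length, the lowest distance."""
    candidates = [r for r in routes
                  if (r.track is None or track_up.get(r.track, False))
                  and ipaddress.ip_address(dest) in r.network]
    best = max(candidates, key=lambda r: (r.network.prefixlen, -r.distance))
    return best.iface, best.gateway


def failover_matrix(hosts: List[str], dest: str = "203.0.113.10",
                    base_id: int = 100) -> Dict[Tuple[bool, ...], str]:
    """Egress interface chosen for dest under every combination of track states."""
    routes = build_routes(hosts, base_id)
    ids = [base_id + k for k in range(len(hosts))]
    return {states: lookup(routes, dict(zip(ids, states)), dest)[0]
            for states in product([True, False], repeat=len(hosts))}


if __name__ == "__main__":
    print("\n".join(build_config(["208.67.222.222", "8.8.8.8"])))
    for states, iface in failover_matrix(["10.0.0.1", "10.0.0.2", "10.0.0.3", "10.0.0.4"]).items():
        print(states, "->", iface)
```

Two points worth keeping in mind when reading the generated config. Prefix length, not the metric, is what keeps traffic on the primary link while any layer is present; the administrative distance only decides between the tracked 0.0.0.0/0 and the 254 backup once all longer prefixes are gone, so the tracked default must always carry a distance below 254. And each `sla monitor` is pinned to `interface outside`, so the probes keep leaving through the primary link even after the default route has moved to outside-failover, which is what lets the primary routes come back when the probe hosts become reachable again.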
