01-13-2010 11:35 AM - edited 03-11-2019 09:57 AM
I would like to setup a backup internet connection but I don't want the connection to failover if one IP address or sla monitor is down. I would like at least two to fail before it goes down. The only way I can think of is the config below. Is there an easier way?
route outside 0.0.0.0 0.0.0.0 <isp1 route> 1 track 1
route outside 0.0.0.0 0.0.0.0 <isp1 route> 2 track 2
route outside 0.0.0.0 0.0.0.0 <isp2 route> 254
sla monitor 101
type echo protocol ipIcmpEcho 10.0.0.1 interface outside
num-packets 3
frequency 10
sla monitor 102
type echo protocol ipIcmpEcho 10.0.0.2 interface outside
num-packets 3
frequency 10
sla monitor schedule 101 life forever start-time now
sla monitor schedule 102 life forever start-time now
track 1 rtr 101 reachability
track 2 rtr 102 reachability
06-01-2016 08:26 AM
I’ve tried all of these options and haven’t gotten any of them to work. But here is what I came up with that does seem to work really well. You can ping two, four, or even more Internet hosts, and only when all of them fail does the ASA fail over to the backup ISP:
route outside 0.0.0.0 128.0.0.0 <primary gateway> 1 track 100
route outside 128.0.0.0 128.0.0.0 <primary gateway> 1 track 100
route outside 0.0.0.0 0.0.0.0 <primary gateway> 2 track 101
route outside-failover 0.0.0.0 0.0.0.0 <backup gateway> 254
track 100 rtr 100 reachability
track 101 rtr 101 reachability
sla monitor 100
type echo protocol ipIcmpEcho 208.67.222.222 interface outside
num-packets 3
frequency 10
sla monitor 101
type echo protocol ipIcmpEcho 8.8.8.8 interface outside
num-packets 3
frequency 9
sla monitor schedule 100 life forever start-time now
sla monitor schedule 101 life forever start-time now
This way both 208.67.222.222 (OpenDNS) and 8.8.8.8 (Google DNS) have to be unreachable for the failover to occur from the primary Internet connection to the backup Internet connection. You could even expand this out from pinging two Internet IPs to four, or use it to have more than one backup Internet connection for a failover from ISP 1 (maybe fiber) to ISP 2 (for example cable) to ISP 3 (a Cradlepoint router using LTE/4G).
You can test the failover pretty easily by creating two EC2 instances on Amazon’s AWS cloud. Use these two IPs in the SLA monitor commands. Then you can use the Amazon firewall rules (or you can just start and stop the instances) to control the ICMP (ping) access to see how your ASA will fail over if one or both of the instances don’t ping.
Here is what you will see in the routing table:
Track 100 up, Track 101 up:
Gateway of last resort is <primary ISP> to network 0.0.0.0
C <Backup Interface> 255.255.255.0 is directly connected, outside-failover
C <LAN Interface> 255.255.0.0 is directly connected, inside
C <Primary ISP Interface> 255.255.255.240 is directly connected, outside
S 0.0.0.0 128.0.0.0 [1/0] via <Primary ISP Default Gateway>, outside
S* 0.0.0.0 0.0.0.0 [2/0] via <Primary ISP Default Gateway>, outside
S 128.0.0.0 128.0.0.0 [1/0] via <Primary ISP Default Gateway>, outside
Track 100 up, Track 101 down:
Gateway of last resort is <Backup ISP Default Gateway> to network 0.0.0.0
C <Backup Interface> 255.255.255.0 is directly connected, outside-failover
C <LAN Interface> 255.255.0.0 is directly connected, inside
C <Primary ISP Interface> 255.255.255.240 is directly connected, outside
S 0.0.0.0 128.0.0.0 [1/0] via <Primary ISP Default Gateway>, outside
S* 0.0.0.0 0.0.0.0 [254/0] via <Backup ISP Default Gateway>, outside-failover
S 128.0.0.0 128.0.0.0 [1/0] via <Primary ISP Default Gateway>, outside
Track 100 down, Track 101 up:
Gateway of last resort is <Primary ISP Default Gateway> to network 0.0.0.0
C <Backup Interface> 255.255.255.0 is directly connected, outside-failover
C <LAN Interface> 255.255.0.0 is directly connected, inside
C <Primary ISP Interface> 255.255.255.240 is directly connected, outside
S* 0.0.0.0 0.0.0.0 [2/0] via <Primary ISP Default Gateway>, outside
Track 100 down, Track 101 down:
Gateway of last resort is <Backup ISP Default Gateway> to network 0.0.0.0
C <Backup Interface> 255.255.255.0 is directly connected, outside-failover
C <LAN Interface> 255.255.0.0 is directly connected, inside
C <Primary ISP Interface> 255.255.255.240 is directly connected, outside
S* 0.0.0.0 0.0.0.0 [254/0] via <Backup ISP Default Gateway>, outside-failover
An even better option would be to configure two Raspberry Pis in a cluster on the outside network of the ASA for the ASA to track with the SLA command. Those Raspberry Pis can then be configured so that they ping any number of hosts and also connect to any number of web sites before signalling the ASA to fail over to the backup Internet connection. This gives much more control over the failover process than simple pings, even with the multiple pings allowed by the ASA configuration above. And the redundant Raspberry Pis mean that even if one fails, the ASA route tracking continues to work properly. Note: you need either one extra static public IP for a single external Raspberry Pi or three extra static public IPs for a cluster of Pis. Please see http://www.icepts.com/cisco-asa-firewall-route-tracking-with-multiple-ips/
Dave
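As an added illustration (not part of Dave's post, and not an ASA tool), the following Python model reproduces the ASA's static-route selection (tracked routes drop out when their track is down; longest prefix wins, then lowest metric) and shows why the /1 split makes the two monitors an AND: the primary gateway is used while any tracked level is up, and the backup only when all are down. It also extends the scheme to more monitors by adding /2, /3, ... levels, each level tied to its own track; the track numbering 100 + prefix length and the single metric 1 for all tracked routes are this example's assumptions, not Dave's.

```python
import ipaddress
from itertools import product

PRIMARY, BACKUP = "primary", "backup"

def and_tracked_routes(levels, backup_metric=254):
    """Route set for the posted scheme extended to `levels` SLA monitors.
    Level k holds all 2**k prefixes of length /k, each pointing at the primary
    gateway and tied to track 100 + k (assumed numbering). Dave's config is
    levels=2: one /0 route on one track, two /1 routes on another.
    Each route is (network, gateway, metric, track) with track None = untracked."""
    routes = []
    whole = ipaddress.ip_network("0.0.0.0/0")
    for k in range(levels):
        prefixes = [whole] if k == 0 else list(whole.subnets(new_prefix=k))
        routes.extend((net, PRIMARY, 1, 100 + k) for net in prefixes)
    routes.append((whole, BACKUP, backup_metric, None))  # floating default
    return routes

def next_hop(routes, track_up, dst):
    """ASA-style lookup: ignore routes whose track is down, then pick the
    longest matching prefix, breaking ties on the lowest metric."""
    dst = ipaddress.ip_address(dst)
    live = [r for r in routes
            if (r[3] is None or track_up.get(r[3], False)) and dst in r[0]]
    if not live:
        return None
    return min(live, key=lambda r: (-r[0].prefixlen, r[2]))[1]

def failover_table(levels, dst="198.51.100.10"):
    """Gateway chosen for every combination of track states (True = up)."""
    routes = and_tracked_routes(levels)
    tracks = [100 + k for k in range(levels)]
    return {states: next_hop(routes, dict(zip(tracks, states)), dst)
            for states in product([True, False], repeat=levels)}

def asa_route_lines(levels, primary_gw="<primary gateway>",
                    backup_gw="<backup gateway>"):
    """Render the route set as ASA 'route' commands (placeholder gateways)."""
    lines = []
    for net, gw, metric, track in and_tracked_routes(levels):
        if track is None:
            lines.append(f"route outside-failover {net.network_address} "
                         f"{net.netmask} {backup_gw} {metric}")
        else:
            lines.append(f"route outside {net.network_address} {net.netmask} "
                         f"{primary_gw} {metric} track {track}")
    return lines

if __name__ == "__main__":
    for states, gw in failover_table(2).items():
        print(states, "->", gw)          # only (False, False) -> backup
    print("\n".join(asa_route_lines(4)))  # 15 tracked routes + 1 floating default
```

For four monitors the scheme needs 1 + 2 + 4 + 8 tracked routes, so the route count doubles per extra monitor; the Raspberry Pi approach above avoids that growth.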
03-27-2020 05:48 AM
What would the 4 IP track config look like? I have implemented the 3 IP track and it's working fine for me.