09-23-2019 02:22 PM
Have a basic setup with an E-LAN circuit that terminates on a subinterface of the ASA with a /29 defined. The ASA and the remote firewall each have an IP in the /29 and ping the far-end device to see if that link is good. On the ASA I have the following configured:
access-list P2P_Backup_VPN extended permit ip 192.168.100.0 255.255.255.0 192.168.20.0 255.255.255.0
sla monitor 202
 type echo protocol ipIcmpEcho 10.199.205.3 interface P2P
 num-packets 3
 frequency 10
sla monitor schedule 202 life forever start-time now
track 202 rtr 202 reachability
route P2P 192.168.20.0 255.255.255.0 10.199.205.3 1 track 202
With the thought that if track 202 goes down, the route to 192.168.20.0/24 should be removed from the route table, at which point the default route should be used and the VPN should come up and pass traffic until the track comes back up. Is that correct? I had a track go down recently and even though the track showed as down, both packet-tracer and a "show route 192.168.20.0" showed traffic as going out over P2P. I even went so far as to remove the static from the configuration, but "show route 192.168.20.0" still showed it as a static route.
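A consistency check for the failure mode described in this post, as an added example that is not from the thread or from Cisco: it parses the `route` lines of the running config, `show track` and `show route`, and flags any static route still in the RIB whose track is Down or whose `route` line is no longer in the config. The command output is constructed and modelled on the thread; the regexes assume the usual ASA output formats for those commands.

```python
import re

# Constructed sample output, modelled on the ASA in this thread (not real captures).
RUN_ROUTE = """route P2P 192.168.20.0 255.255.255.0 10.199.205.3 1 track 202
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1"""
SHOW_TRACK = """Track 202
  Response Time Reporter 202 reachability
  Reachability is Down"""
SHOW_ROUTE = """S    192.168.20.0 255.255.255.0 [1/0] via 10.199.205.3, P2P
S*   0.0.0.0 0.0.0.0 [1/0] via 203.0.113.1, outside"""
# route <iface> <prefix> <mask> <nexthop> [metric] [track <id>]
ROUTE_CFG = re.compile(r"^route\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)(?:\s+\d+)?(?:\s+track\s+(\d+))?$")
TRACK_HDR = re.compile(r"^Track\s+(\d+)")
TRACK_STATE = re.compile(r"Reachability is (Up|Down)")
# S[*] <prefix> <mask> [ad/metric] via <nexthop>, <iface>
RIB_STATIC = re.compile(r"^S\*?\s+(\S+)\s+(\S+)\s+\[\d+/\d+\]\s+via\s+(\S+),\s+(\S+)")
def parse_run_route(text):
    """Map (prefix, mask, nexthop, iface) -> track id, or None if untracked."""
    cfg = {}
    for line in text.splitlines():
        m = ROUTE_CFG.match(line.strip())
        if m:
            iface, prefix, mask, nh, track = m.groups()
            cfg[(prefix, mask, nh, iface)] = int(track) if track else None
    return cfg
def parse_show_track(text):
    """Map track id -> 'Up' / 'Down' from 'show track' output."""
    states, cur = {}, None
    for line in text.splitlines():
        h = TRACK_HDR.match(line)
        if h:
            cur = int(h.group(1))
        s = TRACK_STATE.search(line)
        if s and cur is not None:
            states[cur] = s.group(1)
    return states
def parse_show_route(text):
    """Set of (prefix, mask, nexthop, iface) static entries seen in the RIB."""
    return {m.groups() for m in map(RIB_STATIC.match, text.splitlines()) if m}
def stale_static_routes(run_route, show_track, show_route):
    """Static RIB entries that should already be gone: their track is Down,
    or no matching 'route' line remains in the running config."""
    cfg, states = parse_run_route(run_route), parse_show_track(show_track)
    findings = []
    for entry in parse_show_route(show_route):
        if entry not in cfg:
            findings.append((entry, "not in running-config"))
        elif cfg[entry] is not None and states.get(cfg[entry]) == "Down":
            findings.append((entry, f"track {cfg[entry]} is Down"))
    return sorted(findings)
```

Run it against real captures of the three commands after a tracked link fails; an empty result means the RIB withdrew the route as expected, and a non-empty one is the stale-route condition from this thread.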
09-23-2019 02:49 PM
09-23-2019 05:30 PM
I can get the actual show results in the morning, but to answer some of your questions: 192.168.20.0/24 is the remote network across the VPN. A show crypto ipsec shows the tunnel as up and encaps and decaps are incrementing. If I do a "show route | in 192.168.20.0" it returns 20.0 as a static route reachable across the P2P link. I was able to restore service by adding a route to 20.0 over the P2P link and then deleting it, at which point the route did drop out of the route table. Clearing the tunnel did show it go down and back up; however, I didn't note whether the ASA was the responder when doing a show crypto.
09-25-2019 06:22 AM
So after removing the line as follows, this is what I had:
ASA1(config)# no route P2P 192.168.20.0 255.255.255.0 10.199.205.3 track 202
ASA1(config)# sh run route | in 192.168.20.0
ASA1(config)#
ASA1(config)# sh route | in 192.168.20.0
S 192.168.20.0 255.255.255.0 [1/0] via 10.199.205.3, P2P
In order to get it working I had to do this:
ASA1(config)#route P2P 192.168.20.0 255.255.255.0 10.199.205.3
ASA1(config)#no route P2P 192.168.20.0 255.255.255.0 10.199.205.3
ASA1(config)# sh route | in 192.168.20.0
ASA1(config)#