
ASA5510 - Backup ISP interface does not failback

OSG_DanCisco
Level 1


Cisco ASA 5510 ASA 8.2(5)
Set up the backup ISP per
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtml

Basically vanilla configuration

The SLA Target is the DG of the Primary Outside Interface -
The interface will fall over to the backup ISP (a DHCP interface). We have seen this occur when APPLYing a change via Cisco ASDM as well as during 'planned' cutovers.
The issue is that it does not fall back when the SLA Monitor sees the Target.
sla monitor operational-state reflects a
Latest Operation return code: ok.

However the show route reflects the backup route.
The way I get it back is by bringing down the backup interface.
I thought the following may be helpful:
http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080bc8549.shtml
But this reflects a situation in which the routing table is rebuilt and the original Primary gateway is reinstated.
Again, our route table does not reflect the Primary (until I pull the cable).

One thing I did notice, now, is that the routing table (with the backup) does not show as a S* but d* (lowercase d, not capital D for EIGRP)

C    192.168.29.0 255.255.255.0 is directly connected, inside
C    50.196.236.120 255.255.255.248 is directly connected, outside
C    192.168.39.0 255.255.255.0 is directly connected, dmz
C    192.168.1.0 255.255.255.0 is directly connected, Backup
d*   0.0.0.0 0.0.0.0 [1/0] via 192.168.1.254, Backup

Wondering what would resolve the issue, so the ASA fails back to the Primary once it is recognized.


jocamare
Level 4

Mind sharing the sla and interface configuration? The output of the "show route" command will be useful too.

Also the "sho sla monitor operational-state" output.

The "d*" letter you see is used for routes learned via DHCP.

Julio Carvajal
VIP Alumni

Hello Dan,

Can you share your show run?

I would like to see if you have ip verify enable.

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC