ASA5510 sla monitor does not fail back

Phil Williamson
Level 1

I've been down this path before and never got a resolution to this issue.

ASA5510 Security Plus

Primary ISP conn is Comcast cable

Secondary ISP conn is fract T1

I duplicated the SLA code from http://www.cisco.com/en/US/partner/products/hw/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtml

When I pull the conn from primary ISP the default route to the secondary comes up

When I reconnect the primary the default route to the secondary does not go away.

I must either reload the ASA or remove/readd the two default outside routes.

Anyone have this same experience and could lend a hand?

Are there any commands I might have in my config that break SLA?

If so I would have hoped either the Configuration Guide or Command Reference for 8.2 would say so, but I don't see any mentioned.

I'm working remotely with my customer so I can't play with this except on off-hours.

ASA running 8.2(2) so as to use AnyConnect Essentials.

Thx,

Phil


manish arora
Level 6

A sanitized configuration file + topology ( in case of ASA failover set ) will help a little bit resolving the problem.

Thanks

Manish

Pls. read and try the workaround.

CSCtc16148    SLA monitor fails to fail back when ip verify reverse is applied

Symptom:

Route Tracking may fail to fail back to the primary link/route when restored.

Conditions:

SLA monitor must be configured along with ip verify reverse path on the tracked interface.

Workaround:

1. Remove ip verify reverse path off of the tracked interface

or

2. add a static route to the SLA target out the primary tracked interface.



-KS

Phil Williamson
Level 1

Not my complete sanitized config, but maybe enough to help.

int e0/0

ip add 10.1.1.1 255.255.255.0

nameif LAN1

security-level 100

int e0/1

ip add 10.1.2.1 255.255.255.0

nameif LAN2

security-level 100

int e0/2

desc Primary ISP

ip add 1.1.1.2 255.255.255.252

nameif P-ISP

security-level 0

int e0/3

desc Secondary/backup ISP

ip add 2.2.2.2 255.255.255.252

nameif S-ISP

security-level 0

same-security-traffic permit inter-interface

ip verify reverse-path interface LAN1

ip verify reverse-path interface LAN2

ip verify reverse-path interface P-ISP

ip verify reverse-path interface S-ISP

no failover

nat-control
global (P-ISP) 1 interface

nat (LAN1) 1 10.1.1.0 255.255.255.0

nat (LAN2) 1 10.1.2.0 255.255.255.0

global (PriISP) 1 interface

static (LAN1,LAN2) 10.1.1.0 10.1.1.0 netmask 255.255.255.0
static (LAN2,LAN1) 10.1.2.0 10.1.2.0 netmask 255.255.255.0

route P-ISP 0.0.0.0 0.0.0.0 1.1.1.1 1 track 1
route S-ISP 0.0.0.0 0.0.0.0 2.2.2.1 254

sla monitor 123
type echo protocol ipIcmpEcho 64.202.128.1 interface outside
  num-packets 3
  frequency 30

sla monitor schedule 123 life forever start-time now
track 1 rtr 123 reachability


The backup ISP is used mainly for site-to-site VPNs - there are static routes pointing out the backup interface for this and it works fine.

From what I see in the bug I can't have a config like this and have SLA work.

Yes. That is correct. Or run a code where this is fixed. 8.2.2(7) has the fix.

-KS
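
An added example (not part of the thread and not Cisco's code): a small Python check that reads an ASA running-config and reports every tracked route whose interface also has `ip verify reverse-path` enabled, with no untracked static route to the SLA target out that same interface, which are the CSCtc16148 conditions and workaround 2 as quoted above. The sample config is constructed and modelled on the sanitized config in this thread; treating any non-default untracked route that covers the target as satisfying the workaround is an assumption.

```python
import ipaddress

# Constructed sample, modelled on the sanitized config posted in this thread.
SAMPLE = """\
ip verify reverse-path interface P-ISP
ip verify reverse-path interface S-ISP
route P-ISP 0.0.0.0 0.0.0.0 1.1.1.1 1 track 1
route S-ISP 0.0.0.0 0.0.0.0 2.2.2.1 254
sla monitor 123
 type echo protocol ipIcmpEcho 64.202.128.1 interface P-ISP
sla monitor schedule 123 life forever start-time now
track 1 rtr 123 reachability
"""

def find_failback_risk(config):
    """Return (interface, sla_target) pairs matching the CSCtc16148 conditions."""
    rpf, routes, sla_target, track_sla = set(), [], {}, {}
    sla_id = None
    for line in config.splitlines():
        tok = line.split()
        if tok[:3] == ["ip", "verify", "reverse-path"] and len(tok) >= 5:
            rpf.add(tok[4])                      # interface with uRPF enabled
        elif tok[:1] == ["route"] and len(tok) >= 5:
            net = ipaddress.ip_network(f"{tok[2]}/{tok[3]}", strict=False)
            track = tok[tok.index("track") + 1] if "track" in tok[:-1] else None
            routes.append((tok[1], net, track))
        elif tok[:2] == ["sla", "monitor"] and len(tok) == 3:
            sla_id = tok[2]                      # start of an SLA definition
        elif tok[:3] == ["type", "echo", "protocol"] and sla_id and len(tok) >= 5:
            sla_target[sla_id] = ipaddress.ip_address(tok[4])
        elif tok[:1] == ["track"] and len(tok) >= 4 and tok[2] == "rtr":
            track_sla[tok[1]] = tok[3]           # track id -> SLA id
    findings = []
    for iface, _net, track in routes:
        target = sla_target.get(track_sla.get(track))
        if track is None or target is None or iface not in rpf:
            continue
        # Workaround 2: an untracked, non-default route to the SLA target
        # out the same (tracked) interface.
        pinned = any(i == iface and t is None and n.prefixlen > 0 and target in n
                     for i, n, t in routes)
        if not pinned:
            findings.append((iface, str(target)))
    return findings

if __name__ == "__main__":
    for iface, target in find_failback_risk(SAMPLE):
        print(f"{iface}: tracked route + reverse-path, no static route to {target}")
```
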

How do I get the ASA IOS with the bug fix?

ASA code:  http://tools.cisco.com/squish/10C815

ASDM image: http://tools.cisco.com/squish/a5338C

You should see 8.2.3 code. Upgrade to that. (NOT to be mixed up with 8.3.2)

-KS

My bad - I was looking specifically for 8.2.2.(7) and did not check the release notes for 8.2.3

I'll download it and verify with my customer.

Thanks for the help - Cisco TAC is still #1

Phil

Cisco TAC Rocks !!

Good luck.  Rate the posts that helped.

-KS

acnrussmartnet
Level 1

Hello.

I have the same problem on ASA5510 as was described by Phil Williamson in the first post.

  When I pull the conn from primary ISP the default route to the secondary comes up.

  When I reconnect the primary the default route to the secondary does not go away.

Also, if I restart the ASA, the Backup ISP is used instead of the Primary ISP even if the Primary ISP is available.

Software details:

Cisco Adaptive Security Appliance Software Version 7.2(5)2

Device Manager Version 5.2(5)

Compiled on Wed 19-Jan-11 19:13 by builders

System image file is "disk0:/asa725-2-k8.bin"

Config file at boot was "startup-config"

What should I do? Thanks in advance.

I identified a potential defect CSCtc16148

Does the defect match to what you are seeing?

Upgrade to the latest 8.2.5(x) code and see if this resolves the issue.

ASA code: http://tools.cisco.com/squish/5f29b

-Kureli

CSCtc16148 looks like my problem but it was found in 8.2(1) and newest IOS release. I can try to add a static route to the SLA target out the primary tracked interface in non-business hours. It will probably help me resolve the issue. If possible, could you please simulate this in your lab (on an ASA5510 with the same IOS)?

If it doesn't help, I will need to do a hardware (RAM) and software upgrade on the ASA5510. Are there any concerns during the transition between the different IOS versions (7.x to 8.x)? Or will all go smoothly?

Thank you a lot!

We volunteer our time on our forum. Unfortunately I do not have time to test this. It would be easier for you to try the workaround that I listed on the defect:

1. Remove ip verify reverse path off of the tracked interface

or

2. add a static route to the SLA target out the primary tracked interface.

If the workaround works, then upgrade the code to 8.2.5(x).  This does not require a memory upgrade.  Only 8.3 and above require a memory upgrade.

Good luck.

-Kureli

"add a static route to the SLA target out the primary tracked interface"

Am I right that it should be like this?

route outside 0.0.0.0 0.0.0.0 10.104.200.117 1 track 100
route outside 0.0.0.0 0.0.0.0 10.104.200.117 1 - Do I need to add this row?

Thank you very much!

The second one is not needed.

Mike
