11-19-2010 10:48 AM - edited 03-11-2019 12:11 PM
I've been down this path before and never got a resolution to this issue.
ASA5510 Security Plus
Primary ISP conn is Comcast cable
Secondary ISP conn is fract T1
I duplicated the SLA code from http://www.cisco.com/en/US/partner/products/hw/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtml
When I pull the conn from primary ISP the default route to the secondary comes up
When I reconnect the primary the default route to the secondary does not go away.
I must either reload the ASA or remove/readd the two default outside routes.
Anyone have this same experience and could lend a hand?
Are there any commands I might have in my config that break SLA?
If so I would have hoped either the Configuration Guide or Command Reference for 8.2 would say so, but I don't see any mentioned.
I'm working remotely with my customer so I can't play with this except on off-hours.
ASA running 8.2(2) so as to use AnyConnect Essentials.
Thx,
Phil
11-19-2010 11:01 AM
A sanitized configuration file + topology (in case of an ASA failover set) will help a bit in resolving the problem.
Thanks
Manish
11-19-2010 11:31 AM
Please read and try the workaround.
CSCtc16148 SLA monitor fails to fail back when ip verify reverse is applied
Symptom:
Route Tracking may fail to fail back to the primary link/route when restored.
Conditions:
SLA monitor must be configured along with ip verify reverse path on the tracked interface.
Workaround:
1. Remove ip verify reverse path off of the tracked interface
or
2. add a static route to the SLA target out the primary tracked interface.
Attachments on the defect record:
http://cdetsweb-prd.cisco.com/apps/dumpcr_att?identifier=CSCtc16148&title=fixed-in-broadview-8.3.1.1_interim-by-cl104097&ext=&type=FILE
http://cdetsweb-prd.cisco.com/apps/dumpcr_att?identifier=CSCtc16148&title=fixed-in-broadview-8.3.1_fcs_throttle-by-cl103850&ext=&type=FILE
http://cdetsweb-prd.cisco.com/apps/dumpcr_att?identifier=CSCtc16148&title=fixed-in-broadview-bennu-by-cl101314&ext=&type=FILE
http://cdetsweb-prd.cisco.com/apps/dumpcr_att?identifier=CSCtc16148&title=fixed-in-broadview-idfw-by-cl101317&ext=&type=FILE
http://cdetsweb-prd.cisco.com/apps/dumpcr_att?identifier=CSCtc16148&title=fixed-in-broadview-logging-ng-by-cl101311&ext=&type=FILE
http://cdetsweb-prd.cisco.com/apps/dumpcr_att?identifier=CSCtc16148&title=fixed-in-broadview-main-by-cl101300&ext=&type=FILE
http://cdetsweb-prd.cisco.com/apps/dumpcr_att?identifier=CSCtc16148&title=fixed-in-sedona-64bit-by-cl101362&ext=&type=FILE
http://cdetsweb-prd.cisco.com/apps/dumpcr_att?identifier=CSCtc16148&title=fixed-in-sedona-bv64-by-cl101426&ext=&type=FILE
http://cdetsweb-prd.cisco.com/apps/dumpcr_att?identifier=CSCtc16148&title=fixed-in-sedona-main-by-cl101297&ext=&type=FILE
http://cdetsweb-prd.cisco.com/apps/dumpcr_att?identifier=CSCtc16148&title=fixed-in-titan-8.2.2_fcs_throttle-by-cl101307&ext=&type=FILE
http://cdetsweb-prd.cisco.com/apps/dumpcr_att?identifier=CSCtc16148&title=fixed-in-titan-bennu-by-cl101294&ext=&type=FILE
http://cdetsweb-prd.cisco.com/apps/dumpcr_att?identifier=CSCtc16148&title=fixed-in-titan-main-by-cl101282&ext=&type=FILE
http://cdetsweb-prd.cisco.com/apps/dumpcr_att?identifier=CSCtc16148&title=sla-mon-sh-tech&ext=log&type=FILE
http://cdetsweb-prd.cisco.com/apps/dumpcr_att?identifier=CSCtc16148&title=static-analysis-titan-main&ext=&type=FILE
-KS
11-19-2010 12:30 PM
Not my complete sanitized config, but maybe enough to help.
int e0/0
ip add 10.1.1.1 255.255.255.0
nameif LAN1
security-level 100
int e0/1
ip add 10.1.2.1 255.255.255.0
nameif LAN2
security-level 100
int e0/2
desc Primary ISP
ip add 1.1.1.2 255.255.255.252
nameif P-ISP
security-level 0
int e0/3
desc Secondary/backup ISP
ip add 2.2.2.2 255.255.255.252
nameif S-ISP
security-level 0
same-security-traffic permit inter-interface
ip verify reverse-path interface LAN1
ip verify reverse-path interface LAN2
ip verify reverse-path interface P-ISP
ip verify reverse-path interface S-ISP
no failover
nat-control
global (P-ISP) 1 interface
nat (LAN1) 1 10.1.1.0 255.255.255.0
nat (LAN2) 1 10.1.2.0 255.255.255.0
! assumed S-ISP: the posted line read "global (PriISP) 1 interface", and PriISP is not a nameif defined above
global (S-ISP) 1 interface
static (LAN1,LAN2) 10.1.1.0 10.1.1.0 netmask 255.255.255.0
static (LAN2,LAN1) 10.1.2.0 10.1.2.0 netmask 255.255.255.0
route P-ISP 0.0.0.0 0.0.0.0 1.1.1.1 1 track 1
route S-ISP 0.0.0.0 0.0.0.0 2.2.2.1 254
sla monitor 123
! interface name aligned with the tracked route; the posted line read "interface outside", which is not a nameif defined above
type echo protocol ipIcmpEcho 64.202.128.1 interface P-ISP
num-packets 3
frequency 30
sla monitor schedule 123 life forever start-time now
track 1 rtr 123 reachability
The backup ISP is used mainly for site to site VPNS - there are static routes pointing out the backup interface for this and it works fine.
From what I see in the bug I can't have a config like this and have SLA work.
11-19-2010 12:34 PM
Yes. That is correct. Or run a code where this is fixed. 8.2.2(7) has the fix.
-KS
11-19-2010 12:40 PM
How do I get the ASA IOS with the bug fix?
11-19-2010 12:49 PM
ASA code: http://tools.cisco.com/squish/10C815
ASDM image: http://tools.cisco.com/squish/a5338C
You should see 8.2.3 code. Upgrade to that. (NOT to be mixed up with 8.3.2)
-KS
11-19-2010 01:01 PM
My bad - I was looking specifically for 8.2.2(7) and did not check the release notes for 8.2.3.
I'll download it and verify with my customer.
Thanks for the help - Cisco TAC is still #1
Phil
11-19-2010 01:02 PM
Cisco TAC Rocks !!
Good luck. Rate the posts that helped.
-KS
11-02-2011 05:59 AM
Hello.
I have the same problem on ASA5510 as was described by Phil Williamson in the first post.
When I pull the conn from primary ISP the default route to the secondary comes up.
When I reconnect the primary the default route to the secondary does not go away.
Also, if I restart the ASA, the backup ISP is used instead of the primary ISP even when the primary ISP is available.
Software details:
Cisco Adaptive Security Appliance Software Version 7.2(5)2
Device Manager Version 5.2(5)
Compiled on Wed 19-Jan-11 19:13 by builders
System image file is "disk0:/asa725-2-k8.bin"
Config file at boot was "startup-config"
What should I do? Thanks in advance.
11-02-2011 06:19 AM
I identified a potential defect CSCtc16148
Does the defect match to what you are seeing?
Upgrade to the latest 8.2.5(x) code and see if this resolves the issue.
ASA code: http://tools.cisco.com/squish/5f29b
-Kureli
11-02-2011 06:46 AM
CSCtc16148 looks like my problem, but it was found in 8.2(1) and the newest IOS release. I can try to add a static route to the SLA target out the primary tracked interface in non-business hours. Probably it will help me to resolve the issue. If it's possible, could you please simulate this in your lab (on an ASA5510 with the same IOS)?
If it doesn't help I will need to make a hardware (RAM) and software upgrade on the ASA5510. Are there any concerns during the transition between the different IOS versions (7.x to 8.x)? Or will it all go smoothly?
Thank you a lot!
11-02-2011 08:13 AM
We volunteer our time on our forum. Unfortunately I do not have time to test this. It would be easier for you to try the workaround that I listed on the defect:
1. Remove ip verify reverse path off of the tracked interface
or
2. add a static route to the SLA target out the primary tracked interface.
If the workaround works, then upgrade the code to 8.2.5(x). This does not require a memory upgrade. Only 8.3 and above require a memory upgrade.
Good luck.
-Kureli
11-03-2011 01:42 AM
"add a static route to the SLA target out the primary tracked interface"
Am I right that it should be like this?
route outside 0.0.0.0 0.0.0.0 10.104.200.117 1 track 100
route outside 0.0.0.0 0.0.0.0 10.104.200.117 1 - Do I need to add this row?
Thank you very much!
11-03-2011 01:45 AM
The second one is not needed.
Mike
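The two workarounds KS quoted from CSCtc16148 (drop ip verify reverse-path from the tracked interface, or add a static route to the SLA target out that interface) and the route form asked about in the question just above can be checked mechanically. The script below is an added example, written for this page; it is not Cisco tooling and not code from the thread. It parses only the ASA 8.2 command forms that appear in this thread (route ... track, track ... rtr ... reachability, sla monitor / type echo, ip verify reverse-path interface) from a constructed config modelled on Phil's, reports any tracked route whose interface has uRPF on and no host route to the SLA target, and prints the /32 route that workaround 2 calls for. Interface names, gateways and the SLA target 64.202.128.1 are taken from the posted config; everything else is an assumption of the example.

```python
"""Lint an ASA 8.2-style config for the CSCtc16148 failback condition.

Added example, not Cisco tooling.  Reports every tracked static route whose
interface has 'ip verify reverse-path' enabled and no host route to the SLA
target out that interface, and prints the route that workaround 2 calls for.
The sample configs at the bottom are constructed, modelled on the thread.
"""
import re

HOST_MASK = "255.255.255.255"
ROUTE_RE = re.compile(
    r"^route (?P<iface>\S+) (?P<net>\S+) (?P<mask>\S+) (?P<gw>\S+)"
    r"(?: (?P<metric>\d+))?(?: track (?P<track>\d+))?$")
TRACK_RE = re.compile(r"^track (?P<id>\d+) rtr (?P<sla>\d+) reachability$")
SLA_RE = re.compile(r"^sla monitor (?P<id>\d+)$")
ECHO_RE = re.compile(
    r"^type echo protocol ipIcmpEcho (?P<target>\S+) interface (?P<iface>\S+)$")
RPF_RE = re.compile(r"^ip verify reverse-path interface (?P<iface>\S+)$")


def parse(config):
    """Pull out routes, track->sla, sla->(target, probe iface), uRPF ifaces."""
    routes, tracks, slas, rpf = [], {}, {}, set()
    cur_sla = None
    for raw in config.splitlines():
        line = raw.strip()
        if m := ROUTE_RE.match(line):
            d = m.groupdict()
            d["track"] = int(d["track"]) if d["track"] else None
            routes.append(d)
        elif m := TRACK_RE.match(line):
            tracks[int(m["id"])] = int(m["sla"])
        elif m := SLA_RE.match(line):
            cur_sla = int(m["id"])          # indented lines that follow belong to it
        elif (m := ECHO_RE.match(line)) and cur_sla is not None:
            slas[cur_sla] = (m["target"], m["iface"])
        elif m := RPF_RE.match(line):
            rpf.add(m["iface"])
    return routes, tracks, slas, rpf


def workaround_route(route, target):
    """Host route to the SLA target out the tracked interface (workaround 2)."""
    return f"route {route['iface']} {target} {HOST_MASK} {route['gw']} 1"


def check(config):
    """Return findings as strings; an empty list means the condition is absent."""
    routes, tracks, slas, rpf = parse(config)
    findings = []
    for r in routes:
        if r["track"] is None:
            continue                        # untracked route, not affected
        sla_id = tracks.get(r["track"])
        if sla_id not in slas:
            findings.append(f"track {r['track']} has no sla monitor behind it")
            continue
        target, probe_iface = slas[sla_id]
        if probe_iface != r["iface"]:
            findings.append(f"sla monitor {sla_id} probes out {probe_iface} "
                            f"but the tracked route is on {r['iface']}")
        if r["iface"] not in rpf:
            continue                        # workaround 1 already in effect
        has_host_route = any(x["iface"] == r["iface"] and x["net"] == target
                             and x["mask"] == HOST_MASK for x in routes)
        if not has_host_route:
            findings.append(
                f"CSCtc16148: uRPF on {r['iface']} with tracked route "
                f"(track {r['track']}) and no host route to SLA target {target}; "
                f"add: {workaround_route(r, target)}")
    return findings


# Constructed sample, modelled on the config posted in this thread.
BEFORE = """\
ip verify reverse-path interface LAN1
ip verify reverse-path interface LAN2
ip verify reverse-path interface P-ISP
ip verify reverse-path interface S-ISP
route P-ISP 0.0.0.0 0.0.0.0 1.1.1.1 1 track 1
route S-ISP 0.0.0.0 0.0.0.0 2.2.2.1 254
sla monitor 123
 type echo protocol ipIcmpEcho 64.202.128.1 interface P-ISP
 num-packets 3
 frequency 30
sla monitor schedule 123 life forever start-time now
track 1 rtr 123 reachability
"""
# Workaround 2: same config plus a /32 to the SLA target out P-ISP.
AFTER = BEFORE + "route P-ISP 64.202.128.1 255.255.255.255 1.1.1.1 1\n"
# Workaround 1: uRPF dropped from the tracked interface only.
NO_RPF = BEFORE.replace("ip verify reverse-path interface P-ISP\n", "")

if __name__ == "__main__":
    for name, cfg in (("before", BEFORE), ("after", AFTER), ("no-rpf", NO_RPF)):
        print(name, check(cfg) or "clean")
```

The host route it suggests is a /32 to the probe target out the primary interface, alongside the tracked default route, not a second default route. The checker also flags an SLA monitor whose probe interface does not match the interface of the route it tracks, since the probe then tests the wrong link.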