1531 Views, 0 Helpful, 8 Replies

Cisco ASA 5508 Dual WAN (Active/Standby) Issue

Hi,

Can someone please help me figure out why my Cisco ASA 5508 floating backup default route is active even if the primary is still up? My expected result is that I should not be able to ping the backup IP if the primary is still up, but what's happening is that I am able to ping both from the Internet. My track is working, and when I run show route the default route is pointing to TATA, which is the primary.

Cisco Adaptive Security Appliance Software Version 9.8(4)20
Firepower Extensible Operating System Version 2.2(2.124)
Device Manager Version 7.8(1)
!
interface GigabitEthernet1/3
 description ---- PRIMARY----
 speed 100
 duplex full
 nameif TATA
 security-level 0
 ip address 121.X.X.1 255.255.255.252
!
interface GigabitEthernet1/6
 description ---BACKUP----
 speed 100
 duplex full
 nameif ISHAN
 security-level 0
 ip address 103.X.X.170 255.255.255.248
!
route TATA 0.0.0.0 0.0.0.0 121.X.X.2 1 track 1
route ISHAN 0.0.0.0 0.0.0.0 103.X.X.169 254
!
! FOR TRACK
route TATA 8.8.8.8 255.255.255.255 121.X.X.2
!
sla monitor 1
 type echo protocol ipIcmpEcho 8.8.8.8 interface TATA
sla monitor schedule 1 life forever start-time now
!
track 1 rtr 1 reachability

8 Replies

Marvin Rhoads
Hall of Fame

As long as the backup address is reachable from the Internet the pings to it will work. The echo replies can go out from the primary address using the default route even if the echo requests come in on the backup.
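
Marvin's explanation above, worked through as an added example that is not part of the original thread: a short Python model of the three static routes in the posted configuration. It makes three assumptions. Track state is supplied directly instead of being measured by an SLA probe; the redacted 121.X.X.x and 103.X.X.x addresses are replaced with RFC 5737 documentation addresses (203.0.113.0/30 for TATA, 198.51.100.8/29 for ISHAN, 192.0.2.50 as a host on the Internet); and, as Marvin describes, the firewall routes its echo reply by the requester's address, not by the interface the request arrived on. The names Route, lookup and echo_reply_path are the example's own.

```python
# Added example (not code from the original post): a model of how a single
# firewall with a tracked default route and a floating backup route picks the
# egress interface for an echo reply. Addresses are RFC 5737 documentation
# ranges substituted for the redacted 121.X.X.x / 103.X.X.x values in the thread.
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    """One 'route <iface> <net> <mask> <gw> [<distance>] [track <id>]' line."""
    iface: str
    network: ipaddress.IPv4Network
    nexthop: str
    distance: int = 1            # administrative distance; 254 = floating backup
    track: Optional[int] = None  # SLA track object the route depends on, if any


def route(iface: str, cidr: str, nexthop: str, distance: int = 1,
          track: Optional[int] = None) -> Route:
    return Route(iface, ipaddress.IPv4Network(cidr), nexthop, distance, track)


# The three static routes from the thread, with constructed gateway addresses.
THREAD_ROUTES: List[Route] = [
    route("TATA", "0.0.0.0/0", "203.0.113.2", 1, track=1),  # primary default
    route("ISHAN", "0.0.0.0/0", "198.51.100.9", 254),       # floating backup
    route("TATA", "8.8.8.8/32", "203.0.113.2"),            # pins the SLA probe
]


def installed_routes(routes: List[Route], track_state: Dict[int, bool]) -> List[Route]:
    """Routes present in the routing table. A tracked route is withdrawn
    while its track object reports the probe target unreachable."""
    return [r for r in routes if r.track is None or track_state.get(r.track, False)]


def lookup(routes: List[Route], track_state: Dict[int, bool], dst: str) -> Optional[Route]:
    """Longest-prefix match first, then lowest administrative distance."""
    addr = ipaddress.IPv4Address(dst)
    candidates = [r for r in installed_routes(routes, track_state) if addr in r.network]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r.network.prefixlen, r.distance))


def echo_reply_path(routes: List[Route], track_state: Dict[int, bool],
                    inbound_iface: str, requester: str) -> Tuple[str, Optional[str]]:
    """(ingress, egress) for the echo reply to a host that pinged one of the
    firewall's own interface addresses. The reply is routed by its destination
    (the requester), so the ingress interface does not constrain it."""
    chosen = lookup(routes, track_state, requester)
    return inbound_iface, (chosen.iface if chosen else None)


if __name__ == "__main__":
    internet_host = "192.0.2.50"  # constructed: an Internet host pinging the backup IP
    for state in ({1: True}, {1: False}):
        label = "track 1 UP  " if state[1] else "track 1 DOWN"
        ingress, egress = echo_reply_path(THREAD_ROUTES, state, "ISHAN", internet_host)
        probe = lookup(THREAD_ROUTES, state, "8.8.8.8")
        print(f"{label}: request arrives on {ingress}, reply leaves via {egress}; "
              f"SLA probe to 8.8.8.8 leaves via {probe.iface}")
```

Running it prints one line per track state. With track 1 up, a ping that arrives on ISHAN is answered via TATA, which is why the backup IP stays reachable while the primary is healthy; with track 1 down, the distance-254 floating route takes over and the reply leaves via ISHAN. The probe to 8.8.8.8 leaves via TATA in both cases because of the untracked host route, so the track can notice the primary recovering instead of being satisfied by a reply sent over the backup. On the firewall itself, show route and show track 1 report which default route is installed and the current track state.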

Hi Marvin,

Thanks for answering my query, but how can I stop it? I want the backup to only activate when the primary line goes down. I had a similar setup on an ASA 5515 and it is working as expected there.

balaji.bandi
Hall of Fame

You mean the backup FW IP address? Sure, you are able to ping it, and it is reachable there.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Hi Balaji,

I want my backup line to only activate when the primary line goes down. Is there any way to do this on this device? Because I was able to do it on an ASA 5515, where I have a standby backup line that is only reachable from the internet if my track for the primary line goes down.

Sorry, it's been lost here after a long time; what is the issue now, after 5 months?

Look at the example below:

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/118962-configure-asa-00.html


BB

This is what I configured exactly, but the thing is the backup and primary are both reachable from the internet even if the default route is only pointing to the primary internet gateway. I need my backup ISP to be on standby only, and it should not be reachable from the internet when the primary ISP is up. Per my understanding, a floating default route and a default static route with a tracker should be enough, but it seems not to be working.

"backup and primary are both reachable from the internet"

Need clarification: yes, those will be reachable since they are public IP addresses; you do not have control over that.

What is important here is that outgoing traffic always uses the active link, as mentioned, and it fails over automatically based on the track you configured?

So is the failover working?


BB

The problem is it is only one ASA with dual ISP; both are not supposed to be active at the same time. The failover is working; I'm having an issue with the L2L VPN because both are showing up and reachable from the internet. If you did what was configured in the Cisco document you sent, you'll know that you should not be able to ping the backup public IP from the internet when the primary is up, because the default route is pointing towards the gateway of the primary ISP.