04-14-2021 06:52 AM
Hi,
Can someone please help me figure out why my Cisco ASA 5508 floating backup default route is active even if the primary is still up? My expected result is that I should not be able to ping the backup IP if the primary is still up, but what's happening is I am able to ping both from the Internet. My track is working, and when I show route the default route is pointing to TATA, which is the primary.
Cisco Adaptive Security Appliance Software Version 9.8(4)20
Firepower Extensible Operating System Version 2.2(2.124)
Device Manager Version 7.8(1)
!
interface GigabitEthernet1/3
description ---- PRIMARY----
speed 100
duplex full
nameif TATA
security-level 0
ip address 121.X.X.1 255.255.255.252
!
interface GigabitEthernet1/6
description ---BACKUP----
speed 100
duplex full
nameif ISHAN
security-level 0
ip address 103.X.X.170 255.255.255.248
!
route TATA 0.0.0.0 0.0.0.0 121.X.X.2 1 track 1
route ISHAN 0.0.0.0 0.0.0.0 103.X.X.169 254
! FOR TRACK
route TATA 8.8.8.8 255.255.255.255 121.X.X.2
!
sla monitor 1
type echo protocol ipIcmpEcho 8.8.8.8 interface TATA
sla monitor schedule 1 life forever start-time now
!
track 1 rtr 1 reachability
04-14-2021 06:58 AM
As long as the backup address is reachable from the Internet the pings to it will work. The echo replies can go out from the primary address using the default route even if the echo requests come in on the backup.
10-22-2021 08:26 AM
Hi Marvin,
Thanks for answering my query, but how can I stop it? I want the backup to only activate when the primary line goes down. I had a similar setup for an ASA5515 and it is working as expected there.
04-14-2021 12:20 PM
You mean the backup FW IP address? Sure, you are able to ping it and it is reachable there.
10-22-2021 08:29 AM
Hi Balaji,
I want my backup line to only activate when the primary line goes down. Is there any way to do this on this device? Because I was able to do it on an ASA5515, where I have a standby backup line that will only be reachable from the Internet if my track for the primary line goes down.
10-22-2021 09:20 AM
Sorry, this got lost here after a long time. What is the issue now, after 5 months?
Look at the example below:
10-22-2021 09:30 AM
This is exactly what I configured, but the thing is the backup and primary are both reachable from the Internet even if the default route is only pointing to the primary Internet gateway. I need my backup ISP to be on standby only and it should not be reachable from the Internet when the primary ISP is up. Per my understanding, a floating default route and a default static route with a tracker should be enough, but it seems not to be working.
10-22-2021 09:55 AM
backup and primary are both reachable from the internet
Need clarification: yes, those will be reachable since they are public IP addresses; you do not have control over that.
What is important here: outgoing traffic always uses the active link, as mentioned, and it auto-fails over based on the track you configured.
So, is the failover working?
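The distinction the replies above make, between which default route is installed and which interface addresses answer pings, can be seen in a small model. This is an added example, not configuration or code from the thread or from Cisco: it reproduces the floating-static-route selection (administrative distance 1 tied to track 1, distance 254 as the fallback) using the interface names from the posted configuration, with RFC 5737 documentation addresses standing in for the masked public IPs and a constructed track state. The `icmp_policy` attribute models the effect of an ASA `icmp deny any <nameif>` statement on echo requests terminating on an interface; it is an assumption of this model, not something the thread configured.

```python
"""Model of ASA floating static routes with SLA tracking (added example)."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Route:
    interface: str                 # nameif the route points out of
    prefix: str                    # destination prefix
    gateway: str                   # next hop
    distance: int                  # administrative distance (1 = preferred)
    track: Optional[int] = None    # track object the route depends on, if any


@dataclass
class Asa:
    interfaces: dict                                   # nameif -> interface IP (constructed)
    routes: list                                       # configured static routes
    track_state: dict = field(default_factory=dict)    # track id -> "up" / "down"
    icmp_policy: dict = field(default_factory=dict)    # nameif -> False if "icmp deny any" is modelled

    def installed_routes(self):
        """RIB view: a tracked route is withdrawn while its track object is down."""
        return [r for r in self.routes
                if r.track is None or self.track_state.get(r.track, "down") == "up"]

    def best_route(self, prefix="0.0.0.0/0"):
        """Among installed routes for the prefix, the lowest administrative distance wins."""
        candidates = [r for r in self.installed_routes() if r.prefix == prefix]
        return min(candidates, key=lambda r: r.distance, default=None)

    def egress_interface(self):
        """Interface used for outbound Internet traffic right now."""
        r = self.best_route()
        return r.interface if r else None

    def owns_address(self, ip):
        """True if ip is one of the ASA's own interface addresses."""
        return ip in self.interfaces.values()

    def answers_ping(self, ip):
        """Echo to an interface address is answered regardless of which default
        route is installed, unless ICMP to that interface is denied."""
        for nameif, addr in self.interfaces.items():
            if addr == ip:
                return self.icmp_policy.get(nameif, True)
        return False

    def sla_result(self, track_id, probe_succeeded):
        """Apply the outcome of the SLA echo probe to 'track <id> rtr <id> reachability'."""
        self.track_state[track_id] = "up" if probe_succeeded else "down"


def build_asa():
    """ASA configured like the thread: tracked primary default, floating backup default."""
    asa = Asa(
        interfaces={"TATA": "203.0.113.1", "ISHAN": "198.51.100.170"},  # constructed addresses
        routes=[
            Route("TATA", "0.0.0.0/0", "203.0.113.2", 1, track=1),
            Route("ISHAN", "0.0.0.0/0", "198.51.100.169", 254),
            Route("TATA", "8.8.8.8/32", "203.0.113.2", 1),   # keeps the probe on the primary
        ],
    )
    asa.sla_result(1, True)   # sla monitor 1 reaches 8.8.8.8, so track 1 is up
    return asa


def scenario():
    """Walk the model through primary up, primary down, primary restored."""
    asa = build_asa()
    out = {"egress_up": asa.egress_interface(),
           "backup_pingable_up": asa.answers_ping("198.51.100.170")}
    asa.sla_result(1, False)                 # probe fails: track 1 goes down
    out["egress_down"] = asa.egress_interface()
    asa.sla_result(1, True)                  # probe recovers
    out["egress_restored"] = asa.egress_interface()
    asa.icmp_policy["ISHAN"] = False         # model 'icmp deny any ISHAN'
    out["backup_pingable_denied"] = asa.answers_ping("198.51.100.170")
    return out


if __name__ == "__main__":
    print(scenario())
```

With track 1 up the model selects TATA for egress, yet the ISHAN address still answers echo because the ASA owns it; withdrawing the tracked route only changes the egress interface. On the appliance itself the corresponding checks are `show route`, `show track 1` and `show sla monitor operational-state 1`; if the goal is merely that the backup address stop answering pings while it is idle, the ASA `icmp` interface command (for example `icmp deny any ISHAN`) restricts ICMP terminating on that interface without touching routing, which is the behaviour the last line of `scenario()` models.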
10-22-2021 10:05 AM