04-03-2013 02:24 PM - edited 03-11-2019 06:23 PM
Hello Experts,
I have a dual ISP, 1 primary and 1 secondary terminated on fa0 and fa2 on our ASA respectively.
ASA was configured so that, when the primary fails, the secondary kicks in.
! INTERFACE CONFIG
interface Ethernet0/0 <----- ISP_1
nameif outside
security-level 0
ip address dhcp setroute
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.80.1.1 255.255.255.0
!
interface Ethernet0/2
nameif outside_p
security-level 0
pppoe client vpdn group ISP_2 <----- ISP_2
ip address pppoe setroute
! SLA CONFIG
sla monitor 1
type echo protocol ipIcmpEcho 1.1.1.1 interface outside_p
frequency 10
sla monitor schedule 1 life forever start-time now
!
track 1 rtr 1 reachability
It was until yesterday that we experienced downtime on the primary ISP that the secondary doesn't do the fail-over.
I have to manually configure the device to use the secondary ISP.
Currently, I'm looking at maybe this has something to do with the licensing.
We are currently using a Base License, should we be upgrading to Security Plus?
Or am I missing something in my config?
Hope someone could point me out to the right direction.
Thank you.
Regards,
Jem
04-03-2013 03:59 PM
Hello Jem,
Did you confirm the IP address on the "type echo protocol ipIcmpEcho" was pingable through the outside interface?
Also seems like you missed the command:
num-packets 3
Can you also share the routes configuration?
Regards,
Felipe.
04-03-2013 05:53 PM
Hi Felipe,
Yes the IP Address you were talking about was pingable.
So, this is the command that I must be missing? num-packets 3?
Here's my route config:
!
route outside_p 0.0.0.0 0.0.0.0 x.x.x.x 1 track 1
route outside 0.0.0.0 0.0.0.0 y.y.y.y 255
!
So, it's outside_p that is being tracked. It's just that the secondary route doesn't seem to kick in when the primary fails. I sometimes need to issue: clear route outside_p, then change the NAT rules.
04-04-2013 07:25 PM
Jem,
Can you get a show route with the primary link enabled and a show route with the link disabled?
Please share the outputs.
Regards,
Felipe.
04-08-2013 02:03 PM
Hi Felipe,
Here is the output of show route:
Link is enabled:
Result of the command: "show route"
Gateway of last resort is x.x.x.x to network 0.0.0.0
C 10.80.1.0 255.255.255.0 is directly connected, inside
C x.x.x.120 255.255.255.248 is directly connected, outside
d* 0.0.0.0 0.0.0.0 [1/0] via x.x.x.x, outside
Link is disabled:
Result of the command: "show route"
Gateway of last resort is y.y.y.y to network 0.0.0.0
C 10.80.1.0 255.255.255.0 is directly connected, inside
S* 0.0.0.0 0.0.0.0 [1/0] via y.y.y.y, outside_p
Is it safe to say that the backup route was used,
it's just that I need to change the firewall settings to use this backup route?
How will I configure backup firewall configuration for this backup route?
Thank you.
04-08-2013 06:13 PM
Jem,
The route seems to be taking over, so I don't think it is a routing issue.
It could actually be the NAT.
Do you have a global command for each interface (if running 8.2 or earlier)?
Can you share the nat configuration?
Regards,
Felipe.
04-08-2013 07:44 PM
Hi Felipe,
Yes, it could be the NAT configuration. But I've tried creating a back-up NAT rule before, but that wasn't successful either.
nat (inside,outside) source static NETWORK_OBJ_10.80.1.0_24 NETWORK_OBJ_10.80.1.0_24 destination static DM_INLINE_NETWORK_5 DM_INLINE_NETWORK_5 no-proxy-arp route-lookup
nat (inside,outside) source static Branch_Inside Branch_Inside destination static DM_INLINE_NETWORK_4 DM_INLINE_NETWORK_4 no-proxy-arp route-lookup
nat (inside,outside) source static Branch_Inside Branch_Inside destination static Roswell Roswell no-proxy-arp route-lookup
!
object network inside-net
nat (inside,outside) dynamic interface
!
nat (inside,outside) after-auto source dynamic any interface
access-group outside_access_in_1 in interface outside control-plane
access-group outside_access_in in interface outside
access-group outside_access_out out interface outside
access-group outside_access_ipv6_in in interface outside
access-group outside_access_ipv6_out out interface outside
access-group outside_access_in in interface inside
access-group outside_access_out out interface inside
access-group outside_access_ipv6_in in interface inside
access-group outside_access_ipv6_out out interface inside
access-group outside_p_access_in in interface outside_p
access-group outside_p_access_out out interface outside_p
access-group global_access global
access-group global_access_ipv6 global
route outside_p 0.0.0.0 0.0.0.0 y.y.y.y 1 track 1
route outside 0.0.0.0 0.0.0.0 x.x.x.x 255
Before I was really looking at the license being Base as I may need to upgrade to Security Plus.
04-09-2013 01:26 PM
Hi Jem,
I don't see nat for the backup link.
Basically you need the same nat rules for outside and outside_p interfaces.
Keep in mind that if you use the same objects, you will overwrite the current ones.
Just for internet access you can add:
object network obj-any
subnet 0 0
nat (inside,outside_p) dynamic interface
This should allow internet access on the backup.
Please add the commands and try it again.
You can also set up some captures to see if the traffic is leaving on that interface and if the packet is being NAT'ed.
capture test interface outside_p match ip any host destination_IP
then use the 'show cap test' command to see the output.
Regards,
Felipe.
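As an added example (not from the thread), here is how the pieces Felipe describes fit together in ASA 8.3+ syntax: a separate network object for each egress interface so the backup NAT rule does not replace the primary one, the tracked routes as posted, and the capture for checking that traffic is NAT'ed on outside_p. Interface names, gateways and the probe target are taken from the thread; the object names obj-inside-net and obj-inside-net-backup are assumed.

```cisco
! Added example, not the original poster's configuration.
! Reachability probe and tracked default routes (as posted in the thread,
! with the num-packets line Felipe pointed out).
sla monitor 1
 type echo protocol ipIcmpEcho 1.1.1.1 interface outside_p
 num-packets 3
 frequency 10
sla monitor schedule 1 life forever start-time now
track 1 rtr 1 reachability
!
route outside_p 0.0.0.0 0.0.0.0 y.y.y.y 1 track 1
route outside 0.0.0.0 0.0.0.0 x.x.x.x 255
!
! One object per egress interface. A network object carries a single
! object-NAT statement, so adding "nat (inside,outside_p) ..." to the
! existing object would overwrite its (inside,outside) rule instead of
! adding a second one. Object names below are assumed.
object network obj-inside-net
 subnet 10.80.1.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
object network obj-inside-net-backup
 subnet 10.80.1.0 255.255.255.0
 nat (inside,outside_p) dynamic interface
!
! Verification after the primary link goes down:
!   show track 1       -> reachability state driven by sla monitor 1
!   show route         -> which default route is installed (the thread's
!                         output shows S* via y.y.y.y, outside_p)
!   show nat detail    -> both dynamic rules present, with hit counts
!   capture test interface outside_p match ip any host <destination_IP>
!   show capture test  -> packets leaving outside_p should carry the
!                         outside_p interface address as their source
```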
04-09-2013 05:21 PM
Hi Felipe,
Yes will try that one, I'm out of the office today.
So there's no way we can configure to use the Backup Link to be used as VPN Peer?
The command above is only for internet access right?
Regards,
Jemel
04-09-2013 06:08 PM
You can configure the backup link as a VPN peer but will only work if this link is being used as the primary, meaning for redundancy only, both links can't be active at the same time.
And yes the commands I provided are just for internet access.
Regards,
Felipe.
04-14-2013 08:32 PM
Thanks Felipe,
Problem solved. I just created NAT rules using both outside interfaces and it seemed it worked.
I opted to use the ASDM for easier config changes and it worked.
Thanks!