Cisco ASA 5510 dual ISP Active/Standby Fail-over

santiago.jem
Level 1

Hello Experts,

I have a dual ISP, 1 primary and 1 secondary terminated on fa0 and fa2 on our ASA respectively.

ASA was configured so that, when the primary fails, the secondary kicks in. 

! INTERFACE CONFIG
interface Ethernet0/0                              <----- ISP_1
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.80.1.1 255.255.255.0
!
interface Ethernet0/2
 nameif outside_p
 security-level 0
 pppoe client vpdn group ISP_2                    <----- ISP_2
 ip address pppoe setroute
!
! SLA CONFIG
sla monitor 1
 type echo protocol ipIcmpEcho 1.1.1.1 interface outside_p
 frequency 10
sla monitor schedule 1 life forever start-time now
!
track 1 rtr 1 reachability

It wasn't until yesterday, when we experienced downtime on the primary ISP, that we found the secondary doesn't do the fail-over.

I have to manually configure the device to use the secondary ISP.

Currently, I'm looking at maybe this has something to do with the licensing.

We are currently using a Base License, should we be upgrading to Security Plus?

Or am I missing something in my config?

Hope someone could point me out to the right direction.

Thank you.

Regards,

Jem


10 Replies

lcambron
Level 3

Hello Jem,

Did you confirm that the IP address in the "type echo protocol ipIcmpEcho" command was pingable through the outside interface?

Also, it seems like you missed the command:

num-packets 3

Can you also share the routes configuration?

Regards,

Felipe.

Hi Felipe,

Yes the IP Address you were talking about was pingable.

So, this is the command that I must be missing? num-packets 3?

Here's my route config:

!
route outside_p 0.0.0.0 0.0.0.0 x.x.x.x 1 track 1
route outside 0.0.0.0 0.0.0.0 y.y.y.y 255
!

So, it's outside_p that is being tracked. It's just that the secondary route doesn't seem to kick in when the primary fails. I sometimes need to issue: clear route outside_p, then change the NAT rules.

Jem,

Can you get a show route with the primary link enabled and a show route with the link disabled?

Please share the outputs.

Regards,

Felipe.

Hi Felipe,

Here is the output of show route:

Link is enabled:

Result of the command: "show route"

Gateway of last resort is x.x.x.x to network 0.0.0.0

C    10.80.1.0 255.255.255.0 is directly connected, inside
C    x.x.x.120 255.255.255.248 is directly connected, outside
d*   0.0.0.0 0.0.0.0 [1/0] via x.x.x.x, outside

Link is disabled:

Result of the command: "show route"

Gateway of last resort is y.y.y.y to network 0.0.0.0

C    10.80.1.0 255.255.255.0 is directly connected, inside
S*   0.0.0.0 0.0.0.0 [1/0] via y.y.y.y, outside_p

Is it safe to say that the backup route was used, and it's just that I need to change the firewall settings to use this backup route?

How will I configure backup firewall configuration for this backup route?

Thank you.

Jem,

The route seems to be taking over, so I don't think it is a routing issue.

It could actually be the NAT.

Do you have a global command for each interface (if running 8.2 or earlier)?

Can you share the nat configuration?

Regards,

Felipe.

Hi Felipe,

Yes, it could be the NAT configuration. But I've tried creating a back-up NAT rule before, and that wasn't successful either.

nat (inside,outside) source static NETWORK_OBJ_10.80.1.0_24 NETWORK_OBJ_10.80.1.0_24 destination static DM_INLINE_NETWORK_5 DM_INLINE_NETWORK_5 no-proxy-arp route-lookup
nat (inside,outside) source static Branch_Inside Branch_Inside destination static DM_INLINE_NETWORK_4 DM_INLINE_NETWORK_4 no-proxy-arp route-lookup
nat (inside,outside) source static Branch_Inside Branch_Inside destination static Roswell Roswell no-proxy-arp route-lookup
!
object network inside-net
 nat (inside,outside) dynamic interface
!
nat (inside,outside) after-auto source dynamic any interface
access-group outside_access_in_1 in interface outside control-plane
access-group outside_access_in in interface outside
access-group outside_access_out out interface outside
access-group outside_access_ipv6_in in interface outside
access-group outside_access_ipv6_out out interface outside
access-group outside_access_in in interface inside
access-group outside_access_out out interface inside
access-group outside_access_ipv6_in in interface inside
access-group outside_access_ipv6_out out interface inside
access-group outside_p_access_in in interface outside_p
access-group outside_p_access_out out interface outside_p
access-group global_access global
access-group global_access_ipv6 global
route outside_p 0.0.0.0 0.0.0.0 y.y.y.y 1 track 1
route outside 0.0.0.0 0.0.0.0 x.x.x.x 255

Before, I was really looking at the license being Base, as I may need to upgrade to Security Plus.

Hi Jem,

I don't see nat for the backup link.

Basically you need the same nat rules for outside and outside_p interfaces.

Keep in mind that if you use the same objects, you will overwrite the current ones.

Just for internet access you can add:

object network obj-any
 subnet 0 0
 nat (inside,outside_p) dynamic interface

This should allow internet access on the backup.

Please add the commands and try it again.

You can also set up some captures to see if the traffic is leaving on that interface and if the packet is being NAT'ed:

capture test interface outside_p match ip any host destination_IP

then use the 'show cap test' command to see the output.

Regards,

Felipe.
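
As an added worked example (not part of the original thread or of anyone's posted configuration), the fragment below puts together the pieces discussed above on ASA 8.3+ syntax: an SLA probe and track on the primary link, a tracked primary default route with a floating backup route, a dynamic NAT rule for each egress interface, and the commands used to confirm that a failover actually carries traffic. The interface names outside, outside_p and inside and the 10.80.1.0/24 subnet are taken from the thread; the gateway addresses, the probe target, the test host and the static outside addressing are placeholders from the RFC 5737 documentation ranges.

```cisco
! Added example, not from the thread. Static addressing is used on both ISP
! interfaces so the tracked static routes below are the only default routes.
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248
! If the primary keeps "ip address dhcp setroute", attach the track to the
! learned route instead of using a static route:
!   dhcp client route track 1
! and on a "pppoe setroute" backup raise its distance so it floats:
!   pppoe client route distance 254
!
interface Ethernet0/2
 nameif outside_p
 security-level 0
 ip address 198.51.100.2 255.255.255.248
!
! Probe the primary ISP gateway out of the PRIMARY interface. The track
! goes down only after num-packets consecutive probes time out, so a
! single lost echo does not flap the default route.
sla monitor 1
 type echo protocol ipIcmpEcho 203.0.113.1 interface outside
 num-packets 3
 frequency 10
sla monitor schedule 1 life forever start-time now
track 1 rtr 1 reachability
!
! Primary default route is removed from the table while track 1 is down;
! the backup route with administrative distance 254 is installed instead.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1 track 1
route outside_p 0.0.0.0 0.0.0.0 198.51.100.1 254
!
! NAT is per interface pair, so each egress interface needs its own rule.
! An object network accepts only ONE nat line: adding
! "nat (inside,outside_p) dynamic interface" under inside-net would
! replace the (inside,outside) rule, which is why a second object is used.
object network inside-net
 subnet 10.80.1.0 255.255.255.0
 nat (inside,outside) dynamic interface
object network inside-net-backup
 subnet 10.80.1.0 255.255.255.0
 nat (inside,outside_p) dynamic interface
!
! Verification after pulling the primary link (or shutting Ethernet0/0):
!   show track 1                         - expect "Reachability is Down"
!   show sla monitor operational-state   - probe status and timeouts
!   show route                           - default should now point at outside_p
!   show nat detail                      - translate_hits on the outside_p rule
!   packet-tracer input inside tcp 10.80.1.50 40000 192.0.2.10 80
!                                        - last phase shows egress outside_p, NAT applied
!   capture test interface outside_p match ip any host 192.0.2.10
!   show capture test                    - packets leaving with the outside_p address
```

Run the packet-tracer and the capture before and after the failover: if packet-tracer reports the right egress interface but the capture on outside_p stays empty, the problem is the route or track, and if both show traffic leaving with the inside address untranslated, the missing piece is the NAT rule for that interface pair.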

Hi Felipe,

Yes will try that one, I'm out of the office today.

So there's no way we can configure to use the Backup Link to be used as VPN Peer?

The command above is only for internet access right?

Regards,

Jemel

You can configure the backup link as a VPN peer, but it will only work when this link is being used as the primary, meaning for redundancy only; both links can't be active at the same time.

And yes the commands I provided are just for internet access.

Regards,

Felipe.

Thanks Felipe,

Problem solved. I just created NAT rules using both outside interfaces and it seems it worked.

I opted to use the ASDM for easier config changes and it worked.

Thanks!
