Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2976
Views
0
Helpful
2
Replies

Cisco ASA - Route-MAP with next hop verify availability

Go to solution
Mike-Zimmermann
Level 1
Level 1

‎04-03-2019 05:40 AM

Hi,

Following scenario…

We have a Cisco ASA firewall with ONE default static route to our external interface with a fast connection to the internet.

Besides this we have another external interface which has also internet connection but over a different ISP and much slower.

I have configured a Route-Map on an internal interface to route special traffic specially to this slower connection.

Everything works fine.

When I disable the external interface on the ASA with the slower internet connection, the traffic is automatically routed through the faster connection to the internet, which is also fine.

BUT… when the interface with the slower connection stays up even there is no internet connection… the traffic is not routed automatically over the faster connection.

I can configure over ASDM a “next hop verify availability” in the route-map under the tab “Policy Based Routing” (sequence number, ip address and tracking object id) but it doesn’t work and I guess I have to configure something else.

 

What do I have to configure additionally so that the special traffic is routed automatically to the faster connection when there is no internet connection on the slower interface?

 

If possible please explain the way over ASDM :-)

 

Thx!!!

 

Regards

 

Mike

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Mike-Zimmermann
Level 1
Level 1
In response to Deepak Kumar

‎04-05-2019 06:58 AM - edited ‎04-05-2019 07:01 AM

Thanks for your help but I actually don't want to have a second default route.

I've actually been looking more for this solution:

 

sla monitor 1
  type echo protocol ipIcmpEcho NEXT-HOP-IP interface EXTERN-INTERFACE
  frequency 10
  timeout 5000

sla monitor schedule 1 life forever start-time now

 

track 1 rtr 1 reachability

 

route-map RM-NAME permit 10
  match ip address ACL-NAME
  set ip next-hop verify-availability NEXT-HOP-IP 1 track 1

 

Regards,

 

Mike

View solution in original post

0 Helpful
2 Replies 2

Go to solution
Deepak Kumar
VIP Alumni
VIP Alumni

‎04-03-2019 06:53 AM

Hi,

Here is the ASDM guide:

https://www.cisco.com/c/en/us/td/docs/security/asa/asa97/asdm77/general/asdm-77-general-config/route-static.html

 

If you want commands then share your current running configuration. 

Regards,
Deepak Kumar,
Don't forget to vote and accept the solution if this comment will help you!
0 Helpful

Go to solution
Mike-Zimmermann
Level 1
Level 1
In response to Deepak Kumar

‎04-05-2019 06:58 AM - edited ‎04-05-2019 07:01 AM

Thanks for your help but I actually don't want to have a second default route.

I've actually been looking more for this solution:

 

sla monitor 1
  type echo protocol ipIcmpEcho NEXT-HOP-IP interface EXTERN-INTERFACE
  frequency 10
  timeout 5000

sla monitor schedule 1 life forever start-time now

 

track 1 rtr 1 reachability

 

route-map RM-NAME permit 10
  match ip address ACL-NAME
  set ip next-hop verify-availability NEXT-HOP-IP 1 track 1

 

Regards,

 

Mike

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card