Solved: Re: Configuring Failover DUAL ISP on Single ASA 5515X using Static Route SLA monitoring

V Rajshekar · ‎04-30-2018

I configured,

interface GigabitEthernet0/0
description WAN
nameif outside
security-level 0
ip address 203.92.x,x 255.255.255.248

interface GigabitEthernet0/3
description TATA_WAN
nameif Backup-link
security-level 0
ip address 203.192.x.x 255.255.255.248

route outside 0.0.0.0 0.0.0.0 203.92.x.x 1 track 10
route Backup-link 0.0.0.0 0.0.0.0 203.192.x.x 2

track 10 ip sla 10 reachability

sla monitor 10
type echo protocol ipIcmpEcho 4.2.2.2 interface outside
frequency 5
sla monitor schedule 1 life forever start-time now

After I added this config, when I check "show route" it does not display the default route.

Marius Gunnerud · ‎05-02-2018

could you post the full output of show route before and after you add the tracking to the default route.

Also provide the full output of show sla monitor operational-state once you have added tracking.

--
Please remember to select a correct answer and rate helpful posts

View solution in original post

Karsten Iwen · ‎04-30-2018

And what does "show route" display? And what gives "show sla monitor operational-state"?

Marius Gunnerud · ‎04-30-2018

This is odd behavior. I set this up in my home lab and got the same result that when the SLA timeout the backup default route was not entered into the routing table. I then removed the backup route and readded it using administrative distance 254 and that worked. switch back to administrative distance 2 and now that also worked. not sure what happened.

Try what I did, remove it, add it back with 254, test that it works, then remove and add it back with 2.

--
Please remember to select a correct answer and rate helpful posts

V Rajshekar · ‎04-30-2018

Thank you for the quick response.

As soon as I add the SLA monitoring config for the static route. The primary ISP link goes down and the route is deleted from the routing table and the failover also does not happening. I tried it with metric, 2, 10, 254 none of them helped.

Marius Gunnerud · ‎04-30-2018

is this a typo?

sla monitor schedule 1 life forever start-time now

it should be sla monitor schedule 10 life forever start-time now

--
Please remember to select a correct answer and rate helpful posts

V Rajshekar · ‎04-30-2018

@Marius Gunnerud Yes that was a typo. In the config s

la monitor schedule 10 life forever start-time now

Marius Gunnerud · ‎04-30-2018

Could you post the full running config of the ASA (remember to remove public IPs, usernames and passwords.)

--
Please remember to select a correct answer and rate helpful posts

V Rajshekar · ‎04-30-2018

Hi @Marius Gunnerud

Thank you. Here you go, this was taken when the issue occurred

For now, i have removed the SLA configuration from the running config as it was causing issues.

Marius Gunnerud · ‎04-30-2018

This is the first time I have seen "track 10 ip sla 10 reachability" on an ASA. I checked an ASA running version 9.6 and this command is not present on it. could you try changing this to "track 10 rtr 10 reachability"

--
Please remember to select a correct answer and rate helpful posts

V Rajshekar · ‎04-30-2018

Hi @Marius Gunnerud

Sorry, I made a mistake while entering, i tried it with

track 10 rtr 10 reachability

It still behaves the same

Marius Gunnerud · ‎05-01-2018

This is odd. could you provide an output of show route before and after failover?

also issue the command show sla monitor operational-state before and after failover.

Also, have you tried a restart of the ASA?

--
Please remember to select a correct answer and rate helpful posts

V Rajshekar · ‎05-01-2018

Before performing the failover, as soon as the SLA is configured for the primary route, the route is removed. The primary link is still connected and running however for some reason ASA does delete the default routes.

I will try rebooting, I have not tried that yet.

Marius Gunnerud · ‎05-01-2018

If it is removed the right when you add tracking to the route, then it sounds like there is an issue with reachability towards 4.2.2.2. Perhaps it is dropped in a firewall in the path or a routing issue. Are you able to ping 4.2.2.2 from the ASA? What if you tried using 8.8.8.8?

--
Please remember to select a correct answer and rate helpful posts

V Rajshekar · ‎05-02-2018

Hi @Marius Gunnerud

I am able to ping 4.2.2.2 and 8.8.8.8 before adding the SLA config.

However, as soon as I add it, the default route is removed and failover does not happen.

Marius Gunnerud · ‎05-02-2018

could you post the full output of show route before and after you add the tracking to the default route.

Also provide the full output of show sla monitor operational-state once you have added tracking.

--
Please remember to select a correct answer and rate helpful posts