Devinder Sharma

Dual ASAs running RIP with LAN switch, PBR and Dual ISPs

Hello All,

I am trying to engineer a solution that will use two ASAs, each terminating a different ISP, and I need a single user VLAN to use one ISP and all the others to use the second ISP. The inside network is HP Procurve and supports PBR, so I can set the next hop on a per-VLAN basis. In this scenario both ASAs will be active (they will not be in failover mode; they are currently set up as active / failover, with both connecting to the same ISP via an external switch).

Since the Procurve switch is not licensed for OSPF but does allow RIP, I was thinking of running RIPv2 between the two firewalls and the internal switch. I also need to track the health of the ISP circuits via SLA monitor, and I was planning on having the ASAs advertise a default route with different metrics and with a route map. Is it possible for me to influence the advertisement of the default route by the SLA monitor tracking, so that if an ISP fails, the default route is withdrawn and the second firewall, which is advertising a higher-metric default, becomes preferred by the LAN switch?

I have done this with Juniper and Fortigate firewalls (one each) running OSPF with HP Procurve switches, with ISP tracking and firewall hardware failover all covered, and it works great, but I have never implemented IP SLA / SLA monitor for a two-ASA, two-ISP scenario that also needs PBR.

I do notice that I can do default-information originate for RIP with the route-map keyword, but I cannot figure out the required code for a route map that tracks the status of the ISP object and thus triggers withdrawal of the default route advertisement by the associated ASA.

I would appreciate any advice on this, please.


Devinder Sharma
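One way to express the conditional default-route advertisement asked about above, as an added example that is not part of the original thread or of any Cisco documentation. It follows the IOS "conditional default-information originate" pattern: the SLA probe drives a tracked static host route to the probe target (a "canary"), and the route-map handed to `default-information originate` matches only that host route, so when the track goes down the canary leaves the routing table, the route-map matches nothing, and the default stops being originated into RIP. Whether the ASA's `router rip` evaluates the route-map against the routing table exactly as IOS does is an assumption that must be verified on a lab box. The addresses (203.0.113.1 as the ISP gateway, 198.51.100.1 as the probe target, 10.0.0.0 as the inside network) and the names ISP1_CANARY / ISP1_DEFAULT are placeholders; the second ASA is the mirror image against its own ISP.

```text
! --- ASA-1 (terminates ISP-1); ASA-2 is configured the same way for ISP-2 ---
! Addresses are RFC 5737 placeholders, not values from the thread.

! 1. Probe the ISP through the outside interface every 10 s.
sla monitor 1
 type echo protocol ipIcmpEcho 198.51.100.1 interface outside
 num-packets 3
 frequency 10
sla monitor schedule 1 life forever start-time now

! 2. Bind the probe result to a track object.
track 1 rtr 1 reachability

! 3. The real default route, tracked so this ASA stops forwarding to a dead ISP.
!    On its own this changes the ASA's forwarding, not what RIP advertises.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1 track 1

! 4. Canary host route to the probe target, tracked by the same object.
!    Its only job is to exist in the routing table while ISP-1 is reachable.
route outside 198.51.100.1 255.255.255.255 203.0.113.1 1 track 1

! 5. Route-map that matches nothing but the canary route.
access-list ISP1_CANARY standard permit host 198.51.100.1
route-map ISP1_DEFAULT permit 10
 match ip address ISP1_CANARY

! 6. RIPv2 toward the Procurve side. The default is originated only while the
!    route-map matches a route in the table (IOS semantics, assumed to hold on
!    the ASA - verify in a lab before relying on it).
router rip
 version 2
 network 10.0.0.0
 no auto-summary
 passive-interface outside
 default-information originate route-map ISP1_DEFAULT
```

Two caveats a practitioner would check. First, the probe is pinned to `interface outside`, so it keeps running after the tracked routes are withdrawn; otherwise recovery of the ISP would never be detected. Second, the PBR next hop configured on the switch for the special VLAN is static and does not consult RIP: if that VLAN is pinned to ASA-2 and ISP-2 dies, the withdrawn RIP default helps the other VLANs but not the pinned one, so the switch-side PBR needs its own reachability check or fallback for that next hop.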


With RIP you can use default-information originate, but you cannot influence the metric or the default route.

Also, to do SLA tracking you need to have both ISPs on the same ASA.

Also look at this for some more suggestions, as you have routers to facilitate your need.



Hi Sachin,

Thanks for your detailed advice. I don't have an ASA to verify, but I did notice somewhere in a Cisco example using ASDM for RIP that the screenshot had the route-map and metric options. And I do have a working two-ISP, two-ASA setup running SLA monitor at another customer, and failover happens within 30 seconds if an ISP circuit goes down or if the firewall is down. The issue here is the addition of PBR to the mix and a non-Cisco LAN.

I had proposed a Cisco router, but the customer does not have the budget at this time. Otherwise, I could simply use the router as the customer core router, run IP SLA through both ASAs, and then also run OSPF between the two ASAs and the router, and everything would work.

Please do share if anything else comes to mind.


Devinder Sharma
