I would suggest is to remove the SLA monitoring configuration and then try to reach the addresses that you are using for monitoring, if they are not reachable and you remove the line that I told you to remove then the ISP is blocking ICMP or you have some other configuration that is conflicting with the ICMP portion that we might resolve if you send me the packet-tracer that I requested.

Please check with a packet-tracer how the PIX would consider to route to that destine address from a LOCAL address (PC).

packet-tracer input inside icmp 8 0 detail

Do you still need assistance?

Hi Jumora,

Yes we are still troubleshooting this issue but I have been tied up on a big VPN build recently.

I think this issue maybe a routing one and I need to go through the config line by line. This is assumed because for some reason the routing table is not flushing when ISP 1 comes back up, which I know is triggered by the track command but could be something unrelated as you have said. Both routes are static so it should all be fine. The AD is also correct with 1 for ISP 1 and 254 for ISP 2.

Just to clarify the ping results. The SLA monitor is sending pings to the ISP 1 gateway, if this goes down and therefore is not reachable ISP 2 comes into to play, all good so far. Then when ISP 1 comes back up and is therefore reachable by a simple ping, it should then put the ISP 1 route back in the routing table, which is not happening.

I have not had time as yet to run packet tracer as the system is in a live network.

Any more thoughts ?

We can progress as soon as you can get me the packet-tracer, I think it is key to resolving this issue.

If this persist after confirming that the SLA monitored IP address is available and packet tracer does not demonstrate anything I would suggest to upgrade to interim release as I have not found a bug but this could be an issue with the code.