Re: How to track global DNS from secondary ISP on ASA.(Load ssharing) ?

chintan0111 · ‎12-18-2017

I am using ASA (vers. 9.6) with firepower services and SFR modules are managed by FMC.

We have two ISP directly connected to ASA. and I configured ISP1 as primary by configuring static route.

with tracking.

I want to load share traffic on source ip based. So for ISP2 i am not able track or ping 4.2.2.2 i can onlly ping or track ISP2 gtaeway ip.

So How can i track or ping global dns 4.2.2. from ISP2.Because sometime Gateway of ISP is up bt theh internet is not working still.

Please find below run-config.

route-map equal-access permit 10

match ip address ISP1-LB

set ip next-hop verify-availability x.x.x.x 1 track 10

set ip next-hop verify-availability y.y.y.y 2 track 20

!

route-map equal-access permit 20

match ip address ISP2-LB

set ip next-hop verify-availability y.y.y.y 1 track 20

set ip next-hop verify-availability x.x.x.x 2 track 10

sla monitor 1

type echo protocol ipIcmpEcho 4.2.2.2 interface ISP1

frequency 5

sla monitor schedule 1 life forever start-time now

sla monitor 10

type echo protocol ipIcmpEcho 4.2.2.2 interface ISP1

frequency 5

sla monitor schedule 10 life forever start-time now

sla monitor 20

type echo protocol ipIcmpEcho y.y.y.y interface ISP2

frequency 5

sla monitor schedule 20 life forever start-time now

route ISP1 0.0.0.0 0.0.0.0 x.x.x.x 1 track 1

route ISP2 0.0.0.0 0.0.0.0 y.y.y.y 10

Marvin Rhoads · ‎12-19-2017

An ASA really doesn't do load sharing across different ISPs / gateways.

Your default route via ISP2 will always have administrative distance of greater cost (10) than the default route via ISP1 (1) (unless the ISP1 gateway is unreachable). That is why you will not be able to reach the upstream tracked address via that path.

chintan0111 · ‎01-07-2018

Thanks Marvin,

Is there any other we can achieve the same, Like we can use Router ahead of ASA and can track upstream from ISP2?