IP SLA/PBR behavior for Firepower

ryan14
Level 1

We have an FTD with two ISPs where Guest traffic PBR policy uses the backup circuit. I am wondering though, is it possible to use IP SLA in conjunction with PBR so that if this circuit has issues, it falls back to the other circuit? Or is the PBR always going to be in effect?

Accepted Solution

rschlayer
Level 4

Hello @ryan14

You can configure an IP SLA track and add that track in the set clause of your route map. When the track goes down, the device will route the traffic using normal route lookup.

See here: https://www.cisco.com/c/en/us/td/docs/security/asa/asa96/configuration/general/asa-96-general-config/route-policy-based.html#ID-2182-00000032

BR
Rick


3 Replies


Thank you for that info. I'm still a little confused. If I have a default route pointing to the other (primary) circuit, and the IP SLA responder is up (because the primary circuit is), how does the FTD check the availability of the backup circuit if the default route on the FTD is sending traffic via the primary? Is there a way to specify the source interface?

In the IP SLA track you define the interface to use for pinging. If the interface is down, or the GW for that interface is down, the ping fails and therefore the track fails.
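Putting the accepted answer and the follow-up about the probe's source interface together, here is an ASA-style CLI sketch of the tracked PBR setup (added here for illustration, not from the thread or from Cisco's documentation). The interface names, addresses, ACL/route-map names and object numbers are placeholders I chose, and on FMC-managed FTD the equivalent is deployed through FlexConfig or the PBR policy UI depending on version.

```cisco
! Probe the backup ISP gateway from the backup interface itself, so the
! probe does not follow the default route out the primary circuit.
sla monitor 10
 type echo protocol ipIcmpEcho 203.0.113.1 interface backup
 num-packets 3
 frequency 10
sla monitor schedule 10 life forever start-time now

! Track object goes down when the SLA probe stops getting replies.
track 1 rtr 10 reachability

! Guest subnet (placeholder) that should use the backup ISP.
access-list GUEST-PBR extended permit ip 192.168.50.0 255.255.255.0 any

! PBR route map: the next hop is only used while track 1 is up. Once the
! track fails, matching traffic falls back to the normal routing table,
! i.e. the default route via the primary ISP.
route-map GUEST-PBR permit 10
 match ip address GUEST-PBR
 set ip next-hop verify-availability 203.0.113.1 1 track 1

! Apply the policy on the interface where guest traffic enters the box.
interface GigabitEthernet0/2
 nameif guest
 policy-route route-map GUEST-PBR
```

Verify the state with `show track 1` and `show sla monitor operational-state 10`; guest flows should shift to the primary circuit only after the track reports down.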
