Solved: Re: IP SLA/PBR behavior for Firepower

ryan14 · ‎05-03-2021

We have an FTD with two ISPs where Guest traffic PBR policy uses the backup circuit. I am wondering though, is it possible to use IP SLA in conjunction with PBR so that if this circuit has issues, it falls back to the other circuit? Or is the PBR always going to be in effect?

rschlayer · ‎05-03-2021

Hello @ryan14

You can configure an IP SLA track and add that track in the set clause of your route map. When the track goes down the device will route the device using normal route lookup.

See here: https://www.cisco.com/c/en/us/td/docs/security/asa/asa96/configuration/general/asa-96-general-config/route-policy-based.html#ID-2182-00000032

BR
Rick

View solution in original post

rschlayer · ‎05-03-2021

Hello @ryan14

You can configure an IP SLA track and add that track in the set clause of your route map. When the track goes down the device will route the device using normal route lookup.

See here: https://www.cisco.com/c/en/us/td/docs/security/asa/asa96/configuration/general/asa-96-general-config/route-policy-based.html#ID-2182-00000032

BR
Rick

ryan14 · ‎05-03-2021

Thank you for that info. I'm still a little confused. If I have a default route pointing to the other (primary) circuit, and the ip sla responder is up (because the primary circuit is) how does the FTD check the availability of the backup circuit, if the default route on the FTD is sending traffic via the primary? Is there a way to specify the source interface?

rschlayer · ‎05-07-2021

In the IP SLA Track you define the interface to use for pinging, if the interface is down, or the GW for that Interface is down, the ping fails and therefore the track fails.

IP SLA/PBR behavior for Firepower

dual internet links NATing with PBR and IP SLA

Troubleshoot IP SLA on Multipod PBR

Static Routing IP SLA and PBR Slides

Firepower Failover behavior

Firepower 1010 ip based VPN access prevention