
ISP failover on ASAs (delaying)

Jeff Cooper
Level 1

Good morning,

I've got a question about failover on ASAs. Compared to a Cisco router: on a router, I can set up an SLA monitor and an icmp-echo. Under the track I can say delay down and delay up. Meaning, if I ping every 15 seconds, I can say delay down 45 seconds. What this does is wait for 1 minute of unsuccessful pings of an internet IP before triggering failover to a backup ISP. The first ping at 15 seconds tests down, then there are 3 more tests (45 seconds), before the track says "ok this ping destination is down." Really nice if there's a large load on the router that's the cause of the timeouts, or if the ISP link is simply shaky from time to time.

I opened a TAC case on the ASA version and I couldn't get a straight response, nor a direct example. After 3 weeks and much discussion, I closed the case.

I've some clients with shaky connections (a dozen or so out of 400-500 of them), and their failover is triggering at the slightest pause on the line. I've set the ipIcmpEcho IP in an access list and prioritized traffic to that IP in a service policy on the outside interface.

I'm aware of timeouts, and the timeout cannot be greater than the frequency. So I'm still contained within the single test window. I've set the timeout to 20000 in a 20 second frequency, and still trigger failover when my ping times start exceeding 2000ms under a heavy load.

I've even tried multiple tracks on various internet IPs, and then tried to stack multiple default gateways out the same interface. I.e., if one internet IP fails, there are still 2 tracks that might be responding. Thus all three internet IPs and weighted routes need to fail before falling to the lowest weighted default gateway out the backup ISP. The ASA only lets me do 1 tracked route per gateway.

Specifically, if I wanted to set up a test every 15 seconds on an ASA, but delay down for 3 more subsequent tests, what would be the command structure for this (if any is available on the ASA)?

Cisco TAC said to do this (does not delay down):

sla monitor 123
 type echo protocol ipIcmpEcho x.x.x.x interface outside
 num-packets 5
 timeout 20000
 frequency 20
! the probe only starts running once it is scheduled
sla monitor schedule 123 life forever start-time now
! the route is withdrawn as soon as the probe reports unreachable
track 1 rtr 123 reachability

Running 8.25

Thanks


mirober2
Cisco Employee

Hi Jeff,

As you've found, this is not currently possible on the ASA platform. The ASA will flip over to the backup route/ISP as soon as the first test fails.

There is an enhancement request filed to get the "delay down" functionality added to the ASA:

CSCti67445 - ENH: Implement "delay up/down" command in ASA Object Tracking

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCti67445

However, it is not currently implemented. Your best bet would be to work with your Cisco account team to help push for this feature to be implemented in a future release.

Hope that helps.

-Mike
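For reference, here is the router-side configuration Jeff describes in the question (an IP SLA probe every 15 seconds with a delay down of 45 seconds, so a full minute of failed probes passes before the tracked default route is withdrawn), next to the closest ASA equivalent, which withdraws the route on the first failed probe because track has no delay option. This is an added example, not configuration from the thread; the addresses (documentation ranges), the interface names GigabitEthernet0/0, outside and backup, and the object numbers are assumed.

```cisco
! --- IOS router: probe the primary ISP every 15 s; fail over only after
! --- the first failed probe plus 45 s (three more failed probes) ---
ip sla 10
 icmp-echo 198.51.100.1 source-interface GigabitEthernet0/0
 frequency 15
 timeout 10000
ip sla schedule 10 life forever start-time now
!
track 10 ip sla 10 reachability
 delay down 45 up 15
!
! pin the probe target to the primary ISP so the probe cannot leak out
! the backup path and report "up" while the primary is actually dead
ip route 198.51.100.1 255.255.255.255 203.0.113.1
ip route 0.0.0.0 0.0.0.0 203.0.113.1 track 10
ip route 0.0.0.0 0.0.0.0 192.0.2.1 250
!
! --- ASA: same probe and tracked routes; the tracked route drops on the
! --- first failed probe since track accepts no delay (see CSCti67445) ---
sla monitor 123
 type echo protocol ipIcmpEcho 198.51.100.1 interface outside
 num-packets 5
 timeout 10000
 frequency 15
sla monitor schedule 123 life forever start-time now
!
track 1 rtr 123 reachability
!
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1 track 1
route backup 0.0.0.0 0.0.0.0 192.0.2.1 250
```

On both platforms the probe timeout (in ms) has to stay at or below the frequency (in s), so the only tolerance available on the ASA is a timeout close to the frequency, whereas the router can additionally absorb whole failed probes through the track delay.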
