One ASA 5510 two ISP

IT Asitis
Level 1

Hi,

I have an ASA 5510 and two ISP connections. I need ISP2 to take over when ISP1 does not respond. I have followed the following link, ASA/PIX 7.x: Redundant or Backup ISP Links Configuration Example, and as far as I can see this part is working. I disable the interface for ISP1 and the routing table changes its static route to ISP2. When I enable ISP1 again the static route changes to ISP1. However, no traffic flows to the outside. I have set up a NAT rule that is the same as for WAN1.

Any ideas on what I can be doing wrong?

/Hilmar
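The backup-ISP setup described in this post, as an added example that is not the original poster's attached configuration: ASA 8.3+ syntax (the object NAT form that appears later in the thread), with RFC 5737 documentation addresses, the interface-to-port assignments and the SLA target all standing in as assumptions. The verification commands at the end are the checks that are suggested later in the thread (ping from the ASA itself, xlate table, packet-tracer), plus an ARP check.

```text
! Interfaces (addresses are assumed; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges)
interface Ethernet0/0
 nameif WAN1
 security-level 0
 ip address 203.0.113.10 255.255.255.0
interface Ethernet0/1
 nameif WAN2
 security-level 0
 ip address 198.51.100.10 255.255.255.0
interface Ethernet0/2
 nameif Inside
 security-level 100
 ip address 10.42.10.1 255.255.255.0

! Primary default route (metric 1) is installed only while track 1 reports "up";
! the backup default route carries a worse metric and takes over when the primary is withdrawn.
route WAN1 0.0.0.0 0.0.0.0 203.0.113.1 1 track 1
route WAN2 0.0.0.0 0.0.0.0 198.51.100.1 254

! SLA probe: ICMP echo to a host beyond ISP1, sourced from WAN1 so it tests that path only.
! 4.2.2.2 is used as the probe target here because the thread pings it; any stable host works.
sla monitor 123
 type echo protocol ipIcmpEcho 4.2.2.2 interface WAN1
 num-packets 3
 frequency 10
sla monitor schedule 123 life forever start-time now
track 1 rtr 123 reachability

! Dynamic PAT to the interface address on whichever WAN is in use. Two objects with the
! same subnet are needed because each NAT rule is bound to one pair of interfaces.
object network obj-any-wan1
 subnet 0.0.0.0 0.0.0.0
 nat (Inside,WAN1) dynamic interface
object network obj-any-wan2
 subnet 0.0.0.0 0.0.0.0
 nat (Inside,WAN2) dynamic interface

! --- Verification while WAN2 is the active path ---
show route | include 0.0.0.0                 ! which default route is installed right now
show track 1                                  ! state of the tracked object
show sla monitor operational-state 123        ! probe results (RTT / timeouts)
ping WAN2 4.2.2.2                             ! ping sourced from the WAN2 interface address
show arp | include WAN2                       ! did the ASA resolve the WAN2 gateway MAC?
show xlate interface WAN2                     ! are translations to the WAN2 address being built?
packet-tracer input Inside tcp 10.42.10.32 49152 8.8.8.8 80
```

The ping sourced from the ASA's own WAN2 address is the decisive test: if the firewall cannot reach the Internet from that address, no amount of NAT or access-list tuning on the inside will help. `show arp` only proves that the ASA learned the gateway's MAC; it cannot show whether the ISP gateway holds a current ARP entry for the WAN2 interface address, which is the failure mode this thread ended on. For packet-tracer, use an ephemeral source port (49152 above) rather than 80, so the trace matches what a real client connection looks like.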

1 Accepted Solution
Based on the packet tracer output, it is correctly translating to WAN2 and routing towards WAN2.

Are you sure that your second ISP is up and running?

From the ASA itself, are you able to ping to 4.2.2.2 when WAN2 is the active ISP?


10 Replies

Jennifer Halim
Cisco Employee

Do you mean that no traffic is flowing to ISP2 when the connection failover to ISP2?

OR, no traffic is flowing to ISP1 when you reenable ISP1?

What is the version of your ASA?

Can you share your configuration, please?

Hi,

I have attached the config.

The traffic does not flow to ISP2 (WAN2). There is no problem with ISP1 (WAN1); traffic there starts flowing when the interface is enabled. The routing table is also changed back to its original state.

/H

Thanks.

What are you trying to access when ISP1 is down?

If you perform continuous ping to 4.2.2.2, does it timeout a few times, and eventually receive a reply?

Normal browsing: I get no reply, whatever website I try.

Ping to for example google DNS (8.8.8.8) will also fail.

I get Request timed out with ping 4.2.2.2 -t on a workstation on the inside interface.

/H

Please check the xlate table to see if the xlate is even being created with the ISP2 address.

Also if you perform packet tracer, what do you get?

I hope this is what you are talking about

Result of the command: "show xlate interface WAN2"

19 in use, 421 most used
Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice
          e - extended

Here is a packet trace (as far as I see, it is allowed):

Result of the command: "packet-tracer input Inside tcp 10.42.10.32 80 173.194.32.5 80 xml"

Phase 1: ROUTE-LOOKUP (input) - ALLOW
  in   0.0.0.0         0.0.0.0         WAN2

Phase 2: ACCESS-LIST (log) - ALLOW
  access-group Internt_access_in in interface Inside
  access-list Internt_access_in extended permit object-group DM_INLINE_SERVICE_7 any any
  access-list Internt_access_in remark Allows all traffic from DMZ1/DMZ2 and 10.42.3.0 network
  object-group service DM_INLINE_SERVICE_7
   service-object tcp-udp destination eq www
   service-object tcp destination eq https

Phase 3: CONN-SETTINGS - ALLOW

Phase 4: IP-OPTIONS - ALLOW

Phase 5: NAT - ALLOW
  object network obj-any-wan2
   nat (Inside,WAN2) dynamic interface
  Dynamic translate 10.42.10.32/80 to 195.198.115.159/80

Phase 6: IP-OPTIONS - ALLOW

Phase 7: FLOW-CREATION - ALLOW
  New flow created with id 605988, packet dispatched to next module

Input interface:  Inside (up/up)
Output interface: WAN2 (up/up)
Action: allow

I have a rule that allows ping, and I got a lot of hits on that rule when I tested ping 4.2.2.2,

but I also got a lot of hits on my last rule, which is: access-list Internt_access_in line 13 extended deny ip any any

Can it be that the traffic is not let back in again?

/H

Based on the packet tracer output, it is correctly translating to WAN2 and routing towards WAN2.

Are you sure that your second ISP is up and running?

From the ASA itself, are you able to ping to 4.2.2.2 when WAN2 is the active ISP?

I cannot ping 4.2.2.2 from the ASA when ISP2 is active.

I have sent a mail to the ISP to get answers from there end.

/H

The problem was that the ISP had not updated their ARP table

Thanks a lot for your help.

/Hilmar

Thanks for the update. Good to hear all is good now.
