11-08-2012 11:43 PM - edited 03-11-2019 05:21 PM
Hi,
I have an ASA 5510 and two ISP connections. I need ISP2 to take over when ISP1 does not respond. I have followed the following link, ASA/PIX 7.x: Redundant or Backup ISP Links Configuration Example, and as far as I can see this part is working. I disable the interface for ISP1 and the routing table changes its static route to ISP2. When I enable ISP1 again the static route changes back to ISP1. However, no traffic flows to the outside. I have set up a NAT rule that is the same as for WAN1.
Any ideas on what I could be doing wrong?
/Hilmar
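The configuration the thread is about, written out as an added example (not the poster's attached config and not the Cisco document's text): an ASA 8.3+ backup-ISP setup with an SLA probe, a tracked primary default route, a floating backup route, and a separate PAT rule for each egress interface. The interface names Inside, WAN1 and WAN2 and the object name obj-any-wan2 are taken from the thread; the interface and gateway addresses are placeholders from the RFC 5737 documentation ranges and the inside network is assumed.

```cisco
! Added example, not the poster's configuration. Addresses are placeholders.
interface Ethernet0/0
 nameif WAN1
 security-level 0
 ip address 192.0.2.10 255.255.255.0
!
interface Ethernet0/1
 nameif WAN2
 security-level 0
 ip address 198.51.100.10 255.255.255.0
!
interface Ethernet0/2
 nameif Inside
 security-level 100
 ip address 10.42.10.1 255.255.255.0
!
! Probe a host beyond ISP1. The "interface WAN1" keyword pins the probe to
! WAN1 so it keeps testing ISP1 even after the default route has moved to WAN2;
! without it the probe would follow the backup route and never recover.
sla monitor 123
 type echo protocol ipIcmpEcho 4.2.2.2 interface WAN1
 num-packets 3
 frequency 10
sla monitor schedule 123 life forever start-time now
!
track 1 rtr 123 reachability
!
! The primary default route stays in the routing table only while track 1 is
! up. The backup route has a worse metric, so it is used only when the
! primary is withdrawn and is replaced again when the probe succeeds.
route WAN1 0.0.0.0 0.0.0.0 192.0.2.1 1 track 1
route WAN2 0.0.0.0 0.0.0.0 198.51.100.1 254
!
! One PAT rule per egress interface. The ASA picks the NAT rule by the
! egress interface the routing lookup returns, so the WAN1 rule alone does
! nothing for traffic that now leaves via WAN2.
object network obj-any-wan1
 subnet 0.0.0.0 0.0.0.0
 nat (Inside,WAN1) dynamic interface
object network obj-any-wan2
 subnet 0.0.0.0 0.0.0.0
 nat (Inside,WAN2) dynamic interface
```

When testing a failover, check each layer separately rather than only browsing from a client: `show route` confirms which default route is installed; `show xlate interface WAN2` and `packet-tracer input Inside tcp 10.42.10.32 1025 4.2.2.2 80` confirm that the WAN2 NAT rule is being hit; `ping WAN2 198.51.100.1` (the ISP2 gateway) and `ping WAN2 4.2.2.2` (beyond it), issued from the ASA itself, separate a local-link problem from an upstream one. If the ASA translates and routes correctly but its own pings out of WAN2 fail, the fault is on the ISP side, for example a stale ARP entry for the WAN2 address at the provider's gateway, which is what the thread ends up finding.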
11-09-2012 05:13 AM
Do you mean that no traffic is flowing to ISP2 when the connection failover to ISP2?
OR, no traffic is flowing to ISP1 when you reenable ISP1?
What is the version of your ASA?
Can you share your configuration, please?
11-09-2012 05:18 AM
Hi,
I have attached the config.
The traffic does not flow to ISP2 (WAN2). There is no problem with ISP1 (WAN1); traffic there starts flowing when the interface is enabled, and the routing table is also changed back to its original state.
/H
11-09-2012 05:24 AM
Thanks.
What are you trying to access when ISP1 is down?
If you perform continuous ping to 4.2.2.2, does it timeout a few times, and eventually receive a reply?
11-09-2012 05:32 AM
Normal browsing; I get no reply whatever website I try.
Ping to for example google DNS (8.8.8.8) will also fail.
I get Request timed out with ping 4.2.2.2 -t on a workstation on the inside interface.
/H
11-09-2012 05:38 AM
Please check the xlate table to see if the xlate is even being created with the ISP2 address.
Also if you perform packet tracer, what do you get?
11-09-2012 05:55 AM
I hope this is what you are talking about.
Result of the command: "show xlate interface WAN2"
19 in use, 421 most used
Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice
e - extended
Here is a packet trace (as far as I can see it is allowed):
Result of the command: "packet-tracer input Inside tcp 10.42.10.32 80 173.194.32.5 80 xml"
in 0.0.0.0 0.0.0.0 WAN2
access-group Internt_access_in in interface Inside
access-list Internt_access_in extended permit object-group DM_INLINE_SERVICE_7 any any
access-list Internt_access_in remark Allows all traffic from DMZ1/DMZ2 and 10.42.3.0 network
object-group service DM_INLINE_SERVICE_7
service-object tcp-udp destination eq www
service-object tcp destination eq https
object network obj-any-wan2
nat (Inside,WAN2) dynamic interface
Dynamic translate 10.42.10.32/80 to 195.198.115.159/80
New flow created with id 605988, packet dispatched to next module
I have a rule that allows ping and I got a lot of hits on that rule when I tested ping 4.2.2.2,
but I also got a lot of hits on my last rule, which is access-list Internt_access_in line 13 extended deny ip any any.
Can it be that the traffic is not let back in again?
/H
11-09-2012 06:00 AM
Based on the packet-tracer output, it is correctly translating to WAN2 and routing towards WAN2.
Are you sure that your second ISP is up and running?
From the ASA itself, are you able to ping to 4.2.2.2 when WAN2 is the active ISP?
11-09-2012 06:37 AM
I cannot ping 4.2.2.2 from the ASA when ISP2 is active.
I have sent a mail to the ISP to get answers from their end.
/H
11-12-2012 02:27 AM
The problem was that the ISP had not updated their ARP table.
Thanks a lot for your help.
/Hilmar
11-12-2012 03:19 AM
Thanks for the update. Good to hear all is good now.