06-14-2016 03:17 AM - edited 03-12-2019 12:53 AM
Good day Experts
I have a problem: two ASA 5555s are configured in Active/Standby HA. The internet-facing interfaces connect to a switch, then to the ISP routers. The failover links go through a Nexus switch spanned across two data centers using high-speed fiber.
If the primary site's internet line fails, the ASAs cannot detect the break and initiate a failover, since they go through a switch. In most cases the switches are always up, so interface monitoring doesn't help.
Is it possible to use route tracking as a failover trigger when running active/standby high availability?
If not, what other ways can I use to trigger failover in addition to chassis and interface monitoring?
Thank you
-ETlou
06-14-2016 04:42 PM
Hi
The failover occurs if one of the monitored interfaces goes to failed status. If you shut down an interface on the active box, the failover sync occurs and shuts down the same interface on the other box.
I would suggest using an IP SLA and an EEM script on the switch side to check whether the ISP port is UP or DOWN. If the ISP port goes down, you can trigger a shutdown of the switch port facing the ASA's outside interface on that same switch. At this stage the ASA outside interface has a failed status, and if this interface is one of your monitored interfaces, a failover is triggered by the ASA.
Here is a sample config of IP SLA with EEM (you need to adapt the IP SLA target address and the switch port facing the outside ASA interface):
!
! Probe a target beyond the ISP router's LAN port; the router's own LAN
! address normally stays reachable when only the WAN line is down.
ip sla 1
 icmp-echo 192.168.0.1
 frequency 5
ip sla schedule 1 life forever start-time now
!
! Track object the EEM applets react to. Reachability goes down as soon as one
! probe fails; add "delay down 10 up 30" under the track if a single lost echo
! must not flap the ASA-facing port.
track 1 ip sla 1 reachability
!
! ISP unreachable: shut the switch port facing the active ASA's outside
! interface so the ASA sees a failed monitored interface and fails over.
event manager applet DownInterfaceCore
 event track 1 state down
 action 2.0 cli command "enable"
 action 2.5 cli command "config t"
 action 2.6 cli command "interface GigabitEthernet0/1"
 action 2.7 cli command "shutdown"
 action 3.0 syslog msg "Interface GigabitEthernet0/1 was shutdown via EEM"
!
! ISP reachable again: bring the port back up so the ASA interface is healthy
! again and the unit can act as standby.
event manager applet UPInterfaceCore
 event track 1 state up
 action 2.0 cli command "enable"
 action 2.5 cli command "config t"
 action 2.6 cli command "interface GigabitEthernet0/1"
 action 2.7 cli command "no shutdown"
 action 3.0 syslog msg "Interface GigabitEthernet0/1 was unshut via EEM"
Thanks
PS: if this solved your issue, please don't forget to rate and mark as correct answer
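As an added example (not from the original answer or from the asker's configuration), here is the ASA side that the switch-side trick depends on: the port the EEM applet shuts must correspond to a monitored interface on the ASA, and the interface policy must allow a single failed interface to trigger failover. The interface name "outside", the poll and hold times, and the interface states quoted in the comments are assumptions for the illustration.

```cisco
! ASA side (added example). Active/Standby failover, the failover link and the
! state link are assumed to be configured already; only the settings that
! decide whether a shut switch port turns into a failover are shown.
!
! The interface whose switch port the EEM applet shuts. Only monitored
! interfaces count toward the failover decision, so this line is the one to
! check first with "show monitor-interface": the entry must read
! "Normal (Monitored)" on both units, not "Normal (Not-Monitored)".
monitor-interface outside
!
! Interfaces that must never decide a failover (for example a management
! interface that is down on purpose on one site) stay unmonitored.
no monitor-interface management
!
! Poll monitored interfaces every second and declare a failure after 5 seconds
! without hellos. Hold time must be at least 5x the poll time; the defaults
! are 5 s / 25 s, which makes the switchover follow the EEM shutdown later.
failover polltime interface 1 holdtime 5
!
! One failed monitored interface is enough to fail over (the default is 1;
! a percentage such as "failover interface-policy 50%" is also possible).
failover interface-policy 1
!
! Verification after the switch-side applet has shut the port:
!   show failover            -> the outside interface on the old active unit is
!                               no longer "Normal (Monitored)" and the standby
!                               unit reports "Active"
!   show failover history    -> the reason recorded is an interface check
!                               failure on the outside interface
```

The first thing to confirm before relying on this is that the outside interface is actually listed as monitored on both units; an interface the ASA is not monitoring can go down without any failover, which would make the switch-side applet a no-op.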
06-15-2016 12:28 AM
Hi
Thank you for the configuration. I will test this and let you know if it works.
Regards
-Elias
06-22-2016 11:56 PM
Good day
This worked 100%. I have modified the script as follows:
ip sla 1
 icmp-echo 1.1.1.1
 frequency 5
ip sla schedule 1 life forever start-time now
!
! Track object (not in the original paste, assumed from the syslog text the
! applets match): a "state" track logs "... state Up->Down", while a
! "reachability" track logs "... reachability Up->Down" and would need a
! different pattern.
track 1 ip sla 1 state
!
! ISP target unreachable: shut the port facing the ASA outside interface.
event manager applet DownInterfaceCore
 event syslog pattern "%TRACKING-5-STATE: 1 ip sla 1 state Up->Down"
 action 2.0 cli command "enable"
 action 2.5 cli command "config t"
 action 2.6 cli command "interface FastEthernet1/0/1"
 action 2.7 cli command "shutdown"
 action 3.0 syslog msg "Interface FastEthernet1/0/1 was shutdown via EEM"
!
! ISP target reachable again: bring the port back up.
event manager applet UPInterfaceCore
 event syslog pattern "%TRACKING-5-STATE: 1 ip sla 1 state Down->Up"
 action 2.0 cli command "enable"
 action 2.5 cli command "config t"
 action 2.6 cli command "interface FastEthernet1/0/1"
 action 2.7 cli command "no shutdown"
 action 3.0 syslog msg "Interface FastEthernet1/0/1 was unshut via EEM"
I am also checking physical ports on the switch:
! The "changed state to down/up" pattern matches both the %LINK-3-UPDOWN and
! the %LINEPROTO-5-UPDOWN message for the port, so each applet can run twice
! per transition; the repeated shutdown / no shutdown is harmless.
event manager applet DownInterfacePRI
 event syslog pattern "Interface FastEthernet1/0/11, changed state to down"
 action 2.0 cli command "enable"
 action 2.5 cli command "config t"
 action 2.6 cli command "interface FastEthernet1/0/2"
 action 2.7 cli command "shutdown"
 action 3.0 syslog msg "Interface FastEthernet1/0/2 was shutdown via EEM"
!
event manager applet UPInterfacePRI
 event syslog pattern "Interface FastEthernet1/0/11, changed state to up"
 action 2.0 cli command "enable"
 action 2.5 cli command "config t"
 action 2.6 cli command "interface FastEthernet1/0/2"
 action 2.7 cli command "no shutdown"
 action 3.0 syslog msg "Interface FastEthernet1/0/2 was unshut via EEM"
!
event manager applet DownInterfaceSEC
 event syslog pattern "Interface FastEthernet1/0/12, changed state to down"
 action 2.0 cli command "enable"
 action 2.5 cli command "config t"
 action 2.6 cli command "interface FastEthernet1/0/1"
 action 2.7 cli command "shutdown"
 action 3.0 syslog msg "Interface FastEthernet1/0/1 was shutdown via EEM"
!
event manager applet UPInterfaceSEC
 event syslog pattern "Interface FastEthernet1/0/12, changed state to up"
 action 2.0 cli command "enable"
 action 2.5 cli command "config t"
 action 2.6 cli command "interface FastEthernet1/0/1"
 action 2.7 cli command "no shutdown"
 action 3.0 syslog msg "Interface FastEthernet1/0/1 was unshut via EEM"
The reason I use a syslog pattern is that the switch won't let me use "event track 1 state up".
06-23-2016 04:28 AM
OK, nice to hear that it's working.
Thanks