Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
201
Views
0
Helpful
4
Replies

R1 Goes down

agha talha
Level 1
Level 1

‎02-19-2024 01:37 AM

Scenario:

If R1 goes down, How can we forward traffic up stream from ASA-1 which is PRIMARY and mode is ACTIVE.

aghatalha_0-1708335339732.png

 

 

0 Helpful
4 Replies 4

Marius Gunnerud
VIP
VIP

‎02-19-2024 02:26 AM

If  R1 goes down, as in fails completely, and R1 is directly connected to the ASA-1 firewall, traffic will automatically failover to R2 since ASA-1 will also failover when detecting the failed interface (assuming default settings for failover have not been changed).

The issue you will run into is if R1 does not fail but the links to ISP does fail.  In this case you would need to either track the ISP using IP SLA and call that in the HSRP configuration, or configure dynamic routing between R1 and R2 so if ISP fails on R1 it will send traffic to R2.  Then when ISP on R1 is restored, traffic will automatically be restored back to normal (handled by dynamic routing).

--
Please remember to select a correct answer and rate helpful posts
0 Helpful

agha talha
Level 1
Level 1
In response to Marius Gunnerud

‎02-19-2024 02:54 AM

Thanks, 
could you please tell me how can I call in IP SLA in HSRP?
and also can you share the link where we can confirm the ASA will also failover when the R1 link goes down?

 

0 Helpful

Marius Gunnerud
VIP
VIP
In response to agha talha

‎02-19-2024 03:09 AM

could you please tell me how can I call in IP SLA in HSRP?

ip sla monitor 10
type echo protocol ipIcmpEcho 8.8.8.8
ip sla monitor schedule 1 life forever start-time now

track 5 rtr 10 reachability

interface Gig0/1
standby 1 track 5 decrement 20

and also can you share the link where we can confirm the ASA will also failover when the R1 link goes down?

Bear in mind the link in question is the link between R1 and the ASA and it needs to be directly connected to the ASA in which case HSRP is not needed.  If you place a switch between the ASAs and R1 and R2 ASAs will not failover if R1 LAN link fails and will still go to HSRP vIP.

You can refer to THIS link for failover conditions on the ASA.

--
Please remember to select a correct answer and rate helpful posts
0 Helpful

MHM Cisco World
VIP
VIP

‎02-19-2024 02:53 AM

You need SW connect Outside of both ASA HA' if there is then 

You already config HSRP between edge router'

In ASA config defualt route toward HSRP VIP of both edge router

Here if R1 failed the R2 will be active and always traffic from ASA HA send to active edge router 

MHM

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card