Requirement to shutdown FTD inside interface via SLA

Hello,

We have a requirement to shutdown the inside interface of our FTD once the internet link on the upstream ISP router goes down. The logical connectivity is as follows.

Core Switch---->(inside)FTD(outside)----->(inside)ISP Router(outside)----->Internet

Initially I was planning to use an SLA monitor (ping to 8.8.8.8) and use it in an EEM script to shut down the interface. But I found that FTD/ASA does not support the event track command. Please advise if there is any other way to achieve my requirement.

Thanks

1 Accepted Solution

Accepted Solutions

event syslog id nnnnnn [-nnnnnn] [occurs n] [period seconds] <<- before you ask, friend, I searched for a solution: try using occurs
the add must use occurs 1
the remove must use occurs 2

Try this, because I am afraid the FTD always uses the first one, add or remove.

I will try this solution and try others and share here tonight.
Thanks
MHM


@SHABEEB KUNHIPOCKER you can use the ASA EEM syntax with FlexConfig on the FTD.

What is your scenario for shutting down the FTD interface? There might be a more elegant solution.

Hi Rob,

The issue is that the FTD is running OSPF with the core switch. The FTD has a DMZ interface where they have an ESA. The customer has two data centers, and when we fail over to DC2, we need these DC1 DMZ routes to be removed from the routing table. My plan was to track an internet IP and shut down the inside interface of the FTD so that OSPF goes down from the FTD to the core and the DMZ route is removed from the downstream devices.

At first view, you can use FlexConfig to configure EEM in FTD.

Hi,

I have seen this link. But as stated, there is no option to configure event track. In my case I need to monitor an internet IP, and when it is unreachable I need to run EEM. So I don't think I can use the solution in the link.

@SHABEEB KUNHIPOCKER event track is not supported on ASA and FTD. I just had a thought: why don't you use the syslog IDs "718063 Error Message %ASA-5-718063: Interface interface_name is down" and "718064 Error Message %ASA-5-718064: Admin. interface interface_name is down", as syslogs are supported in EEM applets?

Based on these log IDs you can create the EEM applet and run it.

please do not forget to rate.

Yes, you are correct.

Event track is not supported.

You can use syslog, but syslog for what?

Here is the question.

The answer: you can use a static route with track, use syslog for the add/remove of this route to the RIB, and configure EEM.

syslog can be used against the "nameif"; here is the log ID and description: "718063 Error Message %ASA-5-718063: Interface interface_name is down"

please do not forget to rate.

He uses IP SLA because the FTD side is not down when the ISP interface is down.

So we will use a static route only for EEM and detect its add/remove.

In that case, these are the syslog IDs that need to be configured.

609001
302020
302021
609002
622001

I got these syslog IDs from the Cisco document.

(attachment: syslog.PNG)

https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog.pdf

please do not forget to rate.

I am far from my PC. I already ran a lab using this syslog; I hope to share this lab tonight.

Hello,

Our issue is that we cannot use a static route, as we are already running OSPF on the FTD, and we need to stop some subnets from being advertised into OSPF when the upstream internet link goes down.

You detect 8.8.8.8; use a static route to 8.8.4.4. We are talking here about any static route, not a specific one.
route OUT 8.8.4.4 255.255.255.255 <ISP> track x
Then use EEM and shut down the interface, or remove the network under OSPF.
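Putting the post above together with the accepted solution's use of `occurs`, here is an assembled ASA-syntax configuration (an added example, not configuration from this thread or from Cisco; the interface names, the ISP next hop 203.0.113.1, the SLA/track numbers and the applet names are assumptions). On FTD, the SLA monitor, track and tracked static route can be configured natively in FMC (static route with an SLA monitor object), and the EEM applets are deployed through FlexConfig, which is the route Rob suggested.

```text
! IP SLA probe to the tracked internet address (8.8.8.8 from the original question),
! sourced from the outside interface. SLA number 1, track 1 and the interface name are assumptions.
sla monitor 1
 type echo protocol ipIcmpEcho 8.8.8.8 interface outside
 frequency 5
sla monitor schedule 1 life forever start-time now
track 1 rtr 1 reachability

! Tracked static route to 8.8.4.4, as in the post above. The next hop 203.0.113.1 is a placeholder.
! The route is only a signal: it is installed in the RIB while the probe succeeds and withdrawn
! when the probe fails, and each change logs syslog 622001 (adding/removing tracked route).
route outside 8.8.4.4 255.255.255.255 203.0.113.1 1 track 1

! EEM applets keyed on 622001, using the "occurs" split from the accepted solution:
! occurs 1 is meant to match the route being added, occurs 2 the route being removed.
! Applet names and GigabitEthernet0/1 (the inside interface) are assumptions.
event manager applet ISP_DOWN_SHUT_INSIDE
 event syslog id 622001 occurs 2
 action 1 cli command "interface GigabitEthernet0/1"
 action 2 cli command "shutdown"

event manager applet ISP_UP_RESTORE_INSIDE
 event syslog id 622001 occurs 1
 action 1 cli command "interface GigabitEthernet0/1"
 action 2 cli command "no shutdown"
```

Because 622001 is logged for both the add and the remove of the tracked route, the thread's own concern still applies: verify in a lab that the occurrence counters fire on the events you expect before deploying, and confirm that the inside interface actually comes back up when the probe recovers. If the goal is only to stop advertising the DC1 DMZ subnets, the same 622001 trigger can run `router ospf <process>` followed by `no network <dmz-subnet> <mask> area <area>` in the shutdown applet and the matching `network` command in the restore applet, leaving the inside interface and the core adjacency up.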

@SHABEEB KUNHIPOCKER you can configure the interface syslog IDs as mentioned in my earlier post and run the EEM applet against them. If this is a production network, which I assume it is, there is less chance of a false positive, as it will be you or someone else from the network team shutting down any interface of the firewall. So syslog IDs 718063 and 718064 are your best bet, unless otherwise you get the syslog ID of the OSPF adjacency and run the EEM applet against that.

I am afraid you only have these options with an EEM applet.

please do not forget to rate.