Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
7357
Views
9
Helpful
32
Replies

Requirement to shutdown FTD inside interface via SLA

Go to solution
SHABEEB KUNHIPOCKER
Level 3
Level 3

‎05-20-2023 11:00 AM

Hello,

We have a requirement to shutdown the inside interface of our FTD once the internet link on the upstream ISP router goes down. The logical connectivity is as follows.

Core Switch---->(inside)FTD(outside)----->(inside)ISP Router(outside)----->Internet

Initially I planning to use an sla monitor (ping to 8.8.8.8)and use it in an EEM script to shutdown the interface. But I found that FTD/ASA does not support event track command. Please advise if there is any other way to achieve my requirement.

Thanks

0 Helpful
32 Replies 32

Go to solution
NUSFETLEN
Level 1
Level 1
In response to NUSFETLEN

‎05-28-2023 08:30 PM

The below is what I've setup. It is working perfect. 
As soon as the 8.8.8.8 is unreachable, the interface e1/3 goes down.
as soon as the 8.8.8.8 is reachable, the interface e1/3 goes up.

# Create a static route to reach 8.8.8.8
route outside 8.8.8.8 255.255.255.255 x.x.x.x

# Create IP SLA to PING 8.8.8.8
sla monitor 10
type echo protocol ipIcmpEcho 8.8.8.8 interface outside
frequency 10
sla monitor schedule 10 life forever start-time now

# Create tracking and link it to the SLA
track 1 rtr 10 reachability

# Create a static route to reach 8.8.4.4 with the tracking 
route outside 8.8.4.4 255.255.255.255 x.x.x.x 1 track 1

# Create two EEM instances to shutdown the interface e1/3 and bring it back up
event manager applet DMZ-Down
description "ShutDown Interfaces"
event syslog id 317078
action 1 cli command "enable"
action 2 cli command "config t"
action 3 cli command "interface Ethernet1/3"
action 4 cli command "shutdown"
action 5 cli command "end"
action 6 cli command "wr"
output none
event manager applet DMZ-Up
description "Up Interfaces"
event syslog id 317077
action 1 cli command "enable"
action 2 cli command "config t"
action 3 cli command "interface Ethernet1/3"
action 4 cli command "no shutdown"
action 5 cli command "end"
action 6 cli command "wr"
output none

0 Helpful

Go to solution
NUSFETLEN
Level 1
Level 1
In response to NUSFETLEN

‎05-28-2023 09:58 PM

It seems I was too fast by saying the setup I made works perfect. It was running OK at the beginning, however, later it caused the interface e1/3 to flop (Up and Down). Moreover, the Controle CPU increased up to 80%. So, don't try this setup in production. I'm very sorry for the confusion.

0 Helpful

Go to solution
SHABEEB KUNHIPOCKER
Level 3
Level 3
In response to MHM Cisco World

‎07-18-2023 12:36 AM

Apologies for the late response. I used two scripts and used occurrence value as 2 in the second script which will bring the interfaces back. I have monitored it for around 2 months and seems to work fine. Thanks a lot guys for your support.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card