
Single ASA - dual ISP failover

denis.ivitchev (Level 1)

I have a single 5508 running v9.5.

No router in front of the ASA.

Failover is set up as shown in the configuration below. 

I have two questions. First, when the primary ISP (Outside-TW) goes down and the backup ISP (outside) becomes active, will it switch back automatically to the primary ISP once it becomes available? Or am I missing some pieces in the config?

And second, what if the problem with the primary ISP is further down the path than the gateway? How do I monitor both the default gateway and, for example, 8.8.8.8?


Thank you.

interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address 2.2.2.2 255.255.255.252
!
interface GigabitEthernet1/3
 nameif Outside-TW
 security-level 0
 ip address 1.1.1.2 255.255.255.248
!
route outside 0.0.0.0 0.0.0.0 2.2.2.1 11 track 1
route Outside-TW 0.0.0.0 0.0.0.0 1.1.1.1 1 track 2
!
sla monitor 1
 type echo protocol ipIcmpEcho 2.2.2.1 interface outside
 frequency 10
sla monitor schedule 1 life forever start-time now
!
sla monitor 2
 type echo protocol ipIcmpEcho 1.1.1.1 interface Outside-TW
 frequency 10
sla monitor schedule 2 life forever start-time now
!
track 1 rtr 1 reachability
!
track 2 rtr 2 reachability

2 Replies

Rahul Govindan (VIP Alumni)

To answer your questions:

1) Yes, the traffic should fail back over to the primary ISP, as the initial default route should show up again in the routing table. Your config has a potential problem: both primary and backup default routes have the same metric (1). You should ideally give the backup route a higher metric so that it takes effect only when the primary route is no longer present. You also do not need a track on your backup route, as that route should always be up as the backup. You can use the following guide as an example:

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/118962-configure-asa-00.html

2) Tracking 8.8.8.8 has the advantage of being able to track both the gateway and other devices in the path. If you track only the gateway, you cannot check anything beyond it. Again, this is a call you have to make on what you want to track. My recommendation would be to track 8.8.8.8. In any case, test and make sure that the tracking does not keep going down with that config.

sistematico (Level 1)

This is the right configuration you need:

sla monitor 9
 type echo protocol ipIcmpEcho 8.8.8.8 interface Primary_ISP
 num-packets 3
sla monitor schedule 9 life forever start-time now
!
track 9 rtr 9 reachability
!
route Primary_ISP 0.0.0.0 0.0.0.0 1.1.1.1 track 9
route Backup_ISP 0.0.0.0 0.0.0.0 2.2.2.2 10

The number "10" on the second route is the AD, which has to be higher than the primary's. But if you want automatic failover, you should never use an AD of 255 on the secondary route.
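Both replies above turn on the same two mechanics: the ASA installs the lowest-AD default route whose track object is up (so fail-back is automatic once the primary's probe recovers), and the probe target decides what kind of failure can be detected (the directly connected gateway versus something beyond it, such as 8.8.8.8). The following checker is an added example written for this thread, not code from the original posters or from Cisco. It parses the route, sla monitor and track lines of an ASA config into a small model, reports the configuration mistakes discussed in both replies (backup AD equal to the primary's, backup AD 255, a tracked backup route, a probe aimed at the gateway itself, a probe sent out a different interface than the route it guards), and then simulates which default route is installed as the track state changes. The config strings embedded below are constructed inputs: the first reproduces the original poster's lines, the second is a hypothetical variant with the AD 255 mistake the second reply warns about. The selection model is a simplification of what the ASA does (it ignores connected routes, ECMP and interface state).

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed input: the original poster's route/sla/track lines.
ASA_CONFIG = """\
route outside 0.0.0.0 0.0.0.0 2.2.2.1 11 track 1
route Outside-TW 0.0.0.0 0.0.0.0 1.1.1.1 1 track 2
sla monitor 1
 type echo protocol ipIcmpEcho 2.2.2.1 interface outside
 frequency 10
sla monitor schedule 1 life forever start-time now
sla monitor 2
 type echo protocol ipIcmpEcho 1.1.1.1 interface Outside-TW
 frequency 10
sla monitor schedule 2 life forever start-time now
track 1 rtr 1 reachability
track 2 rtr 2 reachability
"""

# Constructed (hypothetical) input: remote probe target, but backup AD 255.
AD255_CONFIG = """\
route Primary_ISP 0.0.0.0 0.0.0.0 1.1.1.1 track 9
route Backup_ISP 0.0.0.0 0.0.0.0 2.2.2.1 255
sla monitor 9
 type echo protocol ipIcmpEcho 8.8.8.8 interface Primary_ISP
 num-packets 3
sla monitor schedule 9 life forever start-time now
track 9 rtr 9 reachability
"""

@dataclass
class Route:
    iface: str
    gateway: str
    ad: int                      # administrative distance; ASA default is 1
    track: Optional[int] = None  # track object guarding this route, if any

ROUTE_RE = re.compile(r"^route (\S+) 0\.0\.0\.0 0\.0\.0\.0 (\S+)(?: (\d+))?(?: track (\d+))?$")

def parse_config(text: str) -> Tuple[List[Route], Dict[int, int], Dict[int, Tuple[str, str]]]:
    """Return (default routes, {track id: sla id}, {sla id: (probe target, probe interface)})."""
    routes, tracks, slas = [], {}, {}
    current_sla = None
    for raw in text.splitlines():
        line = raw.strip()
        m = ROUTE_RE.match(line)
        if m:
            iface, gw, ad, trk = m.groups()
            routes.append(Route(iface, gw, int(ad) if ad else 1, int(trk) if trk else None))
            continue
        m = re.match(r"^sla monitor (\d+)$", line)
        if m:
            current_sla = int(m.group(1))
            continue
        m = re.match(r"^type echo protocol ipIcmpEcho (\S+) interface (\S+)$", line)
        if m and current_sla is not None:
            slas[current_sla] = (m.group(1), m.group(2))
            continue
        m = re.match(r"^track (\d+) rtr (\d+) reachability$", line)
        if m:
            tracks[int(m.group(1))] = int(m.group(2))
    return routes, tracks, slas

def lint(routes: List[Route], tracks: Dict[int, int], slas: Dict[int, Tuple[str, str]]) -> List[str]:
    """Report the dual-ISP mistakes discussed in the thread. Lowest AD is the primary."""
    findings = []
    if len(routes) < 2:
        return ["fewer than two default routes; there is nothing to fail over to"]
    primary, *backups = sorted(routes, key=lambda r: r.ad)
    for b in backups:
        if b.ad == primary.ad:
            findings.append(f"{b.iface}: backup AD {b.ad} equals the primary's; raise it so the backup is used only when the primary is withdrawn")
        if b.ad == 255:
            findings.append(f"{b.iface}: AD 255 is never installed, so automatic failover is impossible")
        if b.track is not None:
            findings.append(f"{b.iface}: backup route is tracked; it should be a plain static route so it is always available")
    if primary.track is None:
        findings.append(f"{primary.iface}: primary default route has no track, so it is never withdrawn")
    elif tracks.get(primary.track) not in slas:
        findings.append(f"{primary.iface}: track {primary.track} does not resolve to a configured sla monitor")
    else:
        target, probe_iface = slas[tracks[primary.track]]
        if probe_iface != primary.iface:
            findings.append(f"{primary.iface}: probe leaves via {probe_iface}, not the interface the route uses")
        if target == primary.gateway:
            findings.append(f"{primary.iface}: probe targets the directly connected gateway {target}; a failure beyond it is not detected (probe a remote address such as 8.8.8.8)")
    return findings

def installed_default_route(routes: List[Route], track_state: Dict[int, bool]) -> Optional[Route]:
    """Simplified ASA selection: a tracked route is withdrawn while its track is down,
    AD 255 routes are never installed, and the lowest AD among the rest wins."""
    candidates = [r for r in routes
                  if r.ad < 255 and (r.track is None or track_state.get(r.track, True))]
    return min(candidates, key=lambda r: r.ad) if candidates else None

if __name__ == "__main__":
    routes, tracks, slas = parse_config(ASA_CONFIG)
    for f in lint(routes, tracks, slas):
        print("-", f)
    # Primary probe fails, then recovers: the route flips to 'outside' and back again.
    for state in ({1: True, 2: True}, {1: True, 2: False}, {1: True, 2: True}):
        r = installed_default_route(routes, state)
        print(state, "->", r.iface if r else "no default route")
```

Run against the original poster's lines, the checker confirms the backup AD (11) is already higher than the primary's (1), flags the tracked backup route, and flags that both probes target the directly connected gateways, which is exactly why an upstream failure would go unnoticed. The simulation shows the 'outside' route taking over while track 2 is down and 'Outside-TW' returning as soon as the probe succeeds again.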
