
SLA MONITOR NOT WORKING AS EXPECTED FOR DEFAULT ROUTE AND VPN

bassono_t
Level 1

Hi all,

I have a central site with a few remote sites connected this way:

1) A pair of Cisco ASA 5520s deployed in ACTIVE/PASSIVE redundancy at the edge of all sites, including the central site.

2) ALL sites are interconnected by VSAT via the central site; the VSAT is the primary means of exchange between sites: Data + VoIP.

3) Each site has a local Internet connection acting as its primary means to the Internet. The central site has more bandwidth for Internet so as to provide the remote sites a secondary means to the Internet via the VSAT in case the local Internet connection fails.

4) Each remote site has an IPSec L2L VPN connection with the central site, to be used as backup for inter-site traffic when the primary (VSAT) fails.

5) Each remote site has a tracked default route with default AD to the local ISP gateway and a backup default route with AD = 254 to the central site via VSAT.

6) The central site has tracked inter-site traffic routes with default AD to all remote sites via the VSAT and backup inter-site traffic routes with AD = 254 to the remote sites via VPN.

7) Each remote site has tracked inter-site traffic routes with default AD to the central site via VSAT and backup inter-site routes with AD = 254 via VPN to the central site.

The problem I am experiencing is this: when the VSAT goes down at a remote site and the VPN comes up, there is no seamless switchover to the secondary between the remote sites and the central site. The same happens when the Internet goes down at a remote site. When I check the status of my tracks, it sometimes shows up while the tracked object is actually down.

When I remove the tracked routes, the backup routes appear in the routing table and everything works.

What am I missing? Does it have to do with the failover, the VPN or the devices themselves?

I am using static routing throughout with ASA sw 7.2(2) on all systems.

Thanks for your help.
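
The route layout described in items 5 and 7 of the post above, sketched as an added ASA configuration example (not the poster's configuration and not from Cisco). The interface names `outside` and `vsat`, the SLA and track IDs, the timer values and all addresses are assumed placeholders.

```cisco
! Added illustration; every name, ID, timer and address below is an assumed placeholder.
!
! Remote site, item 5: tracked default route via the local ISP (default AD of 1),
! floating backup default route via the VSAT with AD 254.
sla monitor 10
 type echo protocol ipIcmpEcho 198.51.100.1 interface outside
 num-packets 3
 timeout 1000
 frequency 5
sla monitor schedule 10 life forever start-time now
track 1 rtr 10 reachability
route outside 0.0.0.0 0.0.0.0 198.51.100.1 1 track 1
route vsat 0.0.0.0 0.0.0.0 10.255.0.1 254
!
! Remote site, item 7: tracked route to the central LAN via the VSAT,
! floating backup with AD 254 out the interface that carries the L2L VPN.
sla monitor 20
 type echo protocol ipIcmpEcho 10.255.0.1 interface vsat
 num-packets 3
 timeout 1000
 frequency 5
sla monitor schedule 20 life forever start-time now
track 2 rtr 20 reachability
route vsat 10.0.0.0 255.255.0.0 10.255.0.1 1 track 2
route outside 10.0.0.0 255.255.0.0 198.51.100.1 254
!
! From privileged EXEC, to compare probe state, track state and the routing table:
show sla monitor operational-state
show track
show route
```

A track object follows only whether echo replies come back from the monitored address through the named interface, so the three `show` outputs are worth reading side by side when a track reports up while the link is believed to be down.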

2 Replies

Maykol Rojas
Cisco Employee

Hi,

What do you mean when you say seamless? To summarize, you have branch offices with a primary link and then a VPN link that goes to the main site; if the Internet goes down, it will go to the VPN, right?

We need to take into consideration that the tunnel would need to go up and until then you will be able to pass traffic; you may need to tweak the settings for your tunnels in order to avoid the SA being deleted.

Let me know what you think.

Mike Rojas

Mike

Hi Mike,

Thanks for replying. What I mean by seamless switchover is that when the primary link (primary Internet route via the local ISP) goes down, there is no switchover to the secondary route for Internet via the VSAT.

The VPN comes up all right when the VSAT goes down, but the ASA at the main site still maintains the primary routes to the remote site via the VSAT and not the secondary routes via the VPN.

All I mean is that my configured SLA monitors with the tracked routes don't work automatically as expected, whereas when I manually delete the primary routes (for the Internet on the remote sites when the local ISP goes down, or the routes to the remote sites via the VSAT), the secondary routes (to the Internet through the central site from the remote sites via the VSAT, and the routes to the remote sites via the VPN) start appearing in the routing table and are then used.

I hope my explanation is clear!

Thanks for helping.

Rgds,
