Forgot the second this.

Other thing we can do is ISP failback, i.e, if one ISP fails, traffic can be routed through different ISP. This type of configuration is only supported if you are running on OS version 7.2 or higher-

Failback of ISP works using a new feature called "Static Route Tracking".

The main problem with defining two default static routes with different AD was:

- How to determine if the route with lower AD has failed ??

- The route with lower AD will only be used if the associated interface goes down itself.

Thus, in order to make sure that the current static route is functional we needed something for monitoring

the connectivity using this route.

ICMP was used for this. With Static Route Tracking configured, PIX keeps a check on the static route

using echo-request messages.

When monitoring of a particular route fails, it is removed from the routing table and a previously configured

backup route is used in place of the removed route. A backup route can be another default route with a

higher metric than the existing one.

Following commands can be used for ISP failback:

--> pixfirewall(config)# sla monitor 20

(20 is only a ID here. Valid values are from 1 to 2147483647.)

--> pixfirewall (config-sla-monitor)# type echo protocol ipIcmpEcho 192.168.1.1 interface outside

192.168.1.1 - This is my target IP on which PIX will keep a check. There are options available

on this, but its on your discreation on what you want to keep a check on. For eg:

- We can set PIX to keep a check on some host outside which is accessible via existing static default

route I'm checking.

--> pixfirewall(config)# sla monitor schedule 20 life forever start-time now

- Above command is telling PIX to start monitoring on "sla-id 20" now (start-time now) and

continue monitoring forever (life forever).

Next, I create a "Track ID" to associate a static route entry with the SLA monitoring process.

--> pixfirewall(config)# track 200 rtr 20 reachability

(200 is the Track_id and 20 is the sla-id)

Now we will use above "TRACK" to track a static route on PIX and make sure that the static route is

working fine. This is done using following command:

-> pixfirewall(config)# route outside 0 0 192.168.1.1 1 track 200

PIX will see that a "Track ID" is associated with the static route. PIX will check the TRACK which is supposed to

track the static route as defined in "SLA", here sla-id (20).

The SLA says to monitor forever and start monitoring as soon as SLA is created and the target it will monitor

through the static route is defined above as "192.168.1.1". This was done in the following command.

-> pixfirewall (config-sla-monitor)# type echo protocol ipIcmpEcho 192.168.1.1 interface outside

To summarize:

In order to configure Static Route Tracking for a static route entered manually, following commands are

entered:

--> pixfirewall(config)# sla monitor 20

--> pixfirewall (config-sla-monitor)# type echo protocol ipIcmpEcho 192.168.1.1 interface outside

--> pixfirewall (config-sla-monitor)# exit

--> pixfirewall(config)# sla monitor schedule 20 life forever start-time now

--> pixfirewall(config)# track 200 rtr 20 reachability

--> pixfirewall(config)# route outside 0 0 192.168.1.1 1 track 200

--> pixfirewall(config)# route failback 0 0 192.168.2.1 100

When it is detected that route via 192.168.1.1 has failed, route with higher metric will takeover.

Let me know if you have any questions on this.

Regards,

Vibhor,

Hi Vibhor..

i have 2 queries...

1. will this also work for VPN redundancy...i.e once the primary isp goes down..the site to site vpn's should be established with the other ISP address...I know that we might have to clear the SA manually but can we decrease the timeout or the lifetime so that it automatically clears the SA...

2. I have configured ISP redundancy at one site and the problem that i faced is that If ?Redundancy Link? goes down then ?Primary Link? does not come up automatically, then we need to remove the static route of Primary Link and add it again and after that internet start working, but again for Site to SIte VPN tunnel we need to clear crypto isakmp entry and then only the VPN Tunnel establish. Please let me know if you have any inputs..

interface GigabitEthernet0/0

nameif outside

security-level 0

ip address 1.1.1.1 255.255.255.240 standby 1.1.1.2

interface GigabitEthernet0/3

nameif backup

security-level 0

ip address 2.2.2.2 255.255.255.224 standby 2.2.2.3

route outside 0.0.0.0 0.0.0.0 1.1.1.100 1 track 1

route backup 0.0.0.0 0.0.0.0 2.2.2.100 254

sla monitor 123

type echo protocol ipIcmpEcho 10.10.10.1 interface outside

num-packets 3

frequency 10

sla monitor schedule 123 life forever start-time now

track 1 rtr 123 reachability

crypto map outside_map interface outside

crypto map outside_map interface backup

Please note :IP addresses have been changed.

regards

Zubair

For VPNs, need to clear the SAs.

Regarding route not being reinstalled, if the configuration is correct, then this should be due to a bug.

hi vibhor i couldn;t really understand the routes u have put on the pix.

route ISP1 128.0.0.0 128.0.0.0 1.1.1.1

in this route where ISP1 is the exit interface 128.0.0.0 is the destination network. could u pls tell why have u choose this as the destination. and i am really confused abt the subnet masks also. i guess the turned on bits in the subnet mask only represent the bits that are used.

and why will the first route create a default route .

as we are connecting to the isp for the internet.

i am really not getting this can u pls explain.

waiting for ur reply.

regards

sebastan

Did anybody ever solve this problem?

sebastan,

Vibhor divied internet into two parts.

One part is going though ISP1 and another though ISP2.

route ISP2 128.0.0.0 128.0.0.0 2.2.2.2

route ISP1 0.0.0.0 128.0.0.0 1.1.1.1