09-17-2016 02:35 PM - edited 03-12-2019 01:17 AM
I am working on setting up an ASA5520 to use the TRACK and SLA MONITOR function to support failover to a backup DSL link. The route injection is showing metric of 1 for the backup link when primary service is restored, even though static route shows metric of 254.
I have the configuration; it works well and routes are going to the right place during normal operations. If I pull the plug on the primary link, all traffic switches over to go out the DSL link as expected. The show route command shows the new default gateway is the DSL connection.
When I put the primary Ethernet link back in, I can see the arp-cache entry for the primary ISP, and I can ping the ISP's CPE address. HOWEVER, the default-gateway route is still going out the DSL link, even though I can ping the primary next-hop gateway.
The only (convenient and non-intrusive) recovery is to "clear route" in the firewall and then the service goes back out the (much faster) primary link.
Here are some configuration snippets:
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address X.X.X.50 255.255.255.252
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 192.168.120.1 255.255.255.0
!
interface GigabitEthernet0/2
nameif DSL
security-level 0
ip address dhcp setroute
route outside 0.0.0.0 0.0.0.0 x.x.x.49 1 track 1
route DSL 0.0.0.0 0.0.0.0 192.168.1.1 254 (Note the metric is 254 here)
sla monitor 1
type echo protocol ipIcmpEcho 142.254.183.169 interface outside (This address is one hop beyond my ISP CPE)
num-packets 2
frequency 5
sla monitor schedule 1 life forever start-time now
track 1 rtr 1 reachability
route outside 0.0.0.0 0.0.0.0 x.x.x.49 1 track 1
route DSL 0.0.0.0 0.0.0.0 192.168.1.1 254
route outside 142.254.183.169 255.255.255.255 x.x.x.49 1
Here's the status of the SLA:
MRW-TR# sh sla monitor operational-state
Entry number: 1
Modification time: 18:41:13.932 UTC Sat Sep 17 2016
Number of Octets Used by this Entry: 1480
Number of operations attempted: 540
Number of operations skipped: 5
Current seconds left in Life: Forever
Operational state of entry: Active
Last time this entry was reset: Never
Connection loss occurred: FALSE
Timeout occurred: FALSE
Over thresholds occurred: FALSE
Latest RTT (milliseconds): 1
Latest operation start time: 19:26:33.936 UTC Sat Sep 17 2016
Latest operation return code: OK
RTT Values:
RTTAvg: 1 RTTMin: 1 RTTMax: 1
NumOfRTT: 2 RTTSum: 2 RTTSum2: 2
So this is the routing table when it is all happy:
Gateway of last resort is x.x.x.49 to network 0.0.0.0
C 192.168.120.0 255.255.255.0 is directly connected, inside
C x.x.x.48 255.255.255.252 is directly connected, outside
S 192.168.110.0 255.255.255.0 [1/0] via 192.168.1.1, outside
[1/0] via x.x.x.49, outside
S 142.254.183.169 255.255.255.255 [1/0] via x.x.x.49, outside
S 172.16.110.0 255.255.255.0 [1/0] via 192.168.1.1, outside
[1/0] via x.x.x.49, outside
S 10.1.110.0 255.255.255.0 [1/0] via 192.168.1.1, outside
[1/0] via x.x.x.49, outside
S 10.10.110.0 255.255.255.0 [1/0] via 192.168.1.1, outside
[1/0] via x.x.x.49, outside
C 192.168.1.0 255.255.255.0 is directly connected, DSL
S* 0.0.0.0 0.0.0.0 [1/0] via x.x.x.49, outside
This is the routing table when the primary Ethernet is unplugged and then plugged back in (service restored):
Gateway of last resort is 192.168.1.1 to network 0.0.0.0
C 192.168.120.0 255.255.255.0 is directly connected, inside
C x.x.x.48 255.255.255.252 is directly connected, outside
S 192.168.110.0 255.255.255.0 [1/0] via 192.168.1.1, outside
[1/0] via x.x.x.49, outside
S 142.254.183.169 255.255.255.255 [1/0] via x.x.x.49, outside
S 172.16.110.0 255.255.255.0 [1/0] via 192.168.1.1, outside
[1/0] via x.x.x.49, outside
S 10.1.110.0 255.255.255.0 [1/0] via 192.168.1.1, outside
[1/0] via x.x.x.49, outside
S 10.10.110.0 255.255.255.0 [1/0] via 192.168.1.1, outside
[1/0] via x.x.x.49, outside
C 192.168.1.0 255.255.255.0 is directly connected, DSL
S* 0.0.0.0 0.0.0.0 [1/0] via x.x.x.49, outside
My observations
Thanks for your help!
Chris
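The condition described in this post (the SLA probe reports OK again, yet the gateway of last resort is still the DSL next hop) can be caught from the two show outputs the poster already collects. The following is an added example, not the poster's or Cisco's code: it parses constructed samples modelled on the `show sla monitor operational-state` and `show route` output above, and flags the stuck-on-backup state. The primary next-hop value (x.x.x.49) and the verdict names are assumptions of this example.

```python
import re

# Constructed sample outputs, modelled on the post (placeholders kept as-is).
SLA_OK = """Entry number: 1
Operational state of entry: Active
Timeout occurred: FALSE
Latest operation return code: OK
"""

ROUTE_HEALTHY = """Gateway of last resort is x.x.x.49 to network 0.0.0.0
C 192.168.1.0 255.255.255.0 is directly connected, DSL
S* 0.0.0.0 0.0.0.0 [1/0] via x.x.x.49, outside
"""

# Same S* line, but forwarding still points at the backup gateway.
ROUTE_STUCK = """Gateway of last resort is 192.168.1.1 to network 0.0.0.0
C 192.168.1.0 255.255.255.0 is directly connected, DSL
S* 0.0.0.0 0.0.0.0 [1/0] via x.x.x.49, outside
"""

def sla_return_code(text):
    """Latest SLA probe result, e.g. 'OK' or 'Timeout'."""
    m = re.search(r"^Latest operation return code:\s*(\S+)", text, re.M)
    return m.group(1) if m else None

def gateway_of_last_resort(text):
    """Next hop the ASA is actually using for 0.0.0.0/0."""
    m = re.search(r"^Gateway of last resort is (\S+) to network", text, re.M)
    return m.group(1) if m else None

def default_route_next_hop(text):
    """(metric, next_hop) from the S* entry in show route."""
    m = re.search(r"^S\*\s+0\.0\.0\.0 0\.0\.0\.0 \[(\d+)/\d+\] via (\S+),", text, re.M)
    return (int(m.group(1)), m.group(2)) if m else None

def failback_check(sla_text, route_text, primary_hop):
    """Verdict: 'ok', 'failed-over', 'tracked-route-still-up' or 'stuck-on-backup'."""
    code = sla_return_code(sla_text)
    glr = gateway_of_last_resort(route_text)
    if code != "OK":
        # Probe failing: forwarding via the backup is the expected state.
        return "failed-over" if glr != primary_hop else "tracked-route-still-up"
    if glr == primary_hop:
        return "ok"
    # Probe succeeds but traffic still leaves via the backup gateway: the
    # state the post describes, which the poster recovers with 'clear route'.
    return "stuck-on-backup"
```

Run it on a schedule against the live outputs and alert on "stuck-on-backup"; that turns the manual check into a detection instead of waiting for users to notice the slower link.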