ASA 5510 not pinging out backup interface (trying to setup failover through SLA)

bhirschtick
Level 1

I am trying to set up failover via SLA monitoring and I am having an issue with the backup interface. I have a Cisco ASA 5510 that has 2 ISPs, one on an outside interface and one on a backup interface. The outside interface can ping a public IP (8.8.8.8) successfully; however, the backup interface cannot ping any public IP, although it can ping its gateway. I have plugged my laptop directly into the gateway and given it the same IP address as the ASA backup interface, and it was able to ping public IPs.

I have tried the following configurations to troubleshoot the issue:

-ICMP permit any backup echo

-ICMP permit any backup echo-reply

-access-list 101 extended permit icmp any any echo

-access-list 101 extended permit icmp any any echo-reply

-I have also removed any ACL from the interface

-I created a new ACL with permits everything

NONE of these worked. 

Below is the ASA 5510 firewall configuration:

ASA Version 8.2(5)
!
interface Ethernet0/0
 nameif inside
 security-level 100
 ip address ZZ.ZZZ.ZZ.ZZZ 255.255.255.0
!
interface Ethernet0/1
 nameif outside
 security-level 0
 ip address XX.XXX.XX.XX 255.0.0.0
!
interface Ethernet0/2
 nameif backup
 security-level 0
 ip address YY.YY.YYY.YYY 255.255.255.248
!
interface Ethernet0/3
 nameif Voice
 security-level 100
 ip address 10.1.10.1 255.255.255.0
!

boot system disk0:/asa825-k8.bin

same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

access-list 101 extended permit tcp 64.18.0.0 255.255.240.0 interface backup eq smtp
access-list 101 extended permit ip 38.98.142.0 255.255.255.192 any
access-list 101 extended permit tcp any interface backup eq 3389
access-list 101 extended permit tcp any interface backup eq www
access-list 101 extended permit tcp any interface backup eq pop3
access-list 101 extended permit ip 10.1.10.0 255.255.255.0 10.2.10.0 255.255.255.0
access-list 101 extended permit tcp 74.217.1.192 255.255.255.192 any eq 3389
access-list 101 extended permit ip interface backup host 8.8.8.8

access-list 102 extended permit ip any any

access-list outside_cryptomap_20 extended permit ip 192.168.24.0 255.255.255.0 192.168.25.0 255.255.255.0
access-list outside_cryptomap_20 extended permit ip 10.1.10.0 255.255.255.0 10.2.10.0 255.255.255.0

access-list to-voice extended permit ip any any

access-list 105 extended permit ip 10.2.10.0 255.255.255.0 10.1.10.0 255.255.255.0
access-list DC extended permit ip 192.168.24.0 255.255.255.0 10.168.24.0 255.255.255.0

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-713.bin
no asdm history enable
arp timeout 60
global (inside) 1 interface
global (outside) 1 interface
global (backup) 1 interface

static (inside,backup) tcp interface www 192.168.24.4 www netmask 255.255.255.255
static (inside,backup) tcp interface pop3 192.168.24.4 pop3 netmask 255.255.255.255
static (inside,outside) tcp interface pop3 192.168.24.5 pop3 netmask 255.255.255.255
static (inside,outside) tcp interface www 192.168.24.230 www netmask 255.255.255.255
static (inside,outside) tcp interface smtp 192.168.24.230 smtp netmask 255.255.255.255
static (inside,backup) tcp interface smtp 192.168.24.230 smtp netmask 255.255.255.255
static (inside,backup) tcp interface 3389 192.168.24.4 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 3389 192.168.24.5 3389 netmask 255.255.255.255
static (inside,outside) 216.90.254.3 192.168.24.70 netmask 255.255.255.255
static (inside,Voice) 192.168.24.0 192.168.24.0 netmask 255.255.255.0
static (inside,outside) 38.102.48.165 192.168.24.215 netmask 255.255.255.255
static (inside,outside) 38.102.48.166 192.168.24.212 netmask 255.255.255.255
static (inside,backup) 12.23.172.235 192.168.24.70 netmask 255.255.255.255


access-group 100 in interface outside
access-group 101 in interface backup

route outside 0.0.0.0 0.0.0.0 XX.XXX.XX.XX 1 track 1

route backup 0.0.0.0 0.0.0.0 YY.YY.YYY.YYY 254

sla monitor 123
 type echo protocol ipIcmpEcho 8.8.8.8 interface outside
 num-packets 6
 frequency 10
sla monitor schedule 123 life forever start-time now

track 1 rtr 123 reachability

class-map inspection_default
 match default-inspection-traffic
class-map Voice-OUT
 match access-list 105
class-map Voice-IN
 match access-list 100
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 1024
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
policy-map Voicepolicy
 class Voice-IN
 class Voice-OUT
  priority
!
service-policy global_policy global
service-policy Voicepolicy interface outside
service-policy Voicepolicy interface backup
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:2cafbdd9066cce7e9ed72359c55de19c
: end
HERE IS THE GATEWAY CONFIG:

!This configuration has had sensitive information
! scrubbed out.  Please report any flaws to:
!        dl-att-action@ems.att.com

! Copyright © 2014 AT&T.  All rights reserved.


!
!
!
!
version 15.2
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime
service password-encryption
!
hostname USMELTSCHIL02R
!
boot-start-marker
boot system SCRUBBED
boot-end-marker
!
!
card type t1 1 1
logging buffered 32000
no logging console
enable secret 5 SCRUBBED
!
aaa new-model
!
!
aaa group server radius h323
 server SCRUBBED auth-port 1812 acct-port 1813
 server SCRUBBED auth-port 1826 acct-port 1827
!
aaa authentication login default group tacacs+ line
aaa authentication enable default group tacacs+ enable
aaa authorization console
aaa authorization config-commands
aaa authorization exec default group tacacs+ if-authenticated 
aaa authorization commands 1 default group tacacs+ if-authenticated 
aaa authorization commands 15 default group tacacs+ if-authenticated 
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
aaa accounting connection h323 stop-only group radius group h323
aaa accounting system default start-stop group tacacs+
!
!
!
!
!
aaa session-id common
clock timezone GMT 0 0
!
network-clock-participate slot 1 
no ipv6 cef
no ip source-route
!
!
!
no ip mfib
!
!
no ip domain lookup
ip cef
multilink bundle-name authenticated
!
!
!
!
isdn switch-type primary-ni
!
!
key SCRUBBED
 key SCRUBBED
  key-string SCRUBBED
crypto pki token default removal timeout 0
!
!
voice-card 0
 dspfarm
 dsp services dspfarm
!
voice-card 1
 dspfarm
 dsp services dspfarm
!
!
!
voice service voip
 fax protocol t38 version 0 ls-redundancy 1 hs-redundancy 0 fallback pass-through g711ulaw
 sip
  bind control source-interface Loopback0
  bind media source-interface Loopback0
  min-se 900 session-expires 900
  asserted-id pai
  privacy pstn
!
voice class codec 1
 codec preference 1 g729br8
 codec preference 2 g729r8
 codec preference 3 g711ulaw
!
!
!
voice vad-time 65536
!
!
!
license udi pid C3900-SPE250/K9 sn  SCRUBBED
!
!
hw-module pvdm 0/0
!
hw-module pvdm 0/1
!
dial-control-mib retain-timer 10080
!
redundancy
!
!
controller T1 1/0
 clock source internal
 pri-group timeslots 1-24
 description att-unman
!
controller T1 1/1
 shutdown
 pri-group timeslots 1-24
 description att-unman
!
ip telnet source-interface Loopback0
ip tftp source-interface Loopback0
ip ssh version 2
!
class-map match-any NMC_RP
 description Traffic due to dynamic routing (BGP) 
 match access-group 178
class-map match-any NMC_SNMP
 description Network Management traffic 
 match access-group 180
class-map match-any NMC
 description BGP + SNMP traffic 
 match access-group 178
 match access-group 180
class-map match-all COS3_SAA
 description COS1 SAA traffic 
 match ip dscp af21 
 match access-group 179
class-map match-all COS2_SAA
 description COS1 SAA traffic 
 match ip dscp af31 
 match access-group 179
class-map match-all COS1_SAA
 description COS1 SAA traffic 
 match ip dscp ef 
 match access-group 179
class-map match-all COS4_SAA
 description COS1 SAA traffic 
 match ip dscp default 
 match access-group 179
class-map match-any COS4_TRAFFIC
 description Best Effort traffic 
 match access-group 184
class-map match-any COS4
 match class-map COS4_SAA
 match class-map COS4_TRAFFIC
class-map match-any COS3_TRAFFIC
 match access-group 183
class-map match-any COS3
 match class-map COS3_SAA
 match class-map COS3_TRAFFIC
class-map match-any COS2_TRAFFIC
 description COS2 traffic
 match access-group 182
class-map match-any COS2
 match class-map COS2_SAA
 match class-map COS2_TRAFFIC
class-map match-any COS1_TRAFFIC
 description Real-Time traffic 
 match access-group 181
 match access-group 185
 match ip dscp ef 
class-map match-any COS1
 match class-map COS1_SAA
 match class-map COS1_TRAFFIC
class-map match-any COS3_NONCONF
 match ip dscp af22 
class-map match-any COS2_NONCONF
 match ip dscp af32 
!
!
policy-map NMC_CLASSIFICATION
 class NMC_RP
  police cir 16000 bc 8000 be 8000
   conform-action set-dscp-transmit cs6
   exceed-action set-dscp-transmit cs6
 class NMC_SNMP
  police cir 16000 bc 8000 be 8000
   conform-action set-dscp-transmit af21
   exceed-action set-dscp-transmit af21
policy-map COS4_CLASSIFICATION
 class COS4_TRAFFIC
  police cir 1979500 bc 247450 be 247450
   conform-action set-dscp-transmit default
   exceed-action set-dscp-transmit default
policy-map COS1_CLASSIFICATION
 class COS1_TRAFFIC
  police cir 17816000 bc 2227050 be 2227050
   conform-action set-dscp-transmit ef
   exceed-action drop 
policy-map CE_EGRESS_QUEUING
 class NMC
  bandwidth remaining percent 10 
  random-detect dscp-based
  random-detect dscp 18 200 300 10
  random-detect dscp 48 200 300 10
  service-policy NMC_CLASSIFICATION
 class COS1
  priority
  queue-limit 4096 packets
  service-policy COS1_CLASSIFICATION
 class COS4
  bandwidth remaining percent 89 
  random-detect dscp-based
  random-detect exponential-weighting-constant 1
  random-detect dscp 0 100 200 10
  service-policy COS4_CLASSIFICATION
policy-map EA_EGRESS_QUEUING
 class class-default
  shape average 19796000
  service-policy CE_EGRESS_QUEUING

!
!
!
!
!
interface Loopback0
 ip address 12.67.31.44 255.255.255.255
!
interface GigabitEthernet0/0
 description connection to customer LAN 
 ip address 12.23.172.233 255.255.255.248
 no ip redirects
 duplex auto
 speed auto
 media-type rj45
 no cdp enable
!
interface GigabitEthernet0/1
 description connection to CBB DHEC.111111 
 ip address 12.251.126.206 255.255.255.252
 ip access-group inb-serial in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 duplex full
 speed 100
 no cdp enable
 service-policy output EA_EGRESS_QUEUING

!
!!
ip route 0.0.0.0 0.0.0.0 12.251.126.205
ip tacacs source-interface Loopback0
!
ip access-list extended inb-serial
 permit icmp any 12.23.172.232 0.0.0.7 
 deny   ip 127.0.0.0 0.255.255.255 any
 permit udp any host 12.67.31.44 range 16384 32768
 permit udp 12.194.0.0 0.0.255.255 host 12.67.31.44 gt 1023
 permit tcp 12.194.0.0 0.0.255.255 host 12.67.31.44 gt 1023
 permit udp any eq domain host 12.67.31.44 gt 1023
 deny   udp any any eq 5060
 deny   tcp any any eq 5060
 permit ip SCRUBBED 0.0.0.7 any
 permit ip SCRUBBED 0.0.0.15 any
 permit ip SCRUBBED 0.0.0.15 any
 permit ip SCRUBBED 0.0.0.127 any
 permit ip 12.38.8.128 0.0.0.127 any
 deny   udp any any eq snmp
 deny   udp any any eq snmptrap
 permit ip SCRUBBED 0.0.0.255 any
 permit ip SCRUBBED 0.0.0.255 any
 permit ip SCRUBBED 0.0.0.255 any
 permit ip SCRUBBED 0.0.0.252 any
 permit icmp any host 12.67.31.44
 permit icmp any host 12.23.172.233
 permit ip 135.45.105.0 0.0.0.255 any
 deny   ip any host 12.23.172.233
 deny   ip 12.23.172.232 0.0.0.7 any
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 permit ip any 12.23.172.232 0.0.0.7
 permit tcp any any eq bgp
!
ip radius source-interface Loopback0 
ip sla key-chain probe-key
logging source-interface Loopback0
logging SCRUBBED
logging SCRUBBED
access-list 5 permit 12.38.8.226
access-list 7 deny   any
access-list 84 deny   any
access-list 178 remark BGP Traffic (NMC_RP) 
access-list 178 permit tcp any eq bgp any
access-list 178 permit tcp any any eq bgp
access-list 179 remark SAA Traffic (Delay & Jitter) 
access-list 179 permit icmp host YY.YY.YYY.YY any echo
access-list 179 permit udp host YY.YY.YYY.YY any eq 1967
access-list 179 permit udp host YY.YY.YYY.YY any eq 16181
access-list 179 permit udp host YY.YY.YYY.YY eq 16181 any
access-list 181 remark COS1 Traffic (Real-Time) 
access-list 181 permit udp host 12.67.31.44 any range 16384 32767

no cdp run
nls resp-timeout 1
cpd cr-id 1


cadet alain
VIP Alumni

Hi,

This is normal behavior, as the second static route (the floating one pointing out backup) is not installed as long as the first one is in the routing table. So it shouldn't appear in the sh route output, but as soon as the outside interface goes down the backup default route will get installed and you'll be able to ping 8.8.8.8 from it.

Regards

Alain

Don't forget to rate helpful posts.

I have used the command "ping backup 8.8.8.8", which to my knowledge initiates the ping from the backup interface. Would this still work regardless of the active route?

Hi,

No, the ASA needs a route for the destination, and the only route in the routing table that matches 8.8.8.8 is the default route on the outside interface.

Regards

Alain

Don't forget to rate helpful posts.
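Alain's explanation, as an added illustration that is not part of the thread: a small Python model of how the ASA selects the next hop with the two default routes from the posted config. It assumes the gateway placeholders from the post and models only static routes with administrative distance and a track object, which is enough to show why "ping backup 8.8.8.8" still leaves via outside while track 1 is up.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass
class StaticRoute:
    interface: str
    prefix: str                  # e.g. "0.0.0.0/0"
    gateway: str
    distance: int = 1            # administrative distance (ASA default 1)
    track: Optional[int] = None  # "track N": installed only while track N is up

class RoutingTable:
    def __init__(self, routes: List[StaticRoute], track_up: Dict[int, bool]):
        self.routes = routes
        self.track_up = track_up  # track object id -> reachability state

    def rib(self) -> Dict[str, StaticRoute]:
        # Installed routes (what 'show route' lists): per prefix, the
        # lowest-AD route whose track object, if any, is currently up.
        installed: Dict[str, StaticRoute] = {}
        for r in self.routes:
            if r.track is not None and not self.track_up.get(r.track, False):
                continue  # tracked route is withdrawn while the SLA probe fails
            cur = installed.get(r.prefix)
            if cur is None or r.distance < cur.distance:
                installed[r.prefix] = r
        return installed

    def lookup(self, dst: str) -> Optional[StaticRoute]:
        # Longest-prefix match over the installed routes only.
        ip = ipaddress.ip_address(dst)
        matches = [r for r in self.rib().values()
                   if ip in ipaddress.ip_network(r.prefix)]
        return max(matches, default=None,
                   key=lambda r: ipaddress.ip_network(r.prefix).prefixlen)

def thread_table(track1_up: bool) -> RoutingTable:
    # The two default routes from the posted config (gateways are the thread's
    # placeholders); track 1 follows SLA monitor 123, which probes 8.8.8.8.
    return RoutingTable([
        StaticRoute("outside", "0.0.0.0/0", "XX.XXX.XX.XX", 1, track=1),
        StaticRoute("backup", "0.0.0.0/0", "YY.YY.YYY.YYY", 254),
    ], {1: track1_up})

def ping_egress(source_interface: str, dst: str, track1_up: bool) -> str:
    # 'ping backup 8.8.8.8' only sets the source interface; the next hop is
    # still chosen from the installed RIB, regardless of source_interface.
    route = thread_table(track1_up).lookup(dst)
    return route.interface if route else "no route"
```

With track 1 up only the outside default route is installed, so the ping sourced from backup is still routed out of outside; once the SLA probe fails, the backup route (AD 254) takes its place.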

I was just checking, but even when we had it as the primary route, it still would not ping.