Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1056
Views
15
Helpful
7
Replies

Assistance with automatic fail-over route

Go to solution
ssuttle1
Level 1
Level 1

‎04-01-2020 01:07 PM

I need some assistance configuring an automatic failover/backup route.  My network has a primary ISP that connects to an ASA at one location and a backup ISP that connects to another ASA at a different location.  Currently, if our primary ISP link goes down we have to manually change a static route on two layer-3 core switches to point to the secondary ASA/ISP.  I would like to configure it to failover to the secondary automatically and failback when the primary comes back up.  Any guidance is appreciated.

 

Thanks,

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions
7 Replies 7

Go to solution
Georg Pauwen
VIP
VIP

‎04-01-2020 02:08 PM

Hello,

 

have a look at the document below:

 

Configure the ASA for Redundant or Backup ISP Links

 

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/118962-configure-asa-00.html

Go to solution
Cristian Matei
VIP Alumni
VIP Alumni

‎04-02-2020 12:10 AM

Hi,

   

   If you want a functional solution and not just some opinions, attach a diagram, even hand made and picture it, specifying the layer 3 devices (edge/core), the IP interconnects, what kind of static/dynamic routing you run where (internal routing in your network and external routing towards your ISP).

 

Regards,

Cristian Matei.

Go to solution
ssuttle1
Level 1
Level 1
In response to Cristian Matei

‎04-03-2020 06:36 AM

Here's a diagram of the edge.  I have multiple LANs behind both multilayer switches.  To manually failover/back I SSH into each C3650 and change the static route. (ip route 0.0.0.0 0.0.0.0 LIBASA (primary ISP Connection)) (ip route 0.0.0.0 0.0.0.0 PD-ASA (backup ISP connection)).  

Preview file
33 KB
0 Helpful

Go to solution
Cristian Matei
VIP Alumni
VIP Alumni
In response to ssuttle1

‎04-03-2020 06:52 AM

Hi,

 

   Is dynamic routing between your switches and ASA's an option? Do you run any routing protocol currently?

 

Regards,

Cristian Matei.

0 Helpful

Go to solution
ssuttle1
Level 1
Level 1
In response to Cristian Matei

‎04-03-2020 09:25 AM

Currently, we have a mix of Static routes and EIGRP.

0 Helpful

Go to solution
Cristian Matei
VIP Alumni
VIP Alumni
In response to ssuttle1

‎04-04-2020 05:33 AM

Hi,

   

     You could run EIGRP up to the two ASA's; on the ASA's sun EIGRP only on the inside interface. Configure default route on both ASA's, with tracking (in order to be redistributed via EIGRP only if the next-hop is reachable), and redistribute the default route into EIGRP on both ASA's, with a better metric from the ASA that you want to be preferred for Internet exit.

 

sla monitor 100

 type echo protocol ipIcmpEcho 2.2.2.254 interface outside

 num-packets 3

 frequency 10

!

sla monitor schedule 100 life forever start-time now

track 1 rtr 100 reachability

route outside 0.0.0.0 0.0.0.0 203.0.113.2 1 track 1

!

prefix-list DEFAULT_ROUTE permit 0.0.0.0/0

route-map DEFAULT_ROUTE permit 10

 match ip address prefix DEFAULT_ROUTE

 set metric xx xx xx xx xx

!

router eigrp 100

 redistribute static route-map DEFAULT_ROUTE

 

Regards,

Cristian Matei.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card