Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
4066
Views
2
Helpful
25
Replies

inside traffic not routing to backup wan interface when primary down

ctimm
Level 1
Level 1

‎03-07-2023 08:25 AM

This is on an ASA 5516, ASA Version 9.16(3)19

I've configured a backup interface for our backup ISP following this documentation:

Configure the ASA for Redundant or Backup ISP Links - Cisco

The problem is that when the primary is down, traffic from the inside isn't routing through the backup interface.

I have this network object:

object network obj_any
subnet 0.0.0.0 0.0.0.0
object network obj_any
nat (any,outside) dynamic interface

If I add:

object network obj_any_backup
subnet 0.0.0.0 0.0.0.0
object network obj_any_backup
nat (any,outside-backup) dynamic interface

it isn't routing. The same, if I change the 1st to:

object network obj_any
subnet 0.0.0.0 0.0.0.0
object network obj_any
nat (any,outside-backup) dynamic interface

this doesn't work either.

Is there something incorrectly configured or am I missing any configuration?

 

Labels:
0 Helpful
25 Replies 25

ctimm
Level 1
Level 1
In response to balaji.bandi

‎03-08-2023 08:10 AM

Not adding twice

First line is what I enter in conf t

Second is the result of trying to add route-lookup where it errs

0 Helpful

Georg Pauwen
VIP
VIP

‎03-07-2023 11:12 PM

Hello,

I have not followed the entire thread, but make sure your config looks like below:

object network obj_any
subnet in.in.in.in 255.255.255.0
!
object network obj_any_backup
subnet in.in.in.in 255.255.255.0
!
object network obj_any
nat (inside,outside) dynamic interface
!
object network obj_any_backup
nat (inside,outside-backup) dynamic interface

interface GigabitEthernet1/1
nameif outside
security-level 0
ip address pri.pri.pri.pri 255.255.255.x
!
interface GigabitEthernet1/2
nameif inside
security-level 100
ip address in.in.in.in 255.255.255.0
!
interface GigabitEthernet1/3
nameif outside-backup
security-level 0
ip address bak.bak.bak.bak 255.255.255.x
!
route outside 0.0.0.0 0.0.0.0 pri.pri.pri.gw 1 track 1
route outside-backup 0.0.0.0 0.0.0.0 bak.bak.bak.bakgw 254
!
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:30
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
!
sla monitor 123
type echo protocol ipIcmpEcho 1.1.1.1 interface outside
num-packets 3
frequency 10
!
sla monitor schedule 123 life forever start-time now
!
track 1 rtr 123 reachability

0 Helpful

paul driver
VIP
VIP

‎03-07-2023 11:55 PM - edited ‎03-07-2023 11:56 PM

Hello

@ctimm wrote:

object network obj_any
nat (any,outside) dynamic interface route-lookup

nat (any,outside) dynamic interface route-lookup
^

Change your nat statement to specify the inside interface and not any interface, apart from that you CFG looks okay

object network obj_any
nat (inside,outside) dynamic interface route-lookup

nat (inside,backup) dynamic interface route-lookup


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
0 Helpful

MHM Cisco World
VIP
VIP

‎03-08-2023 06:08 AM

Lab I run and full success 

Screenshot (356).pngScreenshot (357).pngScreenshot (358).png

0 Helpful

ctimm
Level 1
Level 1

‎03-08-2023 08:16 PM

Unfortunately, no dice on all of the above.

Added note, if I go to an IP address detection site after forcefully failing over, it briefly will load and show the backup interface IP address but then stops.

I'm going to dig into this deeper on the LAN side and see if there may be some wfw rule, something on the switches, or something else on the internal that might be blocking this route.

Just doesn't make sense.

0 Helpful

MHM Cisco World
VIP
VIP
In response to ctimm

‎03-09-2023 07:41 AM

can I see the ASA config ??

0 Helpful

ctimm
Level 1
Level 1
In response to MHM Cisco World

‎03-09-2023 10:19 AM

Just sent you a DM with the code - It's long and didn't want to post openly on this thread

MHM Cisco World
VIP
VIP
In response to ctimm

‎03-09-2023 10:25 AM

I receive it, I will check 

0 Helpful

MHM Cisco World
VIP
VIP
In response to MHM Cisco World

‎03-09-2023 01:06 PM

sla monitor 123
type echo protocol ipIcmpEcho 1.1.1.1 interface outside <<-10.10.10.1 change the IP you ping to this one.
sla monitor schedule 123 life forever start-time now

also please do 
nat (inside,outside-backup) after-auto source dynamic any interface
nat (inside,outside) after-auto source dynamic any interface

remove below NAT
object network obj_any
nat (any,outside) dynamic interface



0 Helpful

ctimm
Level 1
Level 1
In response to MHM Cisco World

‎03-09-2023 07:59 PM

Sorry, still not routing outside with these changes.

I understand the type echo portion and that isn't part of the issue.

I've configured exactly as described, but to force outside-backup, I've used an IP that I know won't respond to requests and mark it as down.

This still doesn't route inside to 0.0.0.0 0.0.0.0

 

0 Helpful

MHM Cisco World
VIP
VIP
In response to ctimm

‎03-10-2023 02:31 AM

I have one point I need to check, I will update soon 

0 Helpful
Customers Also Viewed These Support Documents