
Need help with Router and ASA config for fail over


We have two offices in the US and one in Mexico. Our site in Mexico connects to our headquarters in the US over an AVPN/MPLS circuit. Mexico has a separate Internet connection through TelMex. There is an ASA 5510 at headquarters and an ASA 5505 in Mexico. We have a failover VPN set up in the ASAs for times when the MPLS circuit goes down. All Internet traffic in Mexico is supposed to be routed to the TelMex connection. All company traffic is supposed to be routed to the Cisco router. The ASA is supposed to be the last-resort route. We have a failover VPN set up in the ASAs for times when the MPLS circuit goes down. (Or at least we did until I had someone work on the configuration.) Everything had been working fine for the last 4 years.

Yesterday when the MPLS went down, so did their Internet connection. I realized the Internet traffic is now coming through the MPLS circuit to headquarters and out our ASA. Obviously there is a problem with the configuration. I do not have enough experience to figure this out. I have attached the configs and the routes for both the ASA and the router.

I would really appreciate it if someone could help me and tell me what changes to make.


Jon Marshall
VIP Community Legend

To help you out we are going to need quite a bit more info. Do you know what was being changed ? Can you not just ask the person who made the changes what they did ?

If not we need the following -

1) Can you draw a topology diagram, doesn't have to be a work of art , just enough to show how things are connected up

2) at the Mexico site what sits behind the router and ASA - is it a L2 switch or L3.

3) What is the default-gateway for the clients in the Mexico site ?

4) the configs you have posted, are they just the Mexico end of things ?

those are just the first set of questions but it should be enough to get us going.


We lost power in our complex an hour after I posted this. I can however answer a few questions today. I will answer the rest tomorrow.

The switch in Mexico is a Linksys L2.

The configs I posted are for Mexico only.

The default gateway is the router X.X.4.120.

I did ask him about it but he got very defensive. I just wanted to know how to fix it.


Okay, just a quick question before tomorrow.

If the default-gateway is the router then how do you get traffic to go to the ASA for Internet? Does the router route the traffic back out of the same interface the traffic came in on to the ASA, or is the ASA reachable via another interface on the router, i.e. a different interface than the one the clients use as their default-gateway?


The routing table sends only specified subnets out the WAN interface. The gateway of last resort is 4.5. So all Internet traffic is sent over to the ASA.

I have uploaded a basic drawing of the infrastructure.

Apologies, I didn't get the e-mail notification for this thread.

I can't read Visio files, can you save it as a JPG and repost?



I had a quick look at the configs and there is a default route on the router pointing to the ASA inside interface. So I'm not sure how traffic for Internet addresses is getting routed across the MPLS cloud.

Can you provide a traceroute from one of the Mexico clients to an Internet address and then we can see if it does indeed go to the ASA?

Also, it really would help if the person who made the changes could tell you what they did or at least what they were working on. I appreciate they are getting a bit defensive, but then again if they have broken the network they should be answering the questions. If they work for your company then talk to them again, and if they are still defensive you may need to talk to either your boss or their boss. If they are external you are paying them to do the work and the last thing they should be doing is breaking your network. You really do need to know what they did.


I am attaching three traces. The address that you see as the second hop on two of them is the address for the TelMex DSL router connected to the ASA. So it looks like the router is sending the Internet traffic to the ASA. Do you think this is a DNS problem? This line in the router config, "dns-server", is the DNS server in the US. Can I put a second DNS server in there? A public one? That still does not explain the problem with the failover.

Okay. Firstly the DNS. Does your DNS server in the US resolve Internet addresses? If so then you shouldn't need to add another to your Mexico router.

If it doesn't, though, you can add another DNS server and it can be a public DNS server, but it does depend how you have DNS set up.

However, from the traces, at least for 2 of the traces they are going the correct way. You initially said Internet traffic was going via MPLS, but I don't think it is. Also, if the MPLS link fails then the BGP routes should disappear and then all traffic should go via the ASA.

Do you at least know whether the person who made the changes was working on the ASA or the router?


He was working on the ASA. When the MPLS circuit went down Mexico could not find the Internet. They could not get to the DNS server because the circuit was down. Wouldn't that be a DNS problem?

Yes, it would be an issue. The clients would need to be able to get to the DNS server at the US site still. But my understanding is that if the MPLS circuit goes down all traffic should go via the ASA. Sounds like he may have modified the VPN tunnel settings on the ASA so that it does not include the US subnets, or at least the subnet in the US that has the DNS server on it.

I'll have another look at the ASA config to see if there is anything obvious going wrong.
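The failure mode Jon describes above (BGP routes withdrawn when the MPLS circuit drops, the default route then hands US-bound traffic to the ASA, and the ASA only encrypts what its crypto ACL lists) can be checked without touching the live devices. The following is an added example, not code or configuration from the original thread: it models a longest-prefix-match routing table and an ASA "interesting traffic" decision, then shows the Mexico client losing DNS when the crypto ACL no longer covers the subnet the DNS server sits in. All addresses (10.20.0.0/24 for Mexico, 10.10.0.0/16 for the US, 10.10.5.10 as the DNS server, 172.16.0.1 as the MPLS provider edge, 10.20.0.5 as the ASA inside interface) are constructed placeholders, not the poster's real configuration. The last function is the check a practitioner would actually run against the real configs: every prefix learned over MPLS must also be covered by the crypto ACL, or the failover tunnel cannot carry it.

```python
"""Model the Mexico-site failover path: router LPM table + ASA crypto ACL.

Constructed example; addresses are placeholders and are not from the thread.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence, Tuple

Net = ipaddress.IPv4Network

# RFC 1918 space: a private destination that is NATed to the Internet goes nowhere.
RFC1918 = [Net("10.0.0.0/8"), Net("172.16.0.0/12"), Net("192.168.0.0/16")]

ASA_INSIDE = "10.20.0.5"   # assumed ASA inside interface (gateway of last resort)
MPLS_PE = "172.16.0.1"     # assumed MPLS provider-edge next hop
CLIENT = "10.20.0.50"      # assumed Mexico client
DNS_SERVER = "10.10.5.10"  # assumed US DNS server
INTERNET_HOST = "198.51.100.1"


@dataclass(frozen=True)
class Route:
    prefix: Net
    next_hop: str
    source: str  # "bgp" = learned over the MPLS circuit, "static" = configured


class Router:
    """Longest-prefix-match table. BGP routes vanish when the MPLS circuit fails."""

    def __init__(self, routes: Sequence[Route]):
        self.routes = list(routes)

    def withdraw(self, source: str) -> None:
        self.routes = [r for r in self.routes if r.source != source]

    def lookup(self, dst: str) -> Optional[Route]:
        ip = ipaddress.IPv4Address(dst)
        matches = [r for r in self.routes if ip in r.prefix]
        return max(matches, key=lambda r: r.prefix.prefixlen, default=None)


class Asa:
    """Site-to-site VPN decision: traffic matching the crypto ACL is encrypted
    to headquarters; everything else is NATed out the TelMex Internet link."""

    def __init__(self, crypto_acl: Sequence[Tuple[str, str]]):
        self.crypto_acl = [(Net(s), Net(d)) for s, d in crypto_acl]

    def forward(self, src: str, dst: str) -> str:
        s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
        if any(s in sn and d in dn for sn, dn in self.crypto_acl):
            return "vpn-to-hq"
        if any(d in n for n in RFC1918):
            return "dropped"  # private address sent to the Internet: black-holed
        return "nat-to-internet"


def build_router() -> Router:
    # US summary learned via BGP over MPLS; static default to the ASA inside.
    return Router([
        Route(Net("10.10.0.0/16"), MPLS_PE, "bgp"),
        Route(Net("0.0.0.0/0"), ASA_INSIDE, "static"),
    ])


def path(router: Router, asa: Asa, src: str, dst: str) -> str:
    route = router.lookup(dst)
    if route is None:
        return "no-route"
    if route.next_hop == ASA_INSIDE:
        return "asa:" + asa.forward(src, dst)
    return "mpls"


def simulate(crypto_acl: Sequence[Tuple[str, str]], mpls_up: bool) -> Dict[str, str]:
    """Where DNS and Internet traffic from the Mexico client ends up."""
    router = build_router()
    if not mpls_up:
        router.withdraw("bgp")  # MPLS down: BGP-learned US routes disappear
    asa = Asa(crypto_acl)
    return {
        "dns": path(router, asa, CLIENT, DNS_SERVER),
        "internet": path(router, asa, CLIENT, INTERNET_HOST),
    }


def uncovered_prefixes(crypto_acl: Sequence[Tuple[str, str]]) -> List[str]:
    """Prefixes learned over MPLS that the crypto ACL would not carry on failover."""
    acl_dests = [Net(d) for _, d in crypto_acl]
    return [str(r.prefix) for r in build_router().routes
            if r.source == "bgp" and not any(r.prefix.subnet_of(d) for d in acl_dests)]


# Suspected post-change ACL: only one US subnet, not the one holding the DNS server.
NARROW_ACL = [("10.20.0.0/24", "10.10.1.0/24")]
# ACL covering every subnet that is normally reached over MPLS.
FULL_ACL = [("10.20.0.0/24", "10.10.0.0/16")]

if __name__ == "__main__":
    for label, acl in (("narrow", NARROW_ACL), ("full", FULL_ACL)):
        for up in (True, False):
            print(label, "mpls_up=%s" % up, simulate(acl, up))
        print(label, "uncovered:", uncovered_prefixes(acl))
```

With the MPLS up, both ACLs behave identically (DNS via MPLS, Internet via the ASA's NAT), which is why the change went unnoticed for as long as the circuit stayed up. Only when BGP withdraws the US routes does the narrow ACL matter: the DNS server's subnet is neither in the tunnel nor routable on the Internet, so name resolution dies and "the Internet" appears to go with it.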

