
PBR on Cisco ASA

Pounii
Level 1

Hi everyone,

I'm a newbie here, so I'm probably missing something.

I got an old ASA 5515-X from work to use for personal purposes at home and (why not?) to start learning something new. I have 2 ISPs, one wired (7 Mb down, 0.3 Mb up) and the other a 4G connection. My target here is to use the 4G connection as the default one and use the wired one just for game connections. The best way to handle this is to use PBR and an ACL to change the route only when the connection is in some port ranges. I was able to do that; the strange fact is that when I simulate losing the game connection (both cases: router unreachable, and router up but line down), the ASA doesn't swap the traffic flow to the default route, or rather, it does so only if I close the game and start it again; otherwise all the traffic is dropped. I don't think this is normal (in a work environment it would be unacceptable for sure). In order to track the reachability of the route map I used the commands below:



sla monitor 1
type echo protocol ipIcmpEcho 192.168.1.1 interface outside2   <--- the game connection
sla monitor schedule 1 life forever start-time now

I checked it and it is working fine; then I linked it to a track used in the route-map:


track 100 rtr 1 reachability

route-map Games permit 10
match ip address Games
set ip next-hop verify-availability 192.168.1.1 1 track 100

 

When I simulate the connection drop, I can see with

 show route-map

that it recognises the route is down. I also set up the default route:

route outside1 0.0.0.0 0.0.0.0 192.168.8.1 1
 

Attached the config file.

23 Replies

Sure! I used this:

type echo protocol ipIcmpEcho 192.168.1.1 interface outside2

Do you want to check my config file?

Sure, share the config and I will check it.

OK, in this config I just track the router and the track is working (so obviously no route is needed for it), but the main issue here is that the UDP traffic doesn't swap when the router comes back up.

Did you notice something different from your config?

Pounii
Level 1

Testing and testing again, I noticed a HUGE strange thing: the exact same command to create an SLA monitor sent through SSH (using PuTTY) and through ASDM behaves differently. If I use SSH the SLA monitor doesn't work. Not in all cases, but just in some... To test it, I enabled the "preview command" in ASDM, copied the command and used it in SSH. I just noticed that in SSH the command is too long to stay fully visible, but the console accepts it, so I assume it is good and not cut off... In fact I can show the SLA set up in operational state, but not working!!! (destination unreachable). This is not the cause of my issue but still important to note.

I will test it after I get an idea of what happened, and I will surely update you.


I had time to do a lab today and the result is as we want:
the traffic shifts from R1 to R2 and returns to R1.

route OUT2 0.0.0.0 0.0.0.0 <ISP2>
route OUT1 8.8.8.8 255.255.255.255 <ISP1>
!
sla monitor 100
 type echo protocol ipIcmpEcho 8.8.8.8 interface OUT1
!
track 100 rtr 100 reachability
!
route-map MHM permit 10
 match ip address 100
 set ip next-hop verify-availability <ISP1> 1 track 100
!
interface LAN
 policy-route route-map MHM

That is my config and it works.
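The two-ISP setup discussed in this thread, assembled into one ASA configuration as an added example (it is not a config posted by any participant). The interface names outside1/outside2/inside, the next hops 192.168.8.1 and 192.168.1.1, the ACL and route-map name Games, the SLA and track numbers and the default route are taken from the thread; the inside subnet 192.168.10.0/24, the physical interface GigabitEthernet0/2, the SLA timers and the UDP port range 5000-5500 are placeholders that must be replaced with the real values.

```cisco
! Added example, not from the thread: two-ISP PBR with SLA tracking on an ASA.
! 4G (outside1) is the default path; game traffic is steered to the wired ISP
! (outside2) only while its router answers ICMP.

! Default route: everything not steered by PBR leaves via the 4G link
route outside1 0.0.0.0 0.0.0.0 192.168.8.1 1

! Probe the wired ISP router from outside2. frequency/timeout are placeholder
! values chosen so the track flips within a few seconds (defaults are 60 s / 5000 ms)
sla monitor 1
 type echo protocol ipIcmpEcho 192.168.1.1 interface outside2
 frequency 5
 timeout 1000
sla monitor schedule 1 life forever start-time now

! Track object that follows the SLA probe result
track 100 rtr 1 reachability

! Traffic to steer: game UDP ports from the LAN (placeholder subnet and port range)
access-list Games extended permit udp 192.168.10.0 255.255.255.0 any range 5000 5500

! Use the wired router only while track 100 is up; when it is down, the set clause
! is ignored and the packet falls through to the routing table (default via outside1)
route-map Games permit 10
 match ip address Games
 set ip next-hop verify-availability 192.168.1.1 1 track 100

! Apply PBR on the inside interface (placeholder physical interface)
interface GigabitEthernet0/2
 nameif inside
 policy-route route-map Games
```

Checks: `show sla monitor operational-state 1` and `show track 100` should show the probe succeeding and the track Up, and `show route-map Games` shows the next hop flagged up or down. PBR on the ASA is applied when a connection is created and the chosen egress interface is kept in the conn entry, so flows that already exist when the track goes down stay on outside2 until they time out or are cleared; `show conn address <client IP>` lists them and `clear conn address <client IP>` makes the next packet re-evaluate the route-map. That is consistent with what the original post observed: restarting the game creates new connections, which then pick up the default route.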

Sorry for the late reply. So I have tested all the same as we said before and it was fine, just because it's working with another application (Discord), but not with the game client (the LoL client)... The only way I found to let it swap to the 4G connection is to remove the ADSL from the static route and leave it just in the route-map... In this way I cannot track 8.8.8.8 through it, but it swaps if I shut down the interface that is relative to the ISP (obviously not OK, just for testing). I'm very surprised that it works differently from one application to another (same rule, just one route-map!). It's like the application downloads a sort of copy of the routing table, or it just knows something more than Discord (wrongly) that it shouldn't know. Sorry about that, I never imagined that it could depend on the application.

mikefoe01
Level 1

It sounds like you're encountering an issue where your ASA 5515-x isn't swapping traffic flow to the default route when the game connection becomes unavailable. This could be due to a number of reasons, but it sounds like you've already taken some steps to track the reachability of the route map by using the `sla monitor` command and linking it to a track used in the route map.

One possible solution could be to adjust the SLA (Service Level Agreement) monitor frequency to ensure that the track updates more frequently when the game connection becomes unavailable. You may want to try reducing the `life` parameter from `forever` to a specific value, such as `10 seconds`, to see if that improves the situation.

Another option could be to check your access control lists (ACLs) to ensure that they're properly configured to route traffic through the desired ports. You may want to review your ACLs to see if they're blocking traffic or not properly forwarding it through the desired traffic paths.

It's also possible that there's an issue with the routing table configuration itself. You may want to review your routing table to ensure that it's properly configured with the correct paths and priorities.

Since network troubleshooting can be complex and time-consuming, the user may want to engage with a network specialist or search for additional online resources to help resolve this issue and improve their network connection for playing games with their favorite characters.

 
