Routing for ASA - Make directly connected interface go down

cHrome08
Level 1

Hey Gurus,

 

I need some help on how I can perform this.
I am having trouble figuring out how to apply IP SLA tracking to bring a directly connected interface down.

My diagram will be like this

 

10.20.200.1/26                                                   10.20.200.3/26

ASA FW <--A--> SW <--B--> SW <--C--> 3rd Party Contractor Internal FW (Connection via direct connected interface)
    |                                                                             |
My network External Firewall <----> Internet <--> 3rd Party Contractor External Firewall (Connection via IPSEC Tunnel)

 

There is a direct cross-connect with a 3rd-party contractor, with our end of the IP being 10.20.200.1/26 and the contractor end being 10.20.200.3/26.
In case the direct connect goes down (maybe a break at point B), the traffic will then be transferred to the IPSEC tunnel.
On the ASA, I do this by putting a static 10.20.200.0/24 route toward the external firewall.
However, as the /26 route is a directly connected interface, I need to configure an IP SLA monitoring a specific IP (let's say pinging 10.20.200.3 with the source IP of 10.20.200.1).
If there is a break at point B, the ping will fail, but the million dollar question is: is there a way to make a directly connected interface go down if an IP SLA monitor fails???

Thank you.

11 Replies

cHrome08
Level 1

Forgot to mention that this will be done in a context mode, thank you

Deepak Kumar
VIP Alumni

Hi,

Configuring IP SLA and Track with an EEM script will resolve your issue, as follows:

 

ip sla 2
 icmp-echo 10.20.200.3 source-ip 10.20.200.1
 threshold 300
 timeout 600
 frequency 2
ip sla schedule 2 life forever start-time now
!
track 2 ip sla 2 reachability
!
!
event manager applet Interface-Down
 event syslog pattern "%TRACK-6-STATE: 2 ip sla 2 reachability Up -> Down"
 action 1.0 cli command "enable"
 action 1.5 cli command "configure terminal"
 action 1.6 cli command "interface Gix/x"
 action 2.0 cli command "shut"

 

Make sure your buffered logging is getting the proper logs from the IP SLA and Track.

 

Regards,
Deepak Kumar,
Don't forget to vote and accept the solution if this comment will help you!

Hi Deepak,


I will give this a shot and let you know how it goes.
I did read in the forum that in context mode some of the commands that you listed are not working.
But I will give it a try.
Thanks.

 

How do you make sure that these commands are undone once the track comes back up?
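
The applet in the reply above only handles the Up -> Down transition; a companion applet for the reverse transition is shown here as an added example (not part of the thread's own configuration). The interface name Gix/x and track/SLA numbers are taken from that reply as placeholders, and the caveat at the end is the point a practitioner should check before relying on automatic recovery.

```text
! Added example: revert the shutdown when track 2 recovers.
event manager applet Interface-Up
 event syslog pattern "%TRACK-6-STATE: 2 ip sla 2 reachability Down -> Up"
 action 1.0 cli command "enable"
 action 1.5 cli command "configure terminal"
 action 1.6 cli command "interface Gix/x"
 action 2.0 cli command "no shutdown"
 action 2.5 syslog msg "Track 2 recovered, Gix/x re-enabled"
!
! Caveat: the probe in ip sla 2 is sourced from 10.20.200.1, the address
! of the very interface that Interface-Down shuts. Once that interface is
! down the echo can never succeed, so track 2 never returns to Up and this
! applet never fires. With that design the interface has to be re-enabled
! by hand once the cross-connect is repaired, and a log/alert on the
! Interface-Down action is the minimum needed to notice that state.
```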

Hello
You could use conditional default static routes towards the FW, which can be accomplished, as you mention, by incorporating IP SLA tracking. This way you shouldn't have to physically bring any interface down if you don't want to; just losing IP connectivity or reachability would be applicable.

ip sla 1
icmp-echo 10.20.200.3 source-ip 10.20.200.1
ip sla schedule 1 life forever start-time now
track 10 ip sla 1 reachability

ip route 0.0.0.0 0.0.0.0 <primary FW next-hop> track 10
ip route 0.0.0.0 0.0.0.0 <backup next-hop> 200

Note: The above is just an example of conditional static routing; it all depends on how you are performing the routing at present. Can you elaborate on this part?


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Hi Paul,

 

Don't think the static routes will work, because a directly connected route will always win (AD of 0).
The interface on the ASA is of 10.20.200.1/26.
Traffic towards the 3rd party contractor (within 10.20.200.0/26 ip ranges) will always be going via that interface if the interface is up.
As the connection is not a direct connection (i.e. direct from the ASA firewall to the 3rd party contractor firewall), and it goes through a few switches in the path, there is no way to tell if the link is down if a connection between these switches is severed.
Hence the reason that IPSLA is needed, but also the interface 10.20.200.1/26 will need to go down to then force the traffic to go via the static route 10.20.200.0/24 going out to my external firewall.
Thank you for your response.
Hope this explains.

If I fully understand your request, then

you need PBR with next-hop reachability.

This makes PBR check the next hop; if it has failed, then use another path.

Hi MHM Cisco World,

 

PBR will be a valid solution if there was a next hop in the equation.
However, traffic between us and the 3rd Party contractor will reside in the 10.20.200.0/26 ip address range.
His FW (10.20.200.3 IP) will assume the IP address of other IPs within the range (e.g. 10.20.200.6, 10.20.200.15 etc) and hence currently there is no static route involved.
I may be wrong, but in this case, I do not think PBR will work either, because there is no "next-hop".
Thanks for the response.

Hello
FYI you must have a default route for external traffic so where does this reside?

A picture tells a thousand words - post a topology diagram; it will be much easier to understand your actual physical connections between your routed WAN interface in relation to your ISP rtr and what you want to achieve.


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

As my friend suggests, please draw the topology; it is easier to understand.

cHrome08
Level 1

Hi Paul/MHM,

 

This has nothing to do with the default route.
The route that I am concerned with is 10.20.200.0/26.

Attached is the topology. If there is a break in connectivity between the switches (represented by the red arrow), the interface that is connecting to the ASA will still be up.
How do I make the interface (represented in blue) go down to force the traffic towards 10.20.200.3 to go via the VPN tunnel?
Thank you.
