Routing for ASA - Make directly connected interface go down


Hey Gurus,


I need some help on how I can perform this.
I have a problem figuring out how to apply IP SLA tracking to bring a directly connected interface down.

My diagram will be like this

ASA FW <--A--> SW <--B--> SW <--C--> 3rd Party Contractor Internal FW (Connection via direct connected interface)
    |                                                                             |
My network External Firewall <----> Internet <--> 3rd Party Contractor External Firewall (Connection via IPSEC Tunnel)


There is a direct cross-connect with a 3rd-party contractor, with our end IP being and the contractor end being
In case the direct connect goes down (maybe a break at point B), the traffic will then be transferred to the IPSEC tunnel.
On the ASA, I do this by putting a static route toward the external firewall.
However, as the /26 route is a directly connected interface, I need to configure an IP SLA monitoring a specific IP (let's say pinging with the source IP of
If there is a break at point B, the ping will fail, but the million dollar question is: is there a way to make a directly connected interface go down if IP SLA monitoring fails?

Thank you.

10 Replies


Forgot to mention that this will be done in a context mode, thank you

Deepak Kumar


Configure IP SLA and Track with EEM script will resolve your issue as:


ip sla 2
 icmp-echo source-ip
 threshold 300
 timeout 600
 frequency 2
ip sla schedule 2 life forever start-time now
!
track 2 ip sla 2 reachability
!
event manager applet Interface-Down
 event syslog pattern "%TRACK-6-STATE: 2 ip sla 2 reachability Up -> Down"
 action 1.0 cli command "enable"
 action 1.5 cli command "configure terminal"
 action 1.6 cli command "interface Gix/x"
 action 2.0 cli command "shut"


Make sure your Buffered logging is getting proper logs from the IP SLA and Track. 


Deepak Kumar,
Don't forget to vote and accept the solution if this comment will help you!
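As an added example (not from Deepak's post or any Cisco tool), a small Python parser that reads the same `%TRACK-6-STATE` syslog message the applet above keys on and summarizes track transitions per track object. This is the check you would run against buffered logging to confirm the trigger actually fired and to spot a flapping link, since the applet only ever shuts the interface and nothing in it brings the interface back up. The log lines are constructed samples in IOS format.

```python
import re

# Regex for the IOS track-state syslog message that the EEM applet above matches.
# The timestamp prefix is ignored because buffered logs may or may not carry one.
TRACK_RE = re.compile(
    r"%TRACK-6-STATE: (?P<track>\d+) (?P<obj>.+?) (?P<old>Up|Down) -> (?P<new>Up|Down)"
)

def parse_track_events(lines):
    """Return (track_id, tracked_object, old_state, new_state) tuples in log order."""
    events = []
    for line in lines:
        m = TRACK_RE.search(line)
        if m:
            events.append((int(m["track"]), m["obj"], m["old"], m["new"]))
    return events

def summarize_tracks(lines, flap_threshold=2):
    """Per track id: tracked object, last state, Up->Down count, and a flapping flag.

    A track that went down flap_threshold times or more in the log window is
    flagged, because every Up->Down fires the applet and shuts the interface
    again while the applet has no action to bring it back up."""
    summary = {}
    for track, obj, old, new in parse_track_events(lines):
        s = summary.setdefault(track, {"object": obj, "state": None,
                                       "failures": 0, "transitions": 0})
        s["state"] = new
        s["transitions"] += 1
        if old == "Up" and new == "Down":
            s["failures"] += 1
    for s in summary.values():
        s["flapping"] = s["failures"] >= flap_threshold
    return summary

# Constructed sample buffered-log lines (not real device output).
SAMPLE_LOG = [
    "*Mar  1 00:05:12.101: %SYS-5-CONFIG_I: Configured from console by admin",
    "*Mar  1 00:07:40.223: %TRACK-6-STATE: 2 ip sla 2 reachability Up -> Down",
    "*Mar  1 00:09:02.554: %TRACK-6-STATE: 2 ip sla 2 reachability Down -> Up",
    "*Mar  1 00:09:30.778: %TRACK-6-STATE: 2 ip sla 2 reachability Up -> Down",
]

if __name__ == "__main__":
    for track, s in summarize_tracks(SAMPLE_LOG).items():
        print(f"track {track} ({s['object']}): state={s['state']} "
              f"failures={s['failures']} flapping={s['flapping']}")
```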

Hi Deepak,

I will give this a shot and let you know how it goes.
I did have a read in the forum that says that in context mode, some of the commands that you listed are not working.
But I will give it a try.


paul driver
VIP Expert

You could use conditional default static routes towards the FW, which can be accomplished, as you mention, by incorporating IP SLA tracking. This way you shouldn't have to physically bring any interface down if you desire; just losing IP connectivity or reachability would be applicable.

ip sla 1
 icmp-echo source-ip
ip sla schedule 1 life forever start-time now
track 10 ip sla 1 reachability
!
ip route <primary FW next-hop> track 10
ip route <backup next-hop> 200

Note: the above is just an example of conditional static routing; it all depends on how you are performing the routing at present. Can you elaborate on this part?

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards

Hi Paul,


Don't think the static routes will work, because a directly connected route will always win (AD of 0).
The interface on the ASA is of
Traffic towards the 3rd party contractor (within the IP ranges) will always go via that interface if the interface is up.
As the connection is not a direct connection (i.e. direct from the ASA firewall to the 3rd party contractor firewall), and it goes through a few switches in the path, there is no way to tell that the link is down if a connection between these switches is severed.
Hence the reason that IP SLA is needed, but the interface will also need to go down to then force the traffic to go via the static route out to my external firewall.
Thank you for your response.
Hope this explains.
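To make the AD argument above concrete, here is an added example (not from the thread or from any Cisco product) that models route selection in Python as longest prefix match followed by lowest administrative distance. The addresses are constructed RFC 5737 documentation values standing in for the redacted /26 and firewall IPs; the model shows that a break further along the path leaves the connected route in place, and that the floating static toward the external firewall only takes over once the ASA interface itself is shut.

```python
import ipaddress

# Constructed addresses (RFC 5737 documentation ranges), not the thread's real IPs.
CONTRACTOR_NET = "198.51.100.0/26"   # the directly connected cross-connect /26
CONTRACTOR_FW = "198.51.100.62"      # contractor firewall inside that /26
EXTERNAL_FW = "192.0.2.1"            # next hop toward the IPsec tunnel path

class Route:
    def __init__(self, prefix, via, ad, interface=None):
        self.prefix = ipaddress.ip_network(prefix)
        self.via = via              # next hop, or "connected"
        self.ad = ad                # administrative distance (connected = 0)
        self.interface = interface  # egress interface the route depends on, if any

class Rib:
    """Minimal RIB: longest prefix match first, then lowest administrative distance."""
    def __init__(self):
        self.routes, self.interfaces = [], {}

    def add(self, route):
        self.routes.append(route)
        if route.interface:
            self.interfaces.setdefault(route.interface, True)

    def set_interface(self, name, up):
        self.interfaces[name] = up

    def lookup(self, dst):
        dst = ipaddress.ip_address(dst)
        # A route is a candidate only while its egress interface is up; shutting
        # the interface removes the connected route entirely. Routes with no
        # interface dependency (interface=None) are always candidates.
        cands = [r for r in self.routes
                 if dst in r.prefix and self.interfaces.get(r.interface, True)]
        if not cands:
            return None
        return max(cands, key=lambda r: (r.prefix.prefixlen, -r.ad)).via

def build_rib():
    rib = Rib()
    rib.add(Route(CONTRACTOR_NET, "connected", 0, interface="cross-connect"))
    # Floating static for the same /26 toward the external firewall (IPsec path).
    rib.add(Route(CONTRACTOR_NET, EXTERNAL_FW, 200))
    return rib

def failover_demo():
    rib = build_rib()
    healthy = rib.lookup(CONTRACTOR_FW)      # link healthy: AD 0 beats AD 200
    after_break = rib.lookup(CONTRACTOR_FW)  # break at point B: ASA port still up,
                                             # so the connected route still wins
    rib.set_interface("cross-connect", False)
    after_shut = rib.lookup(CONTRACTOR_FW)   # only a shut interface frees the static
    return healthy, after_break, after_shut
```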

MHM Cisco World
VIP Mentor

If I fully understand your request, then

you need PBR with next-hop reachability.

This makes PBR check the next hop; if it fails, then another path is used.

Hi MHM Cisco World,


PBR would be a valid solution if there were a next hop in the equation.
However, traffic between us and the 3rd party contractor will reside in the IP address range.
His FW ( IP) will assume the IP addresses of other IPs within the range (e.g., etc.), and hence currently there is no static route involved.
I may be wrong, but in this case I do not think PBR will work either, because there is no "next-hop".
Thanks for the response.

FYI, you must have a default route for external traffic, so where does this reside?

A picture tells a thousand words: post a topology diagram and it will be much easier to understand your actual physical connections between your routed WAN interface in relation to your ISP router, and what you want to achieve.

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards

As my friend suggests, please draw the topology; it is easier to understand.


Hi Paul/MHM,


This has nothing to do with the default route.
The route that I am concerned with is

Attached is the topology. If there is a break in connectivity between the switches (represented by the red arrow), the interface that is connecting to the ASA will still be up.
How do I make the interface (represented in blue) go down to force the traffic towards to go via the VPN tunnel?
Thank you.
