Re: secondary default route

ohareka70 · ‎10-29-2020

Hello,

I have a site to site VPN from my cisco asa’s to another customer - it works fine and both tunnels can ping the remote IP address

I have routing to the customer subnets from my internal Layer 3 switch

sw1-Layer3#ip route 10.108.x.x 255.255.255.128 172.66.1.200 (firewall interface)

I have a second firewall plugged in for redundancy sourced from a second layer 3 switch

sw2-Layer3#ip route 10.108.x.x 255.255.255.128 172.77.1.300 (firewall interface)

Is it possible to route the traffic via the second firewall 172.77.1.300 if the first firewall is 172.66.1.200 offline. I still have access to the second firewall via a different switch.

i.e can i have a secondary preferred route or would i have to think about a route map

Regards,

Kevin

Georg Pauwen · ‎10-29-2020

Hello,

how are both layer 3 switches connected ? Your options include IP SLA, HSRP, VRRP, or some sort of EEM script to trigger the failover. Post a schematic drawing of your topology that shows how everything is connected.

ohareka70 · ‎10-30-2020

Both Layer 3 switches are connected and i have routing between the two links (no issues at all). They in separate datacentres. What is have is two seperate site to site VPNs routing to the same subnet and it works. I have a server on sw1-Layer3 and when the sw1-Layer3 vpn is off that server can no longer ping the external IPs. So i was thinking could i get it to ping the external IP via 172.77.1.300 as a backup route.

ip route 10.108.x.x 255.255.255.128 172.66.1.200

ip route 10.108.x.x 255.255.255.128 172.77.1.300 secondary

is this possible

MHM Cisco World · ‎10-29-2020

Failover asa with two context solve your issue.

No need any hsrp,

The context in fw1 will active for this subnet the context in fw2 will active for other subnet.