Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
336
Views
0
Helpful
2
Replies

Tying a Route to Multiple Tracked Addresses. Possible?

Go to solution
benweber
Level 1
Level 1

‎12-22-2016 06:32 AM - edited ‎03-05-2019 07:43 AM

I’m wondering if anyone knows of a way to do this: I have a customer’s ASA firewall that has two ISP connections; a primary and a backup. I have the default gateway tied to an SLA track that monitors the 8.8.8.8 address, keeping the gateway pointed to the primary ISP if that address responds and failing to the backup if it fails. (Pretty standard tracked object route failover.)

The problem I had yesterday is that something happened on the local ISP’s backbone that black holed that specific 8.8.8.8 address. I got around it temporarily by shifting to the 8.8.4.4 address, which was responding.

So failover worked as it should have, but the result was that for a few hours they were running on their slower backup link, despite the fact that the primary was actually working. Not great for a retailer on December 21st.

Does anyone know of a way to do this where the firewall would track say 2 or 3 different addresses and only lose the route if all of them failed? Something like a track pool where you put all tracked objects in the pool and they all have to fail before the pool fails?

Thanks,

Ben

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Amit Goyal
Level 1
Level 1

‎12-23-2016 06:19 AM

Hi Ben,

I know this mechanism is available on Cisco routers. See link below.

http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750x_3560x/software/release/12-2_55_se/configuration/guide/3750xscg/sweot.html

But I think same doesn't work in case of ASA. Probably you may try using EEM script by which you can track one object (let say x) and if that fails, bring in another object (say y) via EEM script based on the trigger generated by failure of x.

I found below thread talking about same requirement with different approach.

https://supportforums.cisco.com/discussion/10811751/asa-sla-tracking-w-multiple-icmp-checks

please rate if my answer helped.

HTH

-Amit

View solution in original post

0 Helpful
2 Replies 2

Go to solution
Amit Goyal
Level 1
Level 1

‎12-23-2016 06:19 AM

Hi Ben,

I know this mechanism is available on Cisco routers. See link below.

http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750x_3560x/software/release/12-2_55_se/configuration/guide/3750xscg/sweot.html

But I think same doesn't work in case of ASA. Probably you may try using EEM script by which you can track one object (let say x) and if that fails, bring in another object (say y) via EEM script based on the trigger generated by failure of x.

I found below thread talking about same requirement with different approach.

https://supportforums.cisco.com/discussion/10811751/asa-sla-tracking-w-multiple-icmp-checks

please rate if my answer helped.

HTH

-Amit

0 Helpful

Go to solution
benweber
Level 1
Level 1

‎12-23-2016 10:09 AM

Thanks Amit,

Those are both interesting.  One of the sites where I want to do this has a Cisco core switch.  So I may set up the track there with the Boolean or statement and then tie a pair of EEM scripts to that, scripts that will enable/disable a loopback interface if that track changes state.  Then I can have the ASA track the IP of that loopback interface accomplishing the same thing.

And the idea of splitting the default route in two listed in the other thread is interesting too.  Seems a bit clugy but should work fine.

Ben

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card