Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1892
Views
0
Helpful
6
Replies

ASA default route with tracking

jlmickens
Level 1
Level 1

‎01-13-2011 08:34 AM - edited ‎02-21-2020 04:13 AM

I'm working with a VPN link as a backup  scenario in my lab. (See here for details.)  I've got just about everything working.  When the main link  drops, the traffic reroutes to the VPN over the ASA and everything  works great.  The one last issue I'm having now is that I can't access  the ASA directly from the HQ side. I need to be able to access these  devices once they are in the field.

I  believe this is due to the default route being the outside interface.   When the main link is up and working, the traffic would have to route to the  inside interface instead of the outside.  As such, I'm trying to set up a  default route with a monitor.  The IP address I'm monitoring would only  be accessible when the main link is up, via the inside interface  (10.99.0.101 in the diagram above).  When I try to add the monitored  default route, I get:

(config)# route inside 0 0 10.107.0.1 track 101
ERROR: Cannot add route entry, conflict with existing routes

According  to the documentation, this should be doable.  I should be able to have  up to three default routes.  The only other default route is out the  outside interface and is obtained via DHCP.  A show route reveals:

C    24.53.128.0 255.255.224.0 is directly connected, outside
S    10.107.0.0 255.255.0.0 [1/0] via 10.107.0.1, inside
C    10.107.0.0 255.255.255.0 is directly connected, inside
S    10.99.0.0 255.255.255.0 [1/0] via 10.107.0.1, inside
d*   0.0.0.0 0.0.0.0 [1/0] via 24.53.128.1, outside

How can I get this set up so that the default route is inside when 10.99.0.101 is available and outside when it is not?

(ASA 5505 v8.3(2))

0 Helpful
6 Replies 6

cheungwaitim
Level 1
Level 1

‎01-13-2011 07:27 PM

Hi,

Take a look attached link, you can try add route accordingly.

http://www.cisco.com/en/US/partner/products/hw/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtml

Tim

0 Helpful

jlmickens
Level 1
Level 1
In response to cheungwaitim

‎01-14-2011 05:26 AM

I don't have access to that link.

0 Helpful

Panos Kampanakis
Cisco Employee
Cisco Employee

‎01-14-2011 11:09 AM

That is interesting.

If you track an outside ip address it all works right?

Can you open a case for this, we might need to fix it.

PK

0 Helpful

jlmickens
Level 1
Level 1
In response to Panos Kampanakis

‎01-14-2011 01:11 PM

I haven't tried tracking an outside ip address.  I don't even set the default route in the config - it is set to obtain it from the DCHP server on the outside interface. I suppose I could try it on the outside interface as well.

The track commands themselves work fine as far as defining the ip to track, etc.  I can see the connections being made for the pings to the ip address.  It's just when I try to add the route that it fails.

I will probably not have time to mess with this until Monday.

0 Helpful

jlmickens
Level 1
Level 1
In response to jlmickens

‎01-18-2011 07:28 AM

In trying to add a tracked route to the outside, it worked.  By default, the metric is 128 when you add it like that.  That got me to thinking - I was trying to add it with a metric of 1, so I checked the DCHP settings, and it was also set to a metric of 1.  So, even though the documentation says you can have up to three default routes, apparently the key is that they can not have the same metric.  Once I changed the metric of the DHCP default route to 10, I was able to add the inside default route with tracking at a metric of 1.

0 Helpful

Panos Kampanakis
Cisco Employee
Cisco Employee
In response to jlmickens

‎01-18-2011 07:33 AM

Thank you for updating the community.

PK

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card