EEM w/ IP SLA tracking; Question on icmp target route when primary path down

Dean Romanelli
Level 4

Hi All,

I have a layer 3 switch connected to two ASA 5505's: One 5505 goes to primary ISP and the other 5505 to backup ISP.  I am using EEM w/ IP SLA tracking in the core switch to control which path is active.  Primary ASA is 192.168.201.1, backup ASA is 192.168.201.2.  Default route points to one of them depending on SLA status. My SLA responder is 1.1.1.1 and I have a /32 static route telling the core switch "to get to 1.1.1.1, your next hop is 192.168.201.1."

ip sla 1
 icmp-echo 1.1.1.1
 threshold 1000
 timeout 1000
 frequency 5
!
track 100 ip sla 1 reachability
!
ip route 1.1.1.1 255.255.255.255 192.168.201.1
ip route 0.0.0.0 0.0.0.0 192.168.201.1
!
event manager applet PRIMARY-CIRCUIT-FAILING-OVER-TO-BACKUP
 event syslog pattern "100 ip sla 1 reachability Up->Down"
 action 1.0 syslog msg "PRIMARY-CIRCUIT-FAILING-OVER-TO-BACKUP"
 action 1.1 cli command "enable"
 action 1.2 cli command "configure term"
 action 1.3 cli command "no ip route 0.0.0.0 0.0.0.0 192.168.201.1"
 action 1.4 cli command "ip route 0.0.0.0 0.0.0.0 192.168.201.2"
 action 1.5 cli command "end"

My question: When the primary path is down (201.1), and EEM executes the script to send all traffic to 201.2, the SLA is going to continue checking the status of 1.1.1.1 as expected. I have a /32 specific static route telling the core switch that to get to 1.1.1.1 the next hop is 192.168.201.1, so that SLA check should take that route every time, but there is now also an operational default route with the same AD pointing all traffic to 192.168.201.2, since the route via 192.168.201.1 is down. I know that the more specific static route is supposed to trump the less specific default route, but I need to ensure that the SLA will never try to ping 1.1.1.1 over 192.168.201.2 while the primary route is down.

I've seen some wonky things happen over the years, like floating static routes getting stuck, so it concerns me that this may not work the right way every time if both have identical ADs, regardless of the more specific route rule. Would it be a good idea to just assign a weight of 5 to the backup default route (201.2)? That way the static route for the SLA checks will be more specific AND it will have a better AD (Juniper assigns default routes an AD of 5 by default to mitigate this). Thanks all.

1 Accepted Solution

Accepted Solutions

Francesco Molino
VIP Alumni

Hi

First of all, to answer your question: as you've specified the static route for 1.1.1.1, the router will always try to reach that IP via 192.168.201.1 and will never try 192.168.201.2.

The second thing I would like to add is that in that case, you don't need to use EEM for that. The config without EEM looks like:

ip sla 1
 icmp-echo 1.1.1.1
 threshold 1000
 timeout 1000
 frequency 5
!
ip sla schedule 1 life forever start-time now
!
track 100 ip sla 1 reachability
!
ip route 1.1.1.1 255.255.255.255 192.168.201.1
ip route 0.0.0.0 0.0.0.0 192.168.201.1 1 track 100
ip route 0.0.0.0 0.0.0.0 192.168.201.2 10

Hope this answered your question.

Thanks

PS: Please don't forget to rate and mark as correct answer if this answered your question


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
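
The route-selection rule behind this answer, as an added example that is not part of the original thread: a small Python model in which administrative distance (AD) only chooses between candidates for the same prefix, and forwarding then uses the longest matching prefix. The function names, scenario labels and the 203.0.113.10 sample destination are constructed for illustration.

```python
import ipaddress

# Constructed model of the thread's routing table; names are illustrative.
PROBE = ("1.1.1.1/32", "192.168.201.1", 1)   # /32 pinning the SLA probe
USER_DEST = "203.0.113.10"                    # constructed sample destination

def build_rib(candidates):
    """Per prefix, install only the candidate with the lowest AD.
    (Equal-AD candidates for one prefix would load-share on a real
    router; the scenarios below never create that tie.)"""
    rib = {}
    for prefix, next_hop, ad in candidates:
        net = ipaddress.ip_network(prefix)
        if net not in rib or ad < rib[net][1]:
            rib[net] = (next_hop, ad)
    return rib

def lookup(rib, dest):
    """Forwarding: longest matching prefix wins; AD is not consulted."""
    addr = ipaddress.ip_address(dest)
    matches = [net for net in rib if addr in net]
    if not matches:
        return None
    return rib[max(matches, key=lambda n: n.prefixlen)][0]

def next_hops(defaults, probe=PROBE):
    """Return (next hop for the SLA probe, next hop for user traffic)."""
    rib = build_rib([probe] + list(defaults))
    return lookup(rib, "1.1.1.1"), lookup(rib, USER_DEST)

SCENARIOS = {
    "eem_normal":      [("0.0.0.0/0", "192.168.201.1", 1)],
    "eem_failed_over": [("0.0.0.0/0", "192.168.201.2", 1)],
    "eem_backup_ad5":  [("0.0.0.0/0", "192.168.201.2", 5)],
    "track_up":        [("0.0.0.0/0", "192.168.201.1", 1),
                        ("0.0.0.0/0", "192.168.201.2", 10)],
    # track 100 down: the tracked default is withdrawn, AD 10 installs
    "track_down":      [("0.0.0.0/0", "192.168.201.2", 10)],
}

if __name__ == "__main__":
    for name, defaults in SCENARIOS.items():
        print(name, next_hops(defaults))
    # Even a /32 with a worse AD than the default still wins the lookup.
    print(next_hops(SCENARIOS["eem_failed_over"],
                    probe=("1.1.1.1/32", "192.168.201.1", 200)))
```

In every scenario the probe's next hop stays 192.168.201.1 while user traffic follows whichever default route is installed.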


Excellent, thanks very much. Wouldn't hurt for me to assign the default route an AD of 5 though for added peace of mind, right?

As far as route tracking in place of EEM goes: the config I posted above is a very consolidated version of what I need to do, for brevity's sake in the question. In reality, I have 31 static routes I need to point at either ISP A or ISP B in addition to the default route (the switch doesn't act right). I think tracking 31 different routes is a bit messy, and the switch I have is a 4x switch stack of 3750s all with different license levels (inherited, not my design). Unfortunately the stack is old and has been up for 3+ years, so I am leery of doing anything intrusive that will force me to power cycle the stack. I see EEM as less intrusive than route tracking because I've had issues with losing visibility to sites in the past when configuring route tracking unless I put the tracked route in and remove the old route at exactly the right time in the right sequence. With EEM there is no chance of a visibility loss since the routing is not manipulated unless the SLA drops. But yes, if this were as cut and dry as my example I agree with you, route tracking for sure.

Ok gotcha. 

Yes you can use 5 :-)


Thanks
Francesco