Failover Between ASA Interfaces

ksbolton1
Level 1

Hello all.

I have remote locations and redundant links from said locations back to my campus via my single ASA. That single ASA has 2 virtual interfaces, 192.168.50.1 and 172.16.50.1.

A remote location has a router which is dual homed with connections to on-premise equipment from two different ISPs. The router has IP addresses 192.168.50.100 (g0/0), and 172.16.50.100 (g0/1). My question is this, how best do I automate the failover between the two links on my router at remote location?

I have been looking at using Embedded Event Manager to look at the router's logs and then enabling/disabling the OSPF network command for the backup link, thereby effectively doing the following:

When the primary link (192.168.50.100) goes down, OSPF network 172.16.50.0... command is run to add the link to the OSPF database so it will be seen as router address for that location.

When the primary link comes back up, the above OSPF command will be reversed thereby removing the link from OSPF database and the router address goes back to being that of the primary link.

Alternative to the OSPF commands is to disable the primary interface when the primary link goes down. I would also enable the backup interface. I have a floating static route pointing to the secondary default gw (172.16.50.1).
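An added configuration example (not posted by anyone in the thread) showing the interface-toggle variant of the plan above on the remote 1941. The interfaces g0/0 and g0/1 and the addresses are the poster's; OSPF process 1, area 0, the wait time and the syslog messages are assumptions.

```cisco
! Added example, not from the thread: EEM version of the interface-toggle plan
! on the remote 1941. g0/0 and g0/1 are the poster's interfaces; OSPF process 1,
! area 0, the 60 s wait and the syslog text are assumptions.
!
! Backup interface is OSPF-enabled but kept shut down, so its subnet is only
! advertised to the HO ASA while the primary is actually down.
interface GigabitEthernet0/1
 description Backup ISP link to HO ASA 172.16.50.1
 ip address 172.16.50.100 255.255.255.0
 ip ospf 1 area 0
 shutdown
!
interface GigabitEthernet0/0
 description Primary ISP link to HO ASA 192.168.50.1
 ip address 192.168.50.100 255.255.255.0
 ip ospf 1 area 0
!
! Default via the primary (AD 1) and the floating static via the backup (AD 250);
! the floating one is only installed once the primary next hop disappears.
ip route 0.0.0.0 0.0.0.0 192.168.50.1
ip route 0.0.0.0 0.0.0.0 172.16.50.1 250
!
! Primary line protocol goes down: bring the backup up.
event manager applet PRIMARY-LINK-DOWN
 event syslog pattern "LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0, changed state to down"
 action 1.0 cli command "enable"
 action 2.0 cli command "configure terminal"
 action 3.0 cli command "interface GigabitEthernet0/1"
 action 4.0 cli command "no shutdown"
 action 5.0 cli command "end"
 action 6.0 syslog priority notifications msg "EEM: primary link down, backup GigabitEthernet0/1 enabled"
!
! Primary line protocol comes back: give the OSPF adjacency over g0/0 time to
! re-form, then shut the backup so its prefix is withdrawn again.
event manager applet PRIMARY-LINK-UP
 event syslog pattern "LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0, changed state to up"
 action 1.0 wait 60
 action 2.0 cli command "enable"
 action 3.0 cli command "configure terminal"
 action 4.0 cli command "interface GigabitEthernet0/1"
 action 5.0 cli command "shutdown"
 action 6.0 cli command "end"
 action 7.0 syslog priority notifications msg "EEM: primary link restored, backup GigabitEthernet0/1 disabled"
```

The applets never shut the primary interface, unlike the last variant in the post: an administratively shut interface never logs the line-protocol-up message that drives the restore. Two limits worth knowing before testing: a syslog trigger only fires when the router's own interface sees the failure, so an upstream ISP fault that leaves the Ethernet up produces no LINEPROTO message (OSPF dead timers or IP SLA cover that case), and EEM CLI actions run at privilege 15, so changes to `event manager` configuration should be restricted and logged like any other privileged change.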


10 Replies

Francesco Molino
VIP Alumni
Accepted Solution
Hi

Not sure I get everything :-) Let me recap and tell me if I understood correctly.

You have your remote office with an ASA and 2 WAN interfaces (2 different ISPs). This remote office is directly connected to your HO and using OSPF to exchange routes. You want to have redundancy on remote office (including OSPF peering) when 1 link goes down.

Am I right?

If yes, then you can use EEM as you suggested to enable/disable an interface (in that case, the ospf config can be done already but as interface is down, its subnet or peering won't be UP or advertised over your OSPF cloud).

You can also, instead of EEM, build up all your ospf peering using the 2 links and play with ospf cost to make 1 interface better for path instead of the other and still keep your floating default static route to switch default route from 1 to another interface.

If not, can you share a quick drawing to help understanding what you aim for?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Thank you for your reply.

Yes, you've almost got it. The ASA is at my HO and the remote location only has a 1941 router. (Internet access is via my HO as well.) Everything else you've said is correct.

I like your alternative to EEM, I'll put both to the test.

Another question, if I were to use the OSPF only option how would the failover from primary to secondary, AND then secondary to primary work?
For instance, I understand I could manipulate the interface BW value on each of the interfaces at my remote location so that OSPF via primary i/f would always have a lower cost than OSPF via the secondary i/f.
So, let's say my primary goes down and then the OSPF entry for secondary link moves from OSPF database to routing table. How long does it take for the routing table to get this update from the database?
Also, what happens when the primary link comes back up? Will it automatically take over in the routing table? I won't be able to test until tomorrow so I'm just wondering.

If you want to have only 1 link ospf at a time, here is the explanation. You can also decide to leverage your monthly costs and use both of them.
When you use 1 at a time:
- both ospf peerings will be up and every route will be learned and filled in the OSPF database.
- In the RIB, you will see only the one with the primary interface installed (interface with ospf cost 10 let's say. The secondary has ospf cost 100).
When the primary link goes down, it takes a few seconds to get the secondary routes installed (almost no traffic drops). When the primary comes back up then in the RIB you'll see back all routes learned from your primary interface.

Is that clear? :-)

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
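The dual-peering design described in the reply above, as an added configuration example for the remote 1941 (not from anyone in the thread). The cost values 10 and 100 and the addresses come from the posts; the OSPF process id, area, router-id and the shortened hello/dead timers are assumptions.

```cisco
! Added example, not from the thread: both links peer with the HO ASA and stay
! in the LSDB; only the cost decides which next hop the RIB installs.
! Process 1, area 0, the router-id and the 3/12 s timers are assumptions.
interface GigabitEthernet0/0
 description Primary ISP link to HO ASA 192.168.50.1
 ip address 192.168.50.100 255.255.255.0
 ip ospf 1 area 0
 ip ospf cost 10
 ip ospf hello-interval 3
 ip ospf dead-interval 12
!
interface GigabitEthernet0/1
 description Backup ISP link to HO ASA 172.16.50.1
 ip address 172.16.50.100 255.255.255.0
 ip ospf 1 area 0
 ip ospf cost 100
 ip ospf hello-interval 3
 ip ospf dead-interval 12
!
router ospf 1
 router-id 10.255.255.1
 passive-interface default
 no passive-interface GigabitEthernet0/0
 no passive-interface GigabitEthernet0/1
!
! Floating statics remain as the safety net for anything OSPF does not carry:
! AD 1 via the primary, AD 250 via the backup.
ip route 0.0.0.0 0.0.0.0 192.168.50.1
ip route 0.0.0.0 0.0.0.0 172.16.50.1 250
!
! Verification after a failover test (two neighbors FULL, one default next hop):
!   show ip ospf neighbor
!   show ip ospf interface brief
!   show ip route 0.0.0.0
```

Setting `ip ospf cost` explicitly is more predictable than the bandwidth trick mentioned earlier in the thread: with the default `auto-cost reference-bandwidth` of 100 Mbps, every interface at or above 100 Mbps gets cost 1, so two Gigabit links would tie. The shorter timers are what make the "few seconds" failover hold when the circuit fails upstream and the Ethernet stays up (no interface-down event, only missed hellos); the ASA side must match them with `ospf hello-interval` and `ospf dead-interval` under its interfaces or the adjacencies will not form.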

Hello

I don't think you even require EEM to accommodate this. If you do require a link-state feature for default static routing from a single ASA to dual ISPs, IP SLA should be good enough.

Example:
int f0/0
nameif outside
security-level 0
ip address 192.168.50.1 255.255.255.0

int f0/1
nameif redundant
security-level 0
ip address 172.16.50.1 255.255.255.0

route outside 0.0.0.0 0.0.0.0 192.168.50.100 1 track 5
route redundant 0.0.0.0 0.0.0.0 172.16.50.100 254

sla monitor 10
type echo protocol ipIcmpEcho 8.8.8.4 interface outside
sla monitor schedule 10 life forever start-time now

track 5 rtr 10 reachability

res
Paul


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

My apologies. I should have perhaps labeled this question more clearly. I'm using a router at the remote location which is connected to two ISPs, and each of those ISPs link back to virtual interfaces at my head office.

I am intrigued by the use of IP SLA. I've never used it myself before.

https://www.cisco.com/c/en/us/support/docs/ip/ip-routing/200785-ISP-Failover-with-default-routes-using-I.html

This link seems to give me all I need for IP SLA tracking. I'd combine this with the OSPF alternative suggested by Francesco and I'd be good to go. 
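Router-side counterpart of the ASA tracking configuration posted earlier in the thread, added here as an illustration (not from the thread or the linked document): an IP SLA probe from the remote 1941 toward the HO ASA's primary interface drives a tracked default route. Probe timers and the track delays are assumptions.

```cisco
! Added example, not from the thread: IP SLA reachability tracking on the remote
! 1941. Probe target is the HO ASA primary interface; frequency, timeout and the
! track delay values are assumptions.
ip sla 10
 icmp-echo 192.168.50.1 source-interface GigabitEthernet0/0
 frequency 5
 timeout 2000
 threshold 2000
ip sla schedule 10 life forever start-time now
!
! Dampen flaps: declare the path down after 10 s of failed probes and only
! return to it after it has answered for 30 s.
track 5 ip sla 10 reachability
 delay down 10 up 30
!
! Primary default is withdrawn when track 5 goes down; the AD 250 floating
! static via the backup then takes over, and is displaced again on recovery.
ip route 0.0.0.0 0.0.0.0 192.168.50.1 track 5
ip route 0.0.0.0 0.0.0.0 172.16.50.1 250
!
! Verification:
!   show track 5
!   show ip sla statistics 10
!   show ip route 0.0.0.0
```

Sourcing the probe from g0/0 ensures it only ever tests the primary path, and because 192.168.50.1 is directly connected no extra host route is needed to pin it. The probe only works if the ASA's interface ICMP policy (`icmp permit`) allows echo on that interface, and a target that is itself the OSPF neighbor only proves the link to the ASA, not anything beyond it.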

Thank you for this suggestion, however it seems the 1941 routers we have don't have the data licence installed, so we can't use IP SLA. That's something I'll have to discuss with accounts.

Hello,

on a side note, since you have (and pay for) two ISP connections at the remote sites, why not use OSPF load balancing? Just a thought...

Load balancing meaning equidistant OSPF metrics for each link? If so, that'd be a consideration once we get the automatic failovers working.

Yes

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question