The commands may vary slightly but the building blocks are:

ip sla monitor 1
 type echo protocol ipIcmpEcho   source-interface vlan 100
!
ip sla monitor schedule 1 life forever start-time now
!
track 100 rtr 1 reachability
!
ip route 0.0.0.0 0.0.0.0 192.168.100.3 track 100
ip route 0.0.0.0 0.0.0.0 192.168.101.1 10

has to be an IP-address which is only reachable trough ASA1.

Once it's working, we can do some fine-tuning with timeouts etc.

 has to be an IP-address which is only reachable trough ASA1.

Will it be the ip of the ASA or any other IP in that range? Also, commands for 3850 to setup sla is completely different. A bit confusing.......

It should be an IP which gives you a good indication if the primary path is working or not. But it shouldn't be reachable across the secondary path.

The ip sla commands keep changing and changing across the years; unfortunately I didn't had the chance to implement it on a c3850 so far.

I believe that the issue here is that the VLAN interface on the switch will remain in the up state even when the port connecting to the ASA is disconnected. This will cause the primary default route to remain in the routing table. My suggestion of how to fix it is to change the configuration on the interfaces on the switch which connect to the ASAs. Instead of having them as layer 2 switch ports in a VLAN I suggest that you make each of them a routed layer 3 interface and eliminate VLANs 100 and 101. Put the IP address onto the layer 3 routed switch port. Then when the interface is disconnected the interface will go down and the static route should be removed from the routing table and the switch should begin to use the backup/floating route.

HTH

Rick

Rick,

he disconnected the outside FW-interface, so he's looking for a more sophisticated failover mechanism.

Best regards

Rolf

That was my suggestion earlier as well Rick , didn't realize he was disconnecting the outside interface, default route tracking is definitely the way to go.

Can you ping 8.8.8.8 from the switch when sourcing it from 192.168.100.3? I am guessing you can't. Do a ping to 8.8.8.8 and source it from an address that has access to the Internet. Chances are you need to enable that internal subnet on the ASA to have access to the Internet or you may need to allow echo-reply on the firewall.

I can ping 8.8.8.8 from the switch  as shown below

Switch#ping 8.8.8.8

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 20/24/30 ms

and also from both ASAs.

When you do a ping 8.8.8.8 source 192.168.100.3 does that work? If the ping is successful then the 'Latest Operation Code' should say 'OK' if not then it should say 'Timeout'. The 'Unknown' has me a bit concerned, I will have to check what that means. I have not been able to work with a 3850 yet.

Got it to work!

Had to change the icmp-echo 8.8.8.8 source-ip 192.168.100.3 to 192.168.100.2 (interface of 3850.)

Thank you all for your assistance. Now i have 2 types of failover redundancy. One internal if inside interface of ASA goes down it will switch to secondary ASA and the other for external using ip sla.

Appreciate everyone’s assistance.

Oh right, did not realize that IP was not on the 3850, even though it was staring me right in the face with the default route. Good to know it is working now.

Thanks for the feedback!

In the meantime I took a look in the c3850 command reference and saw that the IP SLA configuration has slightly changed (once more...).

But I was more concerned about the tracking config, it seems to be different in XE as well and I couldn't find the options I was looking for (tracking an IP SLA object). Could you please post that part of the config, this would be very interesting for me since we don't use that platform yet.

... already done;-)

Thanks!

Best regards

Rolf