09-18-2013 08:00 AM - edited 03-07-2019 03:33 PM
I have 2 ISP connections.
ATT1 connected to ASA5510 via 192.168.1.1
ATT2 connected to another ASA5510 via 192.168.1.3
I have a 3850 connected to both ASA.
ATT===========ASA1(192.168.1.1)=======3850(same switch as below)
ATT2==========ASA2(192.168.1.3) =======3850(same switch as above)
I have 2 default gateways
ip route 0.0.0.0 0.0.0.0 192.168.1.1
ip route 0.0.0.0 0.0.0.0 192.168.1.3 210
But when I unplug ASA 1 I am unable to default to route 1 and vice versa. Not able to go out to the net.
What am i doing wrong?
09-18-2013 12:28 PM
You are both right....... I just unplugged ASA1 from the inside port and it failed over to the secondary route......
Please pardon my ignorance, so I guess I was looking for object tracking.....
Any help in that area would be appreciated......
09-18-2013 12:46 PM
The commands may vary slightly but the building blocks are:
ip sla monitor 1
 type echo protocol ipIcmpEcho
 source-interface vlan 100
!
ip sla monitor schedule 1 life forever start-time now
!
track 100 rtr 1 reachability
!
ip route 0.0.0.0 0.0.0.0 192.168.100.3 track 100
ip route 0.0.0.0 0.0.0.0 192.168.101.1 10
Once it's working, we can do some fine-tuning with timeouts etc.
09-18-2013 01:12 PM
has to be an IP address which is only reachable through ASA1.
Will it be the IP of the ASA or any other IP in that range? Also, the commands for the 3850 to set up SLA are completely different. A bit confusing.......
09-18-2013 01:19 PM
It should be an IP which gives you a good indication if the primary path is working or not. But it shouldn't be reachable across the secondary path.
The ip sla commands keep changing and changing across the years; unfortunately I haven't had the chance to implement it on a c3850 so far.
09-18-2013 12:52 PM
I believe that the issue here is that the VLAN interface on the switch will remain in the up state even when the port connecting to the ASA is disconnected. This will cause the primary default route to remain in the routing table. My suggestion of how to fix it is to change the configuration on the interfaces on the switch which connect to the ASAs. Instead of having them as layer 2 switch ports in a VLAN I suggest that you make each of them a routed layer 3 interface and eliminate VLANs 100 and 101. Put the IP address onto the layer 3 routed switch port. Then when the interface is disconnected the interface will go down and the static route should be removed from the routing table and the switch should begin to use the backup/floating route.
HTH
Rick
09-18-2013 12:58 PM
Rick,
he disconnected the outside FW-interface, so he's looking for a more sophisticated failover mechanism.
Best regards
Rolf
09-18-2013 01:08 PM
That was my suggestion earlier as well Rick , didn't realize he was disconnecting the outside interface, default route tracking is definitely the way to go.
09-20-2013 07:06 AM
For a 3850 the commands are a bit different for ip sla.
ip sla 1
icmp-echo 8.8.8.8 source-ip 192.168.100.3 192.168.100.2
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability
ip route 0.0.0.0 0.0.0.0 192.168.100.3 track 1
ip route 0.0.0.0 0.0.0.0 192.168.101.1 10
ip route 8.8.8.8 255.255.255.255 192.168.100.3 permanent
All this applied successfully, but when I simulate downage on the ASA, the 3850 won't resort to the default route. (working now)
When i type show ip sla summary:
Switch# show ip sla summary
IPSLAs Latest Operation Summary
ID Type Destination Stats Return Last
(ms) Code Run
----------- ---------- --------------- ------ ---------- -----------------
^1 icmp-echo 8.8.8.8 - Unknown 3 days, 15 hours, 25 minutes, 0 seconds ago
Switch#show track
Track 1
IP SLA 1 reachability
Reachability is Down
1 change, last change 18:02:57
Latest operation return code: Unknown
Tracked by:
STATIC-IP-ROUTING Track-list 0
Any suggestions?
09-20-2013 07:12 AM
Can you ping 8.8.8.8 from the switch when sourcing it from 192.168.100.3? I am guessing you can't. Do a ping to 8.8.8.8 and source it from an address that has access to the Internet. Chances are you need to enable that internal subnet on the ASA to have access to the Internet or you may need to allow echo-reply on the firewall.
09-20-2013 07:15 AM
I can ping 8.8.8.8 from the switch as shown below
Switch#ping 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/24/30 ms
and also from both ASAs.
09-20-2013 08:09 AM
When you do a ping 8.8.8.8 source 192.168.100.3 does that work? If the ping is successful then the 'Latest Operation Code' should say 'OK' if not then it should say 'Timeout'. The 'Unknown' has me a bit concerned, I will have to check what that means. I have not been able to work with a 3850 yet.
09-20-2013 08:58 AM
Got it to work!
Had to change the icmp-echo 8.8.8.8 source-ip 192.168.100.3 to 192.168.100.2 (interface of 3850.)
Thank you all for your assistance. Now I have 2 types of failover redundancy: one internal, if the inside interface of the ASA goes down it will switch to the secondary ASA, and the other for external using ip sla.
Appreciate everyone’s assistance.
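As an added example that is not part of this thread, here is a small Python linter for the kind of ip sla / track / ip route setup posted above. It flags the exact mistake found here (a source-ip that is not one of the switch's own addresses, which leaves the probe never run and the track Down with return code Unknown), and also checks that the probe target is pinned to the primary next hop and that the backup default route actually floats. The configuration text and the switch addresses are constructed values, not taken from a live device.

```python
import re

# Constructed sample: the 3850 config as first posted, with source-ip set to the ASA
# address (192.168.100.3) instead of the switch's own interface address.
SAMPLE_CONFIG = """
ip sla 1
 icmp-echo 8.8.8.8 source-ip 192.168.100.3
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability
ip route 0.0.0.0 0.0.0.0 192.168.100.3 track 1
ip route 0.0.0.0 0.0.0.0 192.168.101.1 10
ip route 8.8.8.8 255.255.255.255 192.168.100.3 permanent
"""
# Constructed (hypothetical): addresses configured on the switch's own interfaces.
SWITCH_ADDRESSES = {"192.168.100.2", "192.168.101.2"}

def lint_sla_tracking(config, switch_addresses):
    """Parse ip sla / track / ip route lines and return a list of misconfiguration findings."""
    slas, tracks, routes, cur = {}, {}, [], None
    for line in (ln.strip() for ln in config.splitlines()):
        if m := re.match(r"ip sla (\d+)$", line):
            cur = m.group(1)                          # entering an 'ip sla N' block
        elif (m := re.match(r"icmp-echo (\S+) source-ip (\S+)", line)) and cur:
            slas[cur] = {"dst": m.group(1), "src": m.group(2)}
        elif m := re.match(r"track (\d+) ip sla (\d+) reachability", line):
            tracks[m.group(1)] = m.group(2)           # track object -> SLA id
        elif m := re.match(r"ip route (\S+) (\S+) (\S+)(.*)", line):
            toks, ad, trk, i = m.group(4).split(), 1, None, 0
            while i < len(toks):                      # optional '<AD>' and 'track N' after next hop
                if toks[i] == "track":
                    trk, i = toks[i + 1], i + 2
                else:
                    ad, i = (int(toks[i]) if toks[i].isdigit() else ad), i + 1
            routes.append({"dst": m.group(1), "nh": m.group(3), "ad": ad, "track": trk})
    findings = []
    for sid, s in slas.items():                       # the failure mode seen in the thread
        if s["src"] not in switch_addresses:
            findings.append(f"sla {sid}: source-ip {s['src']} is not an address of this switch; the probe never runs and the track stays Down (return code Unknown)")
    defaults = [r for r in routes if r["dst"] == "0.0.0.0"]
    for r in (d for d in defaults if d["track"]):     # tracked (primary) default routes
        sid = tracks.get(r["track"])
        if sid not in slas:
            findings.append(f"default via {r['nh']}: track {r['track']} does not resolve to an IP SLA object")
            continue
        dst = slas[sid]["dst"]                        # probe target must only be reachable via primary
        if not any(h["dst"] == dst and h["nh"] == r["nh"] for h in routes):
            findings.append(f"probe target {dst} has no host route via {r['nh']}; it may be reached over the backup path")
        for b in (d for d in defaults if not d["track"]):
            if b["ad"] <= r["ad"]:                    # backup must have a higher AD to float
                findings.append(f"backup default via {b['nh']} has AD {b['ad']} <= {r['ad']}; it will not float")
    return findings
```

Running the linter on the posted config reports only the source-ip problem; with the source-ip changed to the switch's own 192.168.100.2 it reports nothing.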
09-20-2013 09:13 AM
Oh right, did not realize that IP was not on the 3850, even though it was staring me right in the face with the default route. Good to know it is working now.
09-20-2013 09:18 AM
Thanks for the feedback!
In the meantime I took a look in the c3850 command reference and saw that the IP SLA configuration has slightly changed (once more...).
But I was more concerned about the tracking config, it seems to be different in XE as well and I couldn't find the options I was looking for (tracking an IP SLA object). Could you please post that part of the config, this would be very interesting for me since we don't use that platform yet.
... already done;-)
Thanks!
Best regards
Rolf