09-18-2013 08:00 AM - edited 03-07-2019 03:33 PM
I have 2 ISP connections.
ATT1 connected to ASA5510 via 192.168.1.1
ATT2 connected to another ASA5510 via 192.168.1.3
I have a 3850 connected to both ASA.
ATT===========ASA1(192.168.1.1)=======3850(same switch as below)
ATT2==========ASA2(192.168.1.3) =======3850(same switch as above)
I have 2 default gateways
ip route 0.0.0.0 0.0.0.0 192.168.1.1
ip route 0.0.0.0 0.0.0.0 192.168.1.3 210
But when I unplug ASA 1, I am unable to default to route 1 and vice versa. Not able to go out to the net.
What am i doing wrong?
09-18-2013 08:09 AM
Hi,
I assume that 192.168.1.1 and 192.168.1.3 are in the same subnet?
If you unplug ASA 1, there will still be a routing entry for 192.168.1.1 as part of the 192.168.1.x network (you can check that with show ip route 192.168.1.1 after unplugging ASA 1).
So, the floating static route to 192.168.1.3 will not become active.
Are you familiar with object tracking?
Another solution could be to enable a routing protocol on your ASAs and the c3850 and inject the default routes on the ASAs with different metrics.
Regards
Rolf
09-18-2013 08:37 AM
I agree with Rolf that the root of this problem is having both ASA connections in what looks like the same subnet to the 3850. The result of this is that even when ASA1 is disconnected the subnet still appears to be reachable and the static route remains in the routing table. A good solution would be to make the ASA connections into separate subnets.
The suggestion about tracking is also a good one, though it is a bit more complex than just changing subnets. I recently implemented a project where we did object tracking to control a static route on a 3850 and it worked quite well. So this is a very viable solution.
HTH
Rick
09-18-2013 11:03 AM
I am not familiar with object tracking. Is it the same as PBR? If so, then PBR is not working on the 3850 due to a bug.
09-18-2013 11:16 AM
No, PBR is a different thing.
The idea is to configure ip sla to check reachability of the next-hop(s), e.g. ASA1.
The ip sla status can be tracked and with that tracking object you can deploy conditional routes.
Link: Reliable Static Routing Backup Using Object Tracking
What about Rick's suggestion to use different subnets or enable a routing protocol?
Regards
Rolf
09-18-2013 11:41 AM
Please pardon my ignorance since I am a systems guy working on a network project so I am learning as we speak.
I followed Richard's suggestion of changing subnets. So before, both ASAs had the inside port set to 192.168.1.x.
I have changed the subnets as follows:
ASA1: 192.168.100.3
ASA2: 192.168.101.1
I then proceeded to create 2 vlans on the 3850:
Vlan 100: 192.168.100.2/24 ===== connected to ASA1 via gi1/0/3 as shown below
Vlan 101: 192.168.101.2/24 ====== connected to ASA2 via gi1/0/1 as shown below
Switch#show vlan
100 To__ASA1 active Gi1/0/3
101 To_ASA2 active Gi1/0/1
102 Desktop active Gi1/0/13, Gi1/0/15, Gi1/0/17
Gi1/0/19, Gi1/0/21, Gi1/0/23
103 Servers active Gi1/0/2, Gi1/0/4, Gi1/0/6
Gi1/0/8, Gi1/0/10, Gi1/0/12
Switch#show ip int br | ex un
Interface IP-Address OK? Method Status Protocol
Vlan100 192.168.100.2 YES manual up up
Vlan101 192.168.101.2 YES manual up up
Vlan102 192.168.102.1 YES NVRAM up up
Vlan103 192.168.103.1 YES NVRAM up up
IP routes from the switch:
ip route 0.0.0.0 0.0.0.0 192.168.100.3
ip route 0.0.0.0 0.0.0.0 192.168.101.1 10
Switch#ping 192.168.103.53 (laptop)
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.103.53, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
Switch#ping 192.168.100.2 (vlan ip)
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.100.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
Switch#ping 192.168.101.2 (vlan ip)
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.101.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
Switch#ping 192.168.101.1 (ASA2 interface)
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.101.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
Switch#ping 192.168.100.3 (ASA1 interface)
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.100.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
Switch#
Before, with a laptop plugged into VLAN 103 with a static IP of 192.168.103.53/24 and a gateway of 192.168.103.1, I had internet access; now I don't have internet access.
Any suggestions?
09-18-2013 11:49 AM
I am guessing you may be missing a route on the ASA since you changed the IP address of the internal network. Chances are the route to get to 192.168.103.0/24 was pointing to 192.168.1.1 or 1.3 depending on the firewall but those no longer exist so it would need to point to 192.168.100.3 and 192.168.101.1 depending on the firewall. Post a show run route from your firewall.
09-18-2013 12:06 PM
@KWillacey,
You were right, I had to change the inside route on the firewall to reflect the correct subnet and now I have access to the internet again.
09-18-2013 12:10 PM
@ fisher
I am still not able to route to the secondary route when I unplug ASA1.
FW routes are as shown:
ASA1: route Inside 192.168.0.0 255.255.0.0 192.168.100.2 1
ASA2: route Inside 192.168.0.0 255.255.0.0 192.168.101.2 1
As I stated in my previous post, I have access to the internet now. When I unplug the ASA, the 3850 won't fail over to the secondary route.
09-18-2013 12:14 PM
Do you have any other ports in the VLAN that ASA1's internal interface is connected to? Chances are the VLAN interface is still up, so the route will not come out of the table. If that's the case, then using routed ports on the 3850 may be a better option. When you disconnect ASA1, what is the default route on the switch when you issue a show ip route?
09-18-2013 12:21 PM
With ASA1 unplugged, when I run show ip route I get:
S* 0.0.0.0/0 [1/0] via 192.168.100.3
With ASA1 plugged in, when I run show ip route I get:
S* 0.0.0.0/0 [1/0] via 192.168.100.3
Same thing.
When I run show ip route I only get that one route, but when I run show running-config I get:
ip route 0.0.0.0 0.0.0.0 192.168.100.3
ip route 0.0.0.0 0.0.0.0 192.168.101.1 10
By the way, I am disconnecting ASA1 by unplugging the outside port on it.
09-18-2013 12:25 PM
What VLAN is ASA1 using? Do a show vlan on the switch to see if there are any other ports in that VLAN.
09-18-2013 12:20 PM
Can you check if the primary route remains or disappears from the routing table when you unplug ASA1?
Gi1/0/3 should change to down, and SVI VLAN 100 as well, as it seems to be the only active interface in VLAN 100.
This is a requirement for the floating static route to become the best route.
09-18-2013 12:25 PM
By the way, I am disconnecting ASA1 by unplugging the outside port on it.
Ok, if you want to achieve that kind of failover with static routing, object tracking is your friend.
09-18-2013 12:28 PM
Fischer is right, forget my queries, static route tracking will allow you to have automatic failover, so that's the way to go.
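The static route tracking that Rolf and Rick recommend above, written out as an added example for the 3850 (this is not the poster's configuration and not taken from the linked Cisco document). The interface and next-hop addresses are the ones posted in the thread; the probe target (8.8.8.8 stands in for any address on the far side of ASA1, such as the ISP's next hop), the SLA and track numbers, the timers and the distance 250 are assumptions. The detail that matters for this thread is that the probe must go through ASA1 to something beyond it: pinging ASA1's inside interface would keep succeeding when only its outside port is unplugged, which is exactly how ASA1 is being "disconnected" here.

```cisco
! Added example: IP SLA + object tracking on the 3850 (not the poster's config).
! Addresses are the ones from the thread; 8.8.8.8, the SLA/track IDs,
! the timers and the distance 250 are assumptions for illustration.
!
! 1. Probe something beyond ASA1, sourced from the VLAN 100 SVI.
ip sla 1
 icmp-echo 8.8.8.8 source-interface Vlan100
 frequency 5
 timeout 1000
ip sla schedule 1 life forever start-time now
!
! 2. Pin the probe to ASA1 so it can never succeed through ASA2.
!    Host route via ASA1 (AD 1); Null0 fallback (AD 250) discards the probe
!    when VLAN 100 is down instead of letting it follow the backup default route.
ip route 8.8.8.8 255.255.255.255 192.168.100.3
ip route 8.8.8.8 255.255.255.255 Null0 250
!
! 3. Turn the probe result into a tracked object, with dampening against flaps.
track 1 ip sla 1 reachability
 delay down 10 up 20
!
! 4. The primary default route is installed only while track 1 is up;
!    the floating route (AD 10) takes over when it is withdrawn.
ip route 0.0.0.0 0.0.0.0 192.168.100.3 track 1
ip route 0.0.0.0 0.0.0.0 192.168.101.1 10
```

To check it, use show track 1, show ip sla statistics 1 and show ip route 0.0.0.0 with ASA1 healthy, then pull ASA1's outside port: after the down delay the tracked route is withdrawn and the default route should show via 192.168.101.1. Two caveats. First, the echo replies have to get back through ASA1; if the ASA does not inspect ICMP (inspect icmp in its global policy) or permit the replies on its outside interface, the track never comes up and the switch will sit on ASA2 even when ASA1 is fine, so confirm the track is up before trusting the failover. Second, the floating route only helps while ASA2 is actually reachable, so the same pattern can be applied to the backup route with a second SLA and a different probe target if both paths need to be verified.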