06-05-2012 01:42 AM
Dear All,
I have configured then tested a ASA 5505 with Base License and ver 8.4(2) in Lab environment, and all seems works well.
So in the Lab when I stop the communication with the tracked object 8.8.8.8, the SLA Monitor configured in the ASA changes from the primary link connected to the ISP1 to the secondary link ISP2. Finally when I re-start the communication with the tracked object the active ISP is changed again on ISP1.
After the Lab I goes live with the same configuration the same Base license, but with different IOS 8.4(4), I got a different behavior. I can not reach the interface 82.19.63.190/30 but I can reach 82.19.63.189, so I connect on the serial link using OOB modem. I check the routing table, and I see that the default route about ISP1 is not present in the table even if it is in the config, there is a default route on the table but about the ISP2.
It seems that the sla monitor has changed the on the ISP2 even if the tracked object 8.8.8.8 is reachable, infact if I add again the default route about ISP1 then I can ping the 8.8.8.8...
Why the SLA Monitor works in this way?
Follow the Asa 5055 config:
sh runn
: Saved
:
ASA Version 8.4(2)
!
hostname aaaa
domain-name i.com
names
!
interface Ethernet0/0
switchport access vlan 100
!
interface Ethernet0/1
switchport access vlan 2
speed 100
duplex full
!
interface Ethernet0/2
shutdown
!
interface Ethernet0/3
shutdown
!
interface Ethernet0/4
<--- More --->
shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
switchport access vlan 110
!
interface Vlan1
shutdown
no nameif
no security-level
no ip address
!
interface Vlan2
nameif inside
security-level 100
ip address 192.168.100.6 255.255.255.192
!
interface Vlan100
nameif outside
<--- More --->
security-level 0
ip address 82.19.63.190 255.255.255.252
!
interface Vlan110
no forward interface Vlan100
nameif backup_out
security-level 0
ip address 10.10.10.10 255.255.255.224
!
ftp mode passive
dns server-group DefaultDNS
domain-name intranet.denso-ts.it
object-group network NETWORK_OBJ_172.20.0.0_22
network-object 172.20.0.0 255.255.252.0
access-list outside_1_cryptomap extended permit ip 192.168.100.0 255.255.252.0 172.20.0.0 255.255.252.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu backup_out 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source static NETWORK_OBJ_192.168.100.0_22 NETWORK_OBJ_192.168.100.0_22 destination static NETWORK_OBJ_172.20.0.0_22 NETWORK_OBJ_172.20.0.0_22
route outside 0.0.0.0 0.0.0.0 82.19.63.189 1 track 1
route backup_out 0.0.0.0 0.0.0.0 10.10.10.11 200
route inside 192.168.100.64 255.255.255.192 172.26.100.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http 192.168.100.12 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
sla monitor 1
type echo protocol ipIcmpEcho 8.8.8.8 interface outside
timeout 2
frequency 3
sla monitor schedule 1 life forever start-time now
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3des-SHA esp-3des esp-sha-hmac
crypto map ouside_map 1 match address outside_1_cryptomap
crypto map ouside_map 1 set pfs group5
crypto map ouside_map 1 set peer 47.8.7.67
crypto map ouside_map 1 set ikev1 transform-set ESP-3des-SHA
crypto map ouside_map interface outside
crypto map ouside_map interface backup_out
no crypto isakmp nat-traversal
crypto ikev1 enable outside
crypto ikev1 enable backup_out
crypto ikev1 policy 10
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 86400
crypto ikev1 policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
!
track 1 rtr 1 reachability
telnet timeout 5
ssh timeout 30
console timeout 0
management-access inside
dhcpd auto_config inside
!
threat-detection basic-threat
<--- More --->
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username fabrizio password 5ztInRySM8E.ym/Q encrypted
tunnel-group 47.8.7.67 type ipsec-l2l
tunnel-group 47.8.7.67 ipsec-attributes
ikev1 pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
<--- More --->
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
<--- More --->
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:a7dbcaefbef742e4e19766de630ba790
: end
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide