06-29-2007 01:30 PM - edited 03-11-2019 03:37 AM
Hi. I am not 100% sure this is the best forum for this question but here goes... Two ISPs are connected to two interfaces on our ASA 5550. G0/0 = ISP1 and G1/0 = ISP2. How should failover best be approached? I was told active / active via multiple contexts using the ASA but from ONE ASA, can't I simply have BACKUP routes that TRACK somehow? That's my question. Can anyone help me with this? THANKS!!!
06-29-2007 01:35 PM
You need to configure your firewall with ISP failback which was introduced in 7.2.1 code.
In order to configure this we can use the following steps:
Failback of ISP works using a new feature called "Static Route Tracking".
The main problem with defining two default static routes with different AD was:
- How to determine if the route with lower AD has failed?
- The route with lower AD will only be used if the associated interface goes down itself.
Thus, in order to make sure that the current static route is functional we needed something for monitoring
the connectivity using this route.
ICMP was used for this. With Static Route Tracking configured, PIX keeps a check on the static route
using echo-request messages.
When monitoring of a particular route fails, it is removed from the routing table and a previously configured
backup route is used in place of the removed route. A backup route can be another default route with a
higher metric than the existing one.
The following commands can be used for ISP failback:
--> pixfirewall(config)# sla monitor 20
(20 is only an ID here. Valid values are from 1 to 2147483647.)
--> pixfirewall(config-sla-monitor)# type echo protocol ipIcmpEcho 192.168.1.1 interface outside
192.168.1.1 - This is my target IP on which PIX will keep a check. There are options available
here, but it is at your discretion what you want to keep a check on. For example:
- We can set PIX to keep a check on some host outside which is accessible via the existing static default
route I'm checking.
--> pixfirewall(config)# sla monitor schedule 20 life forever start-time now
- Above command is telling PIX to start monitoring on "sla-id 20" now (start-time now) and
continue monitoring forever (life forever).
Next, I create a "Track ID" to associate a static route entry with the SLA monitoring process.
--> pixfirewall(config)# track 200 rtr 20 reachability
(200 is the Track_id and 20 is the sla-id)
Now we will use the above "TRACK" to track a static route on PIX and make sure that the static route is
working fine. This is done using the following command:
--> pixfirewall(config)# route outside 0 0 192.168.1.1 1 track 200
How will the above work?
PIX will see that a "Track ID" is associated with the static route. PIX will check the TRACK which is supposed to
track the static route as defined in "SLA", here sla-id (20).
The SLA says to monitor forever and start monitoring as soon as SLA is created and the target it will monitor
through the static route is defined above as "192.168.1.1". This was done in the following command.
--> pixfirewall(config-sla-monitor)# type echo protocol ipIcmpEcho 192.168.1.1 interface outside
To summarize:
In order to configure Static Route Tracking for a static route entered manually, the following commands are
entered:
--> pixfirewall(config)# sla monitor 20
--> pixfirewall(config-sla-monitor)# type echo protocol ipIcmpEcho 192.168.1.1 interface outside
--> pixfirewall(config-sla-monitor)# exit
--> pixfirewall(config)# sla monitor schedule 20 life forever start-time now
--> pixfirewall(config)# track 200 rtr 20 reachability
--> pixfirewall(config)# route outside 0 0 192.168.1.1 1 track 200
Hope this helps.
Regards,
Vibhor.
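The post above shows the tracked primary route but only mentions the backup route in passing. The configuration below is an added example, not taken from the thread or from Cisco documentation, that puts both halves together for the original poster's two-ISP layout (G0/0 to ISP1, G1/0 to ISP2) on ASA 7.2(1) or later: a tracked default route with AD 1 and a floating default route with AD 254 that is installed only while the tracked route is withdrawn. The interface names ("outside", "backup"), the addresses (198.51.100.x, 203.0.113.x) and the probe target 198.51.100.250 are all assumptions chosen for illustration.

```cisco
! Added example (not from the thread): dual-ISP default route failover on a
! single ASA using static route tracking. Interface names, addresses and the
! probe target are assumptions for illustration only.
!
! G0/0 -> ISP1 (primary), G1/0 -> ISP2 (backup)
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 198.51.100.2 255.255.255.0
!
interface GigabitEthernet1/0
 nameif backup
 security-level 0
 ip address 203.0.113.2 255.255.255.0
!
! Probe a host beyond ISP1's first hop rather than the gateway itself, so a
! dead upstream is detected even when the local link stays up. The probe is
! bound to the "outside" interface, so it keeps running after the tracked
! route is withdrawn and the route returns once ISP1 recovers.
sla monitor 20
 type echo protocol ipIcmpEcho 198.51.100.250 interface outside
  num-packets 3
  frequency 10
  timeout 1000
  threshold 1000
sla monitor schedule 20 life forever start-time now
!
track 200 rtr 20 reachability
!
! Primary default route: AD 1, present in the routing table only while
! track 200 reports "up".
route outside 0.0.0.0 0.0.0.0 198.51.100.1 1 track 200
!
! Floating backup default route: higher AD, so it is used only when the
! primary has been removed by the tracking process.
route backup 0.0.0.0 0.0.0.0 203.0.113.1 254
!
! Translation must exist for both egress interfaces, otherwise traffic that
! fails over to ISP2 has no usable translation and is dropped (7.x syntax).
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
global (backup) 1 interface
```

To confirm the behaviour, watch `show track 200`, `show sla monitor operational-state 20` and `show route` while the probe target is unreachable: the tracked route should disappear and the AD 254 route should take its place, then revert when the probe succeeds again. Pick a probe target that reliably answers ICMP and is only meaningful through ISP1; a target that rate-limits or blocks echo requests will cause spurious failover and route flapping. Existing connections are not preserved across the switch, since the public source address changes with the egress interface.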
06-29-2007 01:36 PM
Yes, you can create an object track on the asa and a floating static route, here is the doc that will walk you through it...
Please rate helpful posts.
06-29-2007 04:00 PM
Thank you - BOTH of you -- This was EXACTLY what I needed. What spawned this issue is that when a failover occurs, will a backup MX record suffice [which is already in place]? Then the idea of multiple contexts came up so we could do active-active on the two units. Finally, with all backup routes and tunnels configured, I guess I would not need BGP... I know the next question would be load balancing. What do you guys think about that piece? You are VERY helpful with this and I greatly appreciate it!!!!