Jul 14th, 2008

here's the scenario:


Host A - ->

Host B - ->

All traffic except these 2 hosts above (example) is routed via RTR-2. Now, if RTR-2 goes down, fail over to RTR-1.

Host A and B will use RTR-1 as their primary route. Now, if RTR-1 goes down, fail over to RTR-2.

My IP SLA monitor is on the ASA-Firewall.

route outside 1 track 1
route outside 254
sla monitor 1
 type echo protocol ipIcmpEcho interface outside
 num-packets 3
 timeout 300
 frequency 3
sla monitor schedule 1 life forever start-time now
service resetoutside
track 1 rtr 1 reachability

IP PBR is on the RTR-2:

interface FastEthernet0/0
 ip address
 ip nat inside
 ip virtual-reassembly
 ip policy route-map serverapps
 duplex auto
 speed auto

access-list 1 permit
access-list 2 permit
access-list 3 permit

route-map serverapps permit 100
 match ip address 2 3
 set ip next-hop

router ospf 1
 network area 10
ip route

router ospf 1
 network area 10
ip route

I got RTR-2 to RTR-1 SLA working but not RTR-1 to RTR-2. If RTR-1 goes down, it should fail over to RTR-2 ...

tdrais Mon, 07/14/2008 - 08:48
User Badges:
  • Blue, 1500 points or more

If I read this correctly, the firewall will send all the traffic to router 2 as long as router 2's connection is functional, and router 2 will send all the traffic it does not want to process to router 1.

Kinda a different solution to the problem, but it works mostly.

The only traffic that ever gets to router 1 in the normal case is coming from router 2. What you need to do is have router 2 track router 1's internet connection and not policy route if it's down. This is done with the reachability option and the track option on the policy route statement.

Gerard Gacusan Mon, 07/14/2008 - 09:06

That is correct, firewall sends all traffic to router-2. I need this scenario below.

router-1 - critical applications

backup route: router-2

router-2 - non-critical applications

backup route: router-1

tdrais Mon, 07/14/2008 - 09:16
User Badges:
  • Blue, 1500 points or more

The more common solution would be to do the policy routing for the critical apps on the firewall but I don't know if the ASA can use the track options on policy routing.

Since you have this much working just add the track to your policy route on router 2 and it will all work. You already know how to do the hard part which is creation of the track object.

The only issue would be to make sure rtr 2 knows how to get to rtr 1's internet provider via your internal network rather than the internet, but you could monitor via the internet if you really wanted to.
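The tracked policy route that tdrais describes in both replies above, written out as an added example; it is not configuration from the thread or from Cisco, and every address in it is an assumption: 198.51.100.0/24 stands in for the internal LAN (RTR-1's inside address 198.51.100.1, critical hosts .10 and .11), and 192.0.2.1 stands in for RTR-1's upstream provider gateway (both are RFC 5737 documentation ranges used as placeholders). The interface name, object numbers and timers are likewise assumed, and the `ip sla` / `track ... ip sla` syntax is the form on IOS 12.4(20)T and later; older releases use `ip sla monitor` with `track 1 rtr 1 reachability`, the same keyword the firewall-side config above uses.

```cisco
! RTR-2 (hypothetical addresses): probe RTR-1's upstream gateway, but force
! the probe across the internal LAN through RTR-1 rather than out RTR-2's
! own Internet link, so it really tests RTR-1's provider connection.
ip route 192.0.2.1 255.255.255.255 198.51.100.1
!
ip sla 1
 icmp-echo 192.0.2.1 source-interface FastEthernet0/0
 frequency 5
 timeout 1000
ip sla schedule 1 life forever start-time now
!
! Tracked object is up only while the probe succeeds; the down/up delays
! keep a single lost echo from flapping the policy route.
track 1 ip sla 1 reachability
 delay down 10 up 5
!
! Critical application hosts (placeholders for Host A and Host B)
access-list 2 permit 198.51.100.10
access-list 3 permit 198.51.100.11
!
! verify-availability ... track: the next-hop is applied only while track 1
! is up. When it goes down the set clause is skipped and the packets fall
! through to RTR-2's normal routing table, i.e. out RTR-2's own provider.
route-map serverapps permit 100
 match ip address 2 3
 set ip next-hop verify-availability 198.51.100.1 10 track 1
!
interface FastEthernet0/0
 ip policy route-map serverapps
```

To confirm the behaviour, `show track 1` reports the object state and its last change, `show ip sla statistics 1` shows the probe results, and `show route-map serverapps` counts packets that actually took the policy route; unplugging RTR-1's provider link should flip track 1 to down and the policy-routed counter should stop climbing while the critical hosts keep reaching the Internet via RTR-2.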
