IP SLA

Jul 14th, 2008

here's the scenario:


STATIC NAT ON ASA:
Host A - 172.16.205.68 -> 10.10.1.50
Host B - 172.16.202.98 -> 10.10.1.51


All traffic except these 2 hosts above (example) goes via RTR-2. Now, if RTR-2 goes down, failover to RTR-1.


Host A and B will use RTR-1 as primary routes. Now, if RTR-1 goes down, failover to RTR-2.


My IP SLA monitor is on the ASA-Firewall.

route outside 0.0.0.0 0.0.0.0 10.10.1.1 1 track 1
route outside 0.0.0.0 0.0.0.0 10.10.1.3 254
sla monitor 1
 type echo protocol ipIcmpEcho 63.75.29.125 interface outside
 num-packets 3
 timeout 300
 frequency 3
sla monitor schedule 1 life forever start-time now
service resetoutside
!
track 1 rtr 1 reachability



IP PBR is on RTR-2:

interface FastEthernet0/0
 ip address 10.10.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip policy route-map serverapps
 duplex auto
 speed auto
!
access-list 1 permit 10.10.1.0 0.0.0.255
access-list 2 permit 10.10.1.50
access-list 3 permit 10.10.1.51
!
route-map serverapps permit 100
 match ip address 2 3
 set ip next-hop 10.10.1.3


RTR-2 ROUTING:

router ospf 1
 router-id 10.10.1.1
 log-adjacency-changes
 network 10.10.1.0 0.0.0.255 area 10
!
ip route 0.0.0.0 0.0.0.0 63.75.29.125



RTR-1 ROUTING:

router ospf 1
 router-id 10.10.1.3
 log-adjacency-changes
 network 10.10.1.0 0.0.0.255 area 10
!
ip route 0.0.0.0 0.0.0.0 151.131.141.205



I got the RTR-2 to RTR-1 SLA working but not RTR-1 to RTR-2. If RTR-1 goes down, it should fail over to RTR-2 ...





tdrais Mon, 07/14/2008 - 08:48

If I read this correctly, the firewall will send all the traffic to router 2 as long as the router 2 connection is functional, and router 2 will send all the traffic it does not want to process to router 1.

Kind of a different solution to the problem, but it mostly works.

The only traffic that ever gets to router 1 in the normal case is coming from router 2. What you need to do is have router 2 track the router 1 internet connection and not policy route if it's down. This is done with the reachability option and the track option on the policy route statement.

Gerard Gacusan Mon, 07/14/2008 - 09:06

That is correct, the firewall sends all traffic to router-2. I need this scenario below.

router-1 - critical applications
backup route: router-2

router-2 - non-critical applications
backup route: router-1



tdrais Mon, 07/14/2008 - 09:16

The more common solution would be to do the policy routing for the critical apps on the firewall, but I don't know if the ASA can use the track options on policy routing.

Since you have this much working, just add the track to your policy route on router 2 and it will all work. You already know how to do the hard part, which is creation of the track object.

The only issue would be to make sure rtr 2 knows how to get to rtr 1's internet provider via your internal network rather than the internet, but you could monitor via the internet if you really wanted to.
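The change described in the reply above, written out as an added example (this is not configuration from any of the posters): RTR-2 probes RTR-1's upstream next hop through the inside LAN and makes the policy route conditional on a track object, so the critical hosts fall back to RTR-2's own default route when RTR-1's internet path is down. It assumes the 12.4-era `ip sla monitor` syntax (newer IOS uses `ip sla 1` / `icmp-echo`), that 151.131.141.205 (RTR-1's default next hop from the original post) is an acceptable reachability target, and that the probe timer and delay values are reasonable for this site; the host route forcing the probe via RTR-1 is the point raised in the reply.

```cisco
! RTR-2 (added example). Track RTR-1's internet path and use it only while it is up.
!
! Host route so the probe to RTR-1's upstream next hop leaves via RTR-1 (10.10.1.3)
! across the LAN rather than following RTR-2's own default to 63.75.29.125.
! Without this, the probe tests RTR-2's internet path, not RTR-1's.
ip route 151.131.141.205 255.255.255.255 10.10.1.3
!
! ICMP echo probe sourced from the inside interface (12.4 "ip sla monitor" syntax).
! Timeout is in milliseconds, frequency in seconds (assumed values).
ip sla monitor 1
 type echo protocol ipIcmpEcho 151.131.141.205 source-interface FastEthernet0/0
 timeout 1000
 frequency 5
ip sla monitor schedule 1 life forever start-time now
!
! Track object bound to the probe. The delay (assumed values) avoids flapping the
! policy route on a single lost echo or a brief recovery.
track 1 rtr 1 reachability
 delay down 10 up 30
!
! Same route-map as in the original post, but the next hop is only used while
! track 1 is up. When it is down, the set clause yields no usable next hop, so
! the packets from 10.10.1.50 and 10.10.1.51 fall through to normal routing
! and take RTR-2's default (63.75.29.125), which is the desired backup.
route-map serverapps permit 100
 match ip address 2 3
 set ip next-hop verify-availability 10.10.1.3 1 track 1
```

After applying it, `show track 1` shows the tracked state and `show ip sla monitor statistics 1` shows the probe results; pulling RTR-1's upstream link should move track 1 to Down after the delay, at which point `show route-map serverapps` stops counting policy-routed packets and the critical hosts' traffic appears in RTR-2's own NAT and routing tables. The ASA's existing `track 1` covers the other direction (RTR-2's path down, everything to 10.10.1.3), so the two track objects together give the two-way failover the thread asks for.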
