02-10-2010 12:47 AM - edited 03-11-2019 10:07 AM
Hello,
I have configured dual ISP on my ASA firewall for redundancy. Everything is working fine. When my first link becomes unavailable the ASA switches to the backup link, but when my primary link is online again the ASA never switches to my primary link.
What do I have to do so that my ASA switches back to my primary link when it becomes active again?
Thanks.
02-10-2010 01:38 AM
I have noticed that, although my primary link is up, for an unknown reason my ASA switches to my backup link.
Has anybody faced such a problem?
Thanks.
02-10-2010 05:03 AM
Hi,
Can you post the config?
02-10-2010 06:07 AM
route outside 0.0.0.0 0.0.0.0 1.1.1.1 1 track 1
route backup 0.0.0.0 0.0.0.0 2.2.2.2 254
sla monitor 123
 type echo protocol ipIcmpEcho isp_dns_ip interface outside
 num-packets 3
 frequency 120
sla monitor schedule 123 life forever start-time now
track 1 rtr 123 reachability

I have changed the target ping IP address to an IP address of a router which is very close to my firewall. Till now everything is working fine.
02-10-2010 06:13 AM
CSCtc16148
CSCsk65652
Check them both out. Neither of them is resolved yet.
Symptom:
Route Tracking may fail to fail back to the primary link/route when restored.
Conditions:
SLA monitor must be configured along with ip verify reverse path on the tracked interface.
Workaround:
1. Remove ip verify reverse path off of the tracked interface
or
2. add a static route to the SLA target out the primary tracked interface.
Further Problem Description:
N/A
-KS
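A check for the condition quoted in the bug description above, as an added example that is not part of the original thread or Cisco's own tooling: it scans ASA configuration text for an SLA echo probe on an interface that also has `ip verify reverse-path`, and reports it unless an untracked static route to the probe target leaves that same interface (workaround 2). The sample config and the address 198.51.100.53 are constructed; hostname targets are not resolved.

```python
import ipaddress
import re

# Constructed sample config; 198.51.100.53 is a documentation address, not a real target.
SAMPLE = """\
route outside 0.0.0.0 0.0.0.0 1.1.1.1 1 track 1
route backup 0.0.0.0 0.0.0.0 2.2.2.2 254
ip verify reverse-path interface outside
sla monitor 123
 type echo protocol ipIcmpEcho 198.51.100.53 interface outside
 num-packets 3
 frequency 120
sla monitor schedule 123 life forever start-time now
track 1 rtr 123 reachability
"""

def audit(config):
    """Return one finding per SLA probe that meets the bug's conditions."""
    urpf = set(re.findall(r"^ip verify reverse-path interface (\S+)", config, re.M))
    probes = re.findall(
        r"^[ \t]*type echo protocol ipIcmpEcho (\S+) interface (\S+)", config, re.M)
    routes = []  # (interface, network, is_tracked)
    for m in re.finditer(r"^route (\S+) (\S+) (\S+) \S+(.*)$", config, re.M):
        ifc, net, mask, rest = m.groups()
        try:
            network = ipaddress.ip_network(f"{net}/{mask}", strict=False)
        except ValueError:
            continue  # named network objects are skipped in this example
        routes.append((ifc, network, " track " in rest + " "))
    findings = []
    for target, ifc in probes:
        if ifc not in urpf:
            continue  # reverse-path check not enabled on the probed interface
        try:
            addr = ipaddress.ip_address(target)
        except ValueError:
            findings.append(f"{ifc}: SLA target '{target}' is a name; check manually")
            continue
        # Workaround 2: a specific, untracked route to the target via this interface.
        pinned = any(r_ifc == ifc and not tracked and net.prefixlen > 0 and addr in net
                     for r_ifc, net, tracked in routes)
        if not pinned:
            findings.append(
                f"{ifc}: reverse-path enabled, no static route to SLA target {addr}")
    return findings

if __name__ == "__main__":
    for line in audit(SAMPLE):
        print(line)
```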
02-11-2010 02:03 AM
It seems that I have the same problem that you describe.
I switch successfully to the backup link but when the primary link is online again the ASA never switches back to the primary link.
I will remove ip verify reverse-path and see what happens....
02-11-2010 02:11 AM
The no ip verify reverse-path on my tracked interface did the trick. Everything is working perfectly now.
Thanks for your help.
02-11-2010 05:11 PM
Glad to hear. Thanks for rating.
-KS