ASA, tracking, failover

Answered Question
May 28th, 2010

Hello,


I'm having a problem: when I put in the tracking option on my default route, I lose connection altogether.

I have a T1 (outside) used as primary connection, and a DSL line (backup) plugged in for a failover.

This is an ASA with the Security Plus package, so the failover option should be working.



route outside 0.0.0.0 0.0.0.0 1.2.3.1 1

route backup 0.0.0.0 0.0.0.0 7.8.9.1 254


These are my routes.  When I try to put:



route outside 0.0.0.0 0.0.0.0 1.2.3.1 1 track 1


I completely lose connection.  I've even tried "write mem" and "reload" hoping to bring up the connection.


Here is the config that pertains to the routes:



interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.253 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 1.2.3.2 255.255.255.248
!
interface Vlan3
 nameif backup
 security-level 0
 ip address 7.8.9.2 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 1.2.3.1 1
route backup 0.0.0.0 0.0.0.0 7.8.9.1 254
!
sla monitor 666
 type echo protocol ipIcmpEcho 1.2.3.4 interface outside
 num-packets 3
 frequency 10
!
track 1 rtr 666 reachability

I haven't put in

sla monitor schedule 666 life forever start-time now

yet because I want to make sure the default route works.  My understanding is that just adding in "track 1" to the end of the route doesn't do anything until I activate the timer with the "sla monitor" line.





Any ideas as to which part of this feature I have wrong?

Kelvin Willacey Fri, 05/28/2010 - 10:37

Have you verified if the track statement is up with "sh sla monitor operational-state"? Have you configured the global statement for the backup link?


Because if for whatever reason the track fails then the backup should take over as in your case. So verify those two things.

Correct Answer
Panos Kampanakis (Cisco Employee) Fri, 05/28/2010 - 17:42

I would suggest following http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtml#cli

The config will look like


---------------

route outside 0.0.0.0 0.0.0.0 1 track 1
route backup 0.0.0.0 0.0.0.0 254


sla monitor 123
type echo protocol ipIcmpEcho interface outside
num-packets 3
frequency 10


sla monitor schedule 123 life forever start-time now


track 1 rtr 123 reachability

---------------


I hope it helps.


PK

scott.bridges Thu, 06/10/2010 - 22:28

Thanks guys and sorry for the delay.


I didn't know about the show operational state command, which led me to see that the ICMP was timing out.


I then just started from scratch, changed the instance to the example "123" exactly how it was in the post, and changed the test IP to the T1 line's DNS server.


All worked after that point.


Thanks again.  I was thinking I could change the "123", which I probably can, but I'll just keep it at default.
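
The pieces discussed in this thread form a chain: a tracked route points at a track object, the track object points at an SLA monitor, and the monitor only probes once it has a schedule line. As an added example (not part of the thread and not Cisco tooling), this Python check lints a pasted ASA config for a break in that chain; the function name and finding strings are made up for illustration.

```python
import re

# Config from the question in this thread (addresses as posted there).
QUESTION_CONFIG = """\
route outside 0.0.0.0 0.0.0.0 1.2.3.1 1 track 1
route backup 0.0.0.0 0.0.0.0 7.8.9.1 254
sla monitor 666
 type echo protocol ipIcmpEcho 1.2.3.4 interface outside
 num-packets 3
 frequency 10
track 1 rtr 666 reachability
"""
# Constructed variant: the same config plus the schedule line from the thread.
SCHEDULED_CONFIG = QUESTION_CONFIG + "sla monitor schedule 666 life forever start-time now\n"


def check_tracked_routes(config):
    """Return findings for tracked routes whose track -> SLA -> schedule chain is broken."""
    tracks, probes, scheduled, routes = {}, {}, set(), []
    current = None  # SLA monitor whose sub-commands are being read
    for line in (raw.strip() for raw in config.splitlines()):
        if m := re.match(r"route (\S+) .* track (\d+)$", line):
            routes.append((m[1], m[2]))          # (interface, track id)
        elif m := re.match(r"track (\d+) rtr (\d+) reachability$", line):
            tracks[m[1]] = m[2]                  # track id -> SLA id
        elif m := re.match(r"sla monitor schedule (\d+) ", line):
            scheduled.add(m[1])
        elif m := re.match(r"sla monitor (\d+)$", line):
            current = m[1]
            probes.setdefault(current, None)
        elif current and (m := re.match(
                r"type echo protocol ipIcmpEcho (\S+) interface (\S+)$", line)):
            probes[current] = (m[1], m[2])       # (target, interface)
    findings = []
    for ifname, track_id in routes:
        sla_id = tracks.get(track_id)
        if sla_id is None:
            findings.append(f"route {ifname}: track {track_id} is not defined")
        elif probes.get(sla_id) is None:
            findings.append(f"route {ifname}: sla monitor {sla_id} has no echo probe")
        elif sla_id not in scheduled:
            findings.append(f"route {ifname}: sla monitor {sla_id} is never scheduled")
    return findings


if __name__ == "__main__":
    for name, cfg in (("question", QUESTION_CONFIG), ("scheduled", SCHEDULED_CONFIG)):
        print(name, check_tracked_routes(cfg) or "chain complete")
```

A clean result only means the chain is wired up; whether the probe target actually answers is what "sh sla monitor operational-state", mentioned above, shows on the device.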
