09-16-2010 10:51 AM
We have site (A) and site (B), and there is layer 2 connectivity between the two sites. The primary ASA is located at site A and the standby ASA is located at site B. Each site has its own internet connection using BGP. If the primary ASA fails, the secondary takes over, but if the L2 connectivity is lost, both go active.
Is there any way to use interface tracking on the primary ASA so that if it loses connectivity to an IP address at site B it shuts down its interface and goes into failed status, so that when the secondary ASA goes active there is no IP address conflict?
09-16-2010 12:40 PM
Have not really done it that way, but I'm pretty sure it should work with the IP SLA feature on the ASA.
Have you tried it already?
Federico.
09-16-2010 12:42 PM
No, I am looking for advice on how to configure IP SLA to shut down an interface if an IP is unreachable.
09-16-2010 12:57 PM
I believe you can have a static route to that IP that you want to monitor and track that route, so that the ASA considers that link down if the IP is unreachable.
Check this link for Monitoring a Static or Default Route:
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/route_static.html#wp1119813
Federico.
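The static route tracking the linked document describes, written out as an added configuration example (not from the original thread or the Cisco document); the interface name, the site B target 10.2.2.2 and the next hop 10.1.1.1 are assumed placeholders. Note that, as the later replies point out, this only withdraws the tracked route when the probe fails; it does not change the unit's failover state or shut down the interface.

```cisco
! Assumed names/addresses: interface "inside", monitored host 10.2.2.2 at site B,
! next hop 10.1.1.1 toward site B. Replace with your own values.

! ICMP echo probe toward the site B host, sent every 10 seconds
sla monitor 1
 type echo protocol ipIcmpEcho 10.2.2.2 interface inside
 num-packets 3
 frequency 10
! Start the probe now and keep it running
sla monitor schedule 1 life forever start-time now

! Tracked object 1 follows the reachability result of SLA operation 1
track 1 rtr 1 reachability

! The route to the site B host stays in the routing table only while track 1 is up;
! when the probe fails the route is withdrawn, but failover state is unaffected
route inside 10.2.2.2 255.255.255.255 10.1.1.1 1 track 1
```

Check the result with `show track 1` and `show sla monitor operational-state`; the route appears or disappears in `show route` as the track goes up or down.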
09-16-2010 01:18 PM
Thanks, but how can I force the ASA into a failed state if the tracked IP address is unreachable?
09-17-2010 01:00 AM
Hey,
Well, the way SLA monitoring on the ASA works, the purpose is to have a backup link in case the primary one fails, using a feature called "Static Route Tracking". This is given in the document that Federico posted. It will not help you with your requirement exactly.
How is the failover interface between the 2 ASAs connected? It is recommended for them to be connected either directly or using a switch in between. We need to basically ensure that the 2 ASAs never lose connectivity over the Failover interface. Please ensure that you do this. If you have this, you should not face the problem of both the ASAs going active.
Please do paste a diagram of how the failover interface is connected presently.
Hope this helps!!
Regards,
Prapanch
09-17-2010 05:26 AM
Well, actually there are three sites connected by 10GB fiber; the ASAs are in two different locations. I just wanted to know if there is a multi-site failover solution that allows the VPN on the ASA to have failover without splitting the pairs, and without configuring a secondary peer.
09-17-2010 08:27 AM
Well, if you have active/standby failover configured on the ASAs with stateful failover, VPN should fail over automatically whenever the devices fail over. That fits the requirement you have.
Details on what is copied from the active to the standby ASA with stateful failover are given below:
If the 2 ASAs are in different locations, then please ensure that we have a reliable connection between them on the "failover interface" and the "stateful failover link" as well, for failover to function properly.
Regards,
Prapanch