Track next hop

Unanswered Question
Dec 26th, 2006
User Badges:

I have 4503 switches with version 12.2(18)EW2.

I have remote sites connected via VPN going through a PIX firewall that users are also using for Internet access.

I want to move the remote site VPN's to route through a seperate link, but keep the PIX access point as a backup in case of failure of the new link.

I was thinking of trying to configure object tracking to do this along with dead peer detection on the remote PIX 501's.

The problem is the switches don't support object tracking.

I have a router set up as a VPN server in the same subnet as the switch.

Could I use the switch to point user traffic to the subnet and use the router as the object tracking device?

The router is the primary VPN connection, if it's Internet connection is down, point the users to the same subnet through a next hop of the PIX firewall?

I will also have to configure several tracking processes, is that possible too?

Thanks for any input

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
mchin345 Mon, 01/01/2007 - 18:05
User Badges:
  • Silver, 250 points or more

HSRP has a mechanism for tracking the interface line-protocol state. The enhanced object tracking feature separates the tracking mechanism from HSRP. It creates a separate, standalone tracking process that can be used by processes other than HSRP. This feature allows tracking of other objects in addition to the interface line-protocol state. A client process, such as HSRP, can register an interest in tracking objects and request notification when the tracked object changes state. Several clients can track the same object, and can take different actions when the object changes state. This feature increases the availability and speed of recovery of a router system and decreases outages and outage duration.

m-haddad Wed, 01/03/2007 - 09:07
User Badges:
  • Silver, 250 points or more


First object tracking is not support on PIX 501 because object tracking was introduced in PIX/ASA ver 7.0 IOS.

In order to allow the 501 to failover between the two VPN peers you can configure two VPN peers in the policy that is on the 501. So that the PIX will try the first peer and if it fails it will try the second peer.

Below you can find a sample config:

crypto map Test 7 ipsec-isakmp

crypto map Test 7 match address ssa

crypto map Test 7 set peer

crypto map Test 7 set peer

crypto map Test 7 set transform-set MY_Transformset

Please let me know if this solves your problem,

Appreciate your rating,


m-haddad Mon, 01/22/2007 - 15:31
User Badges:
  • Silver, 250 points or more

You're Welcome and thanks for the rate.

Let me know if you need anything further,


richmorrow624 Mon, 01/22/2007 - 16:11
User Badges:

Can you set a preference on the policies?

For example, I want the one policy to be the primary, then if the link is down, to use the other policy.

If the primary link comes back up, I want the 501 to go back to using the primary policy.

Is this possible?

m-haddad Mon, 01/22/2007 - 16:16
User Badges:
  • Silver, 250 points or more

Your PIX will failover to which ever peer it finds alive. Usually, the remote site should be using one ISP at a time and this should let you failover automatically on the PIX.

Let me know if you require further clarification,


richmorrow624 Tue, 01/23/2007 - 07:51
User Badges:

I see what you are saying, but here is the thing:

Both ISPs will normally be up.

The remote end is the PIX 501.

There are two ISP at the main site. The main tunnel is through a router (under normal operation)via Brighthouse.

The backup tunnel would be through a PIX 515E.

I want to configure object tracking on the router to route the traffic to the PIX 501 through the router. If the router cannot ping some ip address between the two sites, I want to route the traffic through the PIX 515E(which is always up also)via Sprint.

The PIX 501 at the remote site will see the secondary peer, but I am not sure if that is ok.

Is there any way to prioritize the policies in the PIX 501 to use the brighthouse policy rather than the Sprint policy, even though it can see both of them, then when only one (Sprint)is available, use it?

m-haddad Tue, 01/23/2007 - 09:08
User Badges:
  • Silver, 250 points or more


I got your point now. Since PIX does not support object tracking another way to consider is to keep the PIX have two peers however, you need to install a router infront of the PIX to perform the object tracking. Therefore, on the remote site you will need an additional Router which will track the other peers.

Question: On the main site how do you switch between the primary and secondary link? In other words, how would your Desktop PCs know which gateway (Pix or Router) to use?

Let me know if this is a feasible solution for you,


richmorrow624 Tue, 01/23/2007 - 10:37
User Badges:

At the main site all users and servers use 4503 switches as their gateway.

I cannot do the enhanced object tracking in the switches, so I have the switches point the users and servers to an 871 router, which is the same router I am using for the VPN endpoint of the remote tunnels.

If the users need to go to one of the remote tunnels, they go:

to 4503-->to 871--> to remote site.

If the users want to go to the internet, they go:

to 4503-->to PIX 515E-->to Internet

(this was the original tunnel endpoint, but I moved it because of the congested link).

I was thinking I could do the object tracking on the 871 and have all the remote VPN traffic go from the 4503 switches to the 871.

If the link that the connects the 871's outside interface to the remote site is down, the 871 could forward the traffic to the PIX515E interface to the alternate provider.

So the 871 inside interface is switching the remote tunnel traffic no matter which link is up.

If the 871 fails, I could have alternate routes in the 4503's point directly to the PIX515E interface, where they were originally.

m-haddad Tue, 01/23/2007 - 11:16
User Badges:
  • Silver, 250 points or more

As I can see you are doing manual intervention for shifting from one ISP to the other. Well, this can be accomplished by using dynamic routing and object tracking betwen the 871 and the 4503.

We still have the remote site which don't know how to trigger which ISP it should use when both ISPs at the main site are up.

The best solution would be:

Remote Site:

Install a router infront of the PIX and use object tracking

Main site:

Run Dynamic Routing between the 871 and 4503 and enable also object tracking on the 871 and this will make the failover automatic from one ISP to the other.

Hope this helps and let me know if you need anything further,



This Discussion