Community Member

ASA 5510 DUAL ISP PROBLEM

Hello,

I have configured dual ISP on my ASA firewall for redundancy. Everything is working fine. When my first link becomes unavailable, the ASA switches to the backup link, but when my primary link is online again the ASA never switches back to my primary link.

What do I have to do so that my ASA switches back to my primary link when it becomes active again?

Thanks.

7 REPLIES
Community Member

Re: ASA 5510 DUAL ISP PROBLEM

I have noticed that, although my primary link is up, for an unknown reason my ASA switches to my backup link.

Has anybody faced such a problem?

Thanks.

Community Member

Re: ASA 5510 DUAL ISP PROBLEM

Hi,

Can you post the config?

Community Member

Re: ASA 5510 DUAL ISP PROBLEM

route outside 0.0.0.0 0.0.0.0 1.1.1.1 1 track 1
route backup 0.0.0.0 0.0.0.0 2.2.2.2 254

sla monitor 123
 type echo protocol ipIcmpEcho isp_dns_ip interface outside
 num-packets 3
 frequency 120

sla monitor schedule 123 life forever start-time now
track 1 rtr 123 reachability

I have changed the target ping IP address to an IP address of a router which is very close to my firewall. Till now everything is working fine.

Cisco Employee

Re: ASA 5510 DUAL ISP PROBLEM

CSCtc16148
CSCsk65652

Check them both out. Neither of them is resolved yet.

Symptom:

Route Tracking may fail to fail back to the primary link/route when restored.

Conditions:

SLA monitor must be configured along with ip verify reverse path on the tracked interface.

Workaround:

1. Remove ip verify reverse path off of the tracked interface

or

2. Add a static route to the SLA target out the primary tracked interface.

Further Problem Description:

N/A

-KS
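
A config check for the condition and workarounds listed in the reply above, as an added example that is not part of the thread and not Cisco tooling: it flags an SLA echo probe whose interface also has ip verify reverse-path enabled and no static route to the probe target out that interface. The sample config is constructed from the one posted earlier, with 192.0.2.53 as a placeholder for isp_dns_ip; the function name `audit` and the requirement that the pinning route be untracked are assumptions.

```python
import ipaddress
import re

# Constructed sample modelled on the config posted in this thread.
# 192.0.2.53 is a placeholder for the SLA target (isp_dns_ip in the post).
SAMPLE = """\
route outside 0.0.0.0 0.0.0.0 1.1.1.1 1 track 1
route backup 0.0.0.0 0.0.0.0 2.2.2.2 254
ip verify reverse-path interface outside
sla monitor 123
 type echo protocol ipIcmpEcho 192.0.2.53 interface outside
 num-packets 3
 frequency 120
sla monitor schedule 123 life forever start-time now
track 1 rtr 123 reachability
"""

PROBE = re.compile(r"\s*type echo protocol ipIcmpEcho (\S+) interface (\S+)")


def audit(config):
    """Return a finding for each SLA probe matching the failback-bug conditions."""
    probes, urpf, routes = [], set(), []
    for line in config.splitlines():
        tok = line.split()
        if m := PROBE.match(line):
            # Assumes the probe target is a literal IP, not a name object.
            probes.append((ipaddress.ip_address(m[1]), m[2]))
        elif tok[:4] == ["ip", "verify", "reverse-path", "interface"] and len(tok) > 4:
            urpf.add(tok[4])
        elif tok[:1] == ["route"] and len(tok) >= 5:
            net = ipaddress.ip_network(f"{tok[2]}/{tok[3]}", strict=False)
            routes.append((tok[1], net, "track" in tok))
    findings = []
    for target, ifname in probes:
        if ifname not in urpf:
            continue  # workaround 1: no reverse-path check on the tracked interface
        # Workaround 2: a static route to the target out the same interface.
        # Assumption: it must be untracked and more specific than the default.
        pinned = any(rif == ifname and not tracked and net.prefixlen > 0
                     and target in net for rif, net, tracked in routes)
        if not pinned:
            findings.append(f"{ifname}: SLA target {target} is probed with "
                            "reverse-path enabled and no static route to it")
    return findings


if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)) or "no findings")
```

Workaround 2 clears the finding while leaving the reverse-path check on the interface in place.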

Community Member

Re: ASA 5510 DUAL ISP PROBLEM

It seems that I have the same problem that you describe.

I switch successfully to the backup link, but when the primary link is online again the ASA never switches back to the primary link.

I will remove ip verify reverse-path and see what happens....

Community Member

Re: ASA 5510 DUAL ISP PROBLEM

The no ip verify reverse-path on my tracked interface did the trick. Everything is working perfectly now.

Thanks for your help.

Cisco Employee

Re: ASA 5510 DUAL ISP PROBLEM

Glad to hear. Thanks for rating.

-KS
