
ASA issue with multihomed ISPs


Outbound load balancing works fine via eBGP and Provider Independent IPs. All good.

But my plan to load balance inbound traffic is not working out. I was relying on the outside interface of the Standby ASA to go down when the firewall was in standby mode. This would prevent the directly connected WAN switch from injecting the ASA subnet into OSPF, but the interface stays up/up.

Even without standby IPs on the outside interface, it stays up/up on the standby ASA. This means both my WAN switches are advertising the same IP range to each WAN router, but only one firewall is ever going to pass the traffic.

Thought about OSPF filtering to make it work, but that seems like a dead end too.

Maybe I could scrap OSPF and use IP SLA to ping a unique IP on the active ASA, such as the failover link. If the ping fails, then remove the best static route to the active ASA and fall back to a second static route to the other ASA.

Any ideas/pointers?

PS NAT is done on the firewalls, so I've currently split the /24 PI IPs in half. Half for the outside infrastructure and half for the NATing on the ASA outside interface.

PPS There are two WAN routers, two WAN switches and obviously the two firewalls.


ASA issue with multihomed ISPs

I've added a strap between WAN switches and flattened out the connectivity with the ASAs, plus running HSRP to provide a single next hop for the ASA default route.

Not perfect traffic flow now, if the Active ASA fails, but at least it load balances.

ASA issue with multihomed ISPs


You are right, the only way to make this work will be using SLA monitoring so you can monitor via ICMP messages the ISP state.


Do rate all helpful posts!!

Julio Carvajal
Senior Network Security and Core Specialist
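The IP SLA approach the original poster floats and Julio confirms, shown as an added example of what the tracked-static-route configuration on one WAN switch might look like. This is not configuration from any of the posters; all addresses (203.0.113.0/24 as the PI block, 203.0.113.1 as the active ASA outside IP, 203.0.113.128/25 as the NAT half, 10.0.0.2 as the strap peer) and interface names are constructed placeholders. It assumes each WAN switch probes the active ASA only through its own directly attached interface, so that the switch whose ASA is in standby loses the route and the floating static via the strap takes over.

```cisco
! Probe the active ASA outside IP from the interface that faces this switch's ASA.
! The active IP follows the active unit, so the probe on the switch attached to the
! standby unit fails as long as the probe cannot leak across the strap.
ip sla 10
 icmp-echo 203.0.113.1 source-interface GigabitEthernet1/0/1
 frequency 5
 timeout 2000
ip sla schedule 10 life forever start-time now

! Track reachability; dampen flaps so OSPF does not churn on a single lost ping.
track 10 ip sla 10 reachability
 delay down 10 up 30

! Preferred route to the NAT half of the PI block, only installed while the probe succeeds.
ip route 203.0.113.128 255.255.255.128 203.0.113.1 track 10

! Floating static via the strap to the peer WAN switch, used when the tracked route is withdrawn.
ip route 203.0.113.128 255.255.255.128 10.0.0.2 250

! Advertise only the NAT half into OSPF, and only while the tracked static is in the table.
ip prefix-list NAT-HALF seq 10 permit 203.0.113.128/25
route-map STATIC-TO-OSPF permit 10
 match ip address prefix-list NAT-HALF
router ospf 1
 redistribute static subnets route-map STATIC-TO-OSPF
```

Verify with `show track 10` and `show ip route 203.0.113.128` on each switch: the switch attached to the active ASA should show the tracked route, the other the floating static pointing at the strap. The connected /25 for the outside infrastructure is still seen from both switches; only the NAT half is steered by the probe, which is the half inbound traffic actually needs to reach.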