
New Member

ASA5510 sla monitor does not fail back

I've been down this path before and never got a resolution to this issue.

ASA5510 Security Plus

Primary ISP conn is Comcast cable

Secondary ISP conn is fract T1

I duplicated the SLA code from http://www.cisco.com/en/US/partner/products/hw/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtml

When I pull the conn from primary ISP the default route to the secondary comes up

When I reconnect the primary the default route to the secondary does not go away.

I must either reload the ASA or remove/readd the two default outside routes.

Anyone have this same experience and could lend a hand?

Are there any commands I might have in my config that break SLA?

If so I would have hoped either the Configuration Guide or Command Reference for 8.2 would say so, but I don't see any mentioned.

I'm working remotely with my customer so I can't play with this except on off-hours.

ASA running 8.2(2) so as to use AnyConnect Essentials.

Thx,

Phil

15 REPLIES

Re: ASA5510 sla monitor does not fail back

A sanitized configuration file plus a topology (in case of an ASA failover set) will help a little bit in resolving the problem.

Thanks

Manish

Cisco Employee

Re: ASA5510 sla monitor does not fail back

Please read and try the workaround.

CSCtc16148    SLA monitor fails to fail back when ip verify reverse is applied

Symptom:

Route Tracking may fail to fail back to the primary link/route when restored.

Conditions:

SLA monitor must be configured along with ip verify reverse path on the tracked interface.

Workaround:

1. Remove ip verify reverse path from the tracked interface

or

2. Add a static route to the SLA target out the primary tracked interface.



-KS

New Member

Re: ASA5510 sla monitor does not fail back

Not my complete sanitized config, but maybe enough to help.

int e0/0
 ip add 10.1.1.1 255.255.255.0
 nameif LAN1
 security-level 100
int e0/1
 ip add 10.1.2.1 255.255.255.0
 nameif LAN2
 security-level 100
int e0/2
 desc Primary ISP
 ip add 1.1.1.2 255.255.255.252
 nameif P-ISP
 security-level 0
int e0/3
 desc Secondary/backup ISP
 ip add 2.2.2.2 255.255.255.252
 nameif S-ISP
 security-level 0

same-security-traffic permit inter-interface

! RPF is enabled on every interface, including the tracked primary (P-ISP)
ip verify reverse-path interface LAN1
ip verify reverse-path interface LAN2
ip verify reverse-path interface P-ISP
ip verify reverse-path interface S-ISP

no failover

nat-control
global (P-ISP) 1 interface
nat (LAN1) 1 10.1.1.0 255.255.255.0
nat (LAN2) 1 10.1.2.0 255.255.255.0
global (PriISP) 1 interface
static (LAN1,LAN2) 10.1.1.0 10.1.1.0 netmask 255.255.255.0
static (LAN2,LAN1) 10.1.2.0 10.1.2.0 netmask 255.255.255.0

! tracked default route out the primary, floating default out the backup
route P-ISP 0.0.0.0 0.0.0.0 1.1.1.1 1 track 1
route S-ISP 0.0.0.0 0.0.0.0 2.2.2.1 254

sla monitor 123
 type echo protocol ipIcmpEcho 64.202.128.1 interface outside
  num-packets 3
  frequency 30
sla monitor schedule 123 life forever start-time now
track 1 rtr 123 reachability


The backup ISP is used mainly for site-to-site VPNs - there are static routes pointing out the backup interface for this and it works fine.

From what I see in the bug, I can't have a config like this and have SLA work.
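The bug condition KS describes (ip verify reverse-path on the tracked interface with no static route to the SLA target out that interface) can be checked mechanically against a config like the one above. The script below is an added example, not code from this thread or from Cisco: it parses the relevant lines of an ASA configuration, reports each tracked route that meets the CSCtc16148 condition, and prints the host route that workaround 2 would add. The embedded config is a constructed, sanitized variant of Phil's fragment with the SLA probe bound to P-ISP, and the `audit` and `suggested_route` helpers are names chosen here, not ASA commands.

```python
import re
from dataclasses import dataclass

# Constructed sample config (not the thread's verbatim text): the tracked
# default route goes out P-ISP, which also has RPF enabled, and there is no
# explicit route to the SLA target 64.202.128.1 -> the CSCtc16148 condition.
SAMPLE_CONFIG = """
interface Ethernet0/2
 nameif P-ISP
 ip address 1.1.1.2 255.255.255.252
interface Ethernet0/3
 nameif S-ISP
 ip address 2.2.2.2 255.255.255.252
ip verify reverse-path interface P-ISP
ip verify reverse-path interface S-ISP
route P-ISP 0.0.0.0 0.0.0.0 1.1.1.1 1 track 1
route S-ISP 0.0.0.0 0.0.0.0 2.2.2.1 254
sla monitor 123
 type echo protocol ipIcmpEcho 64.202.128.1 interface P-ISP
  num-packets 3
  frequency 30
sla monitor schedule 123 life forever start-time now
track 1 rtr 123 reachability
"""


@dataclass
class Finding:
    track_id: int
    sla_id: int
    interface: str        # interface of the tracked route
    gateway: str          # next hop of the tracked route
    target: str           # SLA echo target
    sla_interface: str    # interface named in the sla monitor
    rpf_enabled: bool
    has_target_route: bool

    @property
    def at_risk(self) -> bool:
        # CSCtc16148: RPF on the tracked interface and no explicit route
        # to the probe target out that interface.
        return self.rpf_enabled and not self.has_target_route

    @property
    def interface_mismatch(self) -> bool:
        # The probe should leave through the interface whose route is tracked.
        return self.sla_interface != self.interface


def parse_config(text: str):
    """Extract sla monitors, track objects, static routes and RPF interfaces."""
    sla, tracks, routes, rpf = {}, {}, [], set()
    current_sla = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if m := re.fullmatch(r"sla monitor (\d+)", line):
            current_sla = int(m.group(1))
        elif (m := re.match(r"type echo protocol ipIcmpEcho (\S+) interface (\S+)", line)) \
                and current_sla is not None:
            sla[current_sla] = (m.group(1), m.group(2))
        elif m := re.fullmatch(r"track (\d+) rtr (\d+) reachability", line):
            tracks[int(m.group(1))] = int(m.group(2))
        elif m := re.fullmatch(r"ip verify reverse-path interface (\S+)", line):
            rpf.add(m.group(1))
        elif m := re.fullmatch(r"route (\S+) (\S+) (\S+) (\S+)(?: (\d+))?(?: track (\d+))?", line):
            iface, dest, mask, gw, metric, track = m.groups()
            routes.append({"iface": iface, "dest": dest, "mask": mask, "gw": gw,
                           "metric": int(metric or 1),
                           "track": int(track) if track else None})
    return sla, tracks, routes, rpf


def audit(text: str) -> list[Finding]:
    """One Finding per tracked static route whose track maps to an SLA echo probe."""
    sla, tracks, routes, rpf = parse_config(text)
    findings = []
    for r in routes:
        if r["track"] is None or r["track"] not in tracks:
            continue
        sla_id = tracks[r["track"]]
        if sla_id not in sla:
            continue
        target, sla_iface = sla[sla_id]
        # Workaround 2 satisfied if an untracked /32 to the target exits the same interface.
        has_target_route = any(
            x["iface"] == r["iface"] and x["dest"] == target
            and x["mask"] == "255.255.255.255" and x["track"] is None
            for x in routes)
        findings.append(Finding(r["track"], sla_id, r["iface"], r["gw"], target,
                                sla_iface, r["iface"] in rpf, has_target_route))
    return findings


def suggested_route(f: Finding) -> str:
    """Workaround 2 from the bug: a host route to the probe target out the tracked interface."""
    return f"route {f.interface} {f.target} 255.255.255.255 {f.gateway} 1"


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print(f"track {f.track_id} via {f.interface}: {'AT RISK' if f.at_risk else 'ok'}")
        if f.at_risk:
            print("  add:", suggested_route(f), "| or remove ip verify reverse-path on", f.interface)
        if f.interface_mismatch:
            print(f"  note: sla monitor {f.sla_id} probes via {f.sla_interface}, route is on {f.interface}")
```

Run it against a full `show running-config` dump to get the same report for every tracked route; the `interface_mismatch` flag also catches the case where the sla monitor names an interface (such as `outside`) that is not the one the tracked route uses, which stops the probe from reflecting the primary link's state.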

Cisco Employee

Re: ASA5510 sla monitor does not fail back

Yes. That is correct. Or run a code where this is fixed. 8.2.2(7) has the fix.

-KS

New Member

Re: ASA5510 sla monitor does not fail back

How do I get the ASA IOS with the bug fix?

Cisco Employee

Re: ASA5510 sla monitor does not fail back

ASA code:  http://tools.cisco.com/squish/10C815

ASDM image: http://tools.cisco.com/squish/a5338C

You should see 8.2.3 code. Upgrade to that. (NOT to be mixed up with 8.3.2)

-KS

New Member

Re: ASA5510 sla monitor does not fail back

My bad - I was looking specifically for 8.2.2(7) and did not check the release notes for 8.2.3.

I'll download it and verify with my customer.

Thanks for the help - Cisco TAC is still #1

Phil

Cisco Employee

Re: ASA5510 sla monitor does not fail back

Cisco TAC Rocks !!

Good luck.  Rate the posts that helped.

-KS

New Member

ASA5510 sla monitor does not fail back

Hello.

I have the same problem on ASA5510 as was described by Phil Williamson in the first post.

  When I pull the conn from primary ISP the default route to the secondary comes up.

  When I reconnect the primary the default route to the secondary does not go away.

Also, if I restart the ASA, the backup ISP is used instead of the primary ISP even when the primary ISP is available.

Software details:

Cisco Adaptive Security Appliance Software Version 7.2(5)2

Device Manager Version 5.2(5)

Compiled on Wed 19-Jan-11 19:13 by builders

System image file is "disk0:/asa725-2-k8.bin"

Config file at boot was "startup-config"

What should I do? Thanks in advance.
