I agree with Rolf that the root of this problem is having both ASA connections in what looks like the same subnet to the 3850. The result of this is that even when ASA1 is disconnected the subnet still appears to be reachable and the static route remains in the routing table. A good solution would be to make the ASA connections into separate subnets.

The suggestions about tracking is also a good one, though it is a bit more complex than just changing subnets. I recently implemented a project where we did object tracking to control a static route on 3850 and it worked quite well. So this is a very viable solution.

HTH

Rick

I am not familiar object tracking. Is it the same as PBR? If so, then PBR is not working on the 3850 due to a bug.

No, PBR is a different thing.

The idea is to configure ip sla to check reachability of the next-hop(s), e.g. ASA1.

The ip sla status can be tracked and with that tracking object you can deploy conditional routes.

Link: Reliable Static Routing Backup Using Object Tracking

What about Rick's suggestion to use different subnets or enable a routing protocol?

Regards

Rolf

Please pardon my ignorance since I am a systems guy working on a network project so I am learning as we speak.

I followed Richards suggestion of changing subnets. So before both ASAs had the inside port set to 192.168.1.x.

I have changed the subnets to reflect as follows:

ASA1: 192.168.100.3

ASA2:192.168.101.1

I then proceeded to create 2 vlans on the 3850:

Vlan 100: 192.168.100.2/24 ===== connected to ASA1 via gi1/0/3 as shown below

Vlan 101:192.168.101.2/24======connected to ASA2 via gi1/0/1 as shown blelow

Switch#show vlan

100 To__ASA1                       active   Gi1/0/3

101 To_ASA2                       active   Gi1/0/1

102 Desktop                         active   Gi1/0/13, Gi1/0/15, Gi1/0/17

                                                Gi1/0/19, Gi1/0/21, Gi1/0/23

103 Servers                         active   Gi1/0/2, Gi1/0/4, Gi1/0/6

                                               Gi1/0/8, Gi1/0/10, Gi1/0/12

Switch#show ip int br | ex un

Interface             IP-Address     OK? Method Status               Protocol

Vlan100               192.168.100.2   YES manual up                   up

Vlan101                192.168.101.2   YES manual up                   up

Vlan102               192.168.102.1   YES NVRAM up                   up

Vlan103               192.168.103.1   YES NVRAM up                   up

Ip route from switch:

ip route 0.0.0.0 0.0.0.0 192.168.100.3

ip route 0.0.0.0 0.0.0.0 192.168.101.1 10

Switch#ping 192.168.103.53 (laptop)

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.103.53, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms

Switch#ping 192.168.100.2 (vlan ip)

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.100.2, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

Switch#ping 192.168.101.2 (vlan ip)

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.101.2, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

Switch#ping 192.168.101.1 (ASA2 interface)

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.101.1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms

Switch#ping 192.168.100.3 (ASA1 interface)

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.100.3, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms

Switch#

Before I was able to use a laptop which was plugged into vlan 103 with static ip of 192.168.103.53/24 gateway of 192.168.103.1, I had internet access now I don’t have internet access.

Any suggestions?

I am guessing you may be missing a route on the ASA since you changed the IP address of the internal network. Chances are the route to get to 192.168.103.0/24 was pointing to 192.168.1.1 or 1.3 depending on the firewall but those no longer exist so it would need to point to 192.168.100.3 and 192.168.101.1 depending on the firewall. Post a show run route from your firewall.

@KWillacey,

You were right, i had to change the inside route on the firewall to reflect the correct subnet and now i have access to the internet again.

Do you have any other ports in the VLAN that ASA1's internal interface is connected to? Chances are the VLAN interface is still up so the route will not come out of the table. If that's the case then using routed ports on the 3850 may be better option. When you disconnect ASA1 what is the default route on the switch when you issue a show ip route?

With ASA1 unplugged when i run show ip route i get:

S*    0.0.0.0/0 [1/0] via 192.168.100.3

With ASA1 plugged in when i run show ip route i get:

S*    0.0.0.0/0 [1/0] via 192.168.100.3

samething....

When i run show ip route i only get that one route, but when i run show running-config i get

ip route 0.0.0.0 0.0.0.0 192.168.100.3

ip route 0.0.0.0 0.0.0.0 192.168.101.1 10

by the way, i am disconnecting ASA1 by unplugging the outside port on it.....

What VLAN is ASA1 using? Do a show vlan on the switch to see if there are any other ports in that VLAN.

Can you check if the primary route remains or disappears from the routing table when you unplug ASA1?

Gi1/0/3 shoud change to down, SVI VLAN 100 as well as it seems to the the only active interface in VLAN100.

This is a requirement for the floating static route to become the best route.

Fischer is right, forget my queries, static route tracking will allow you to have automatic failover, so that's the way to go.