New Member

Multiple static routes to gateway

I have 2 ISP connections.

ATT1 connected to ASA5510 via 192.168.1.1

ATT2 connected to another ASA5510 via 192.168.1.3

I have a 3850 connected to both ASA.

ATT===========ASA1(192.168.1.1)=======3850(same switch as below)

ATT2==========ASA2(192.168.1.3) =======3850(same switch as above)

I have 2 default gateways

    

ip route 0.0.0.0 0.0.0.0 192.168.1.1

ip route 0.0.0.0 0.0.0.0 192.168.1.3 210

But when I unplug ASA 1 I am unable to default to route 1 and vice versa. Not able to go out to the net.

What am i doing wrong?

Re: Multiple static routes to gateway

Hi,

I assume that 192.168.1.1 and 192.168.1.3 are in the same subnet?

If you unplug ASA 1, there will still be a routing entry for 192.168.1.1 as part of the 192.168.1.x network (you can check that with show ip route 192.168.1.1 after unplugging ASA 1).

So, the floating static route to 192.168.1.3 will not become active.

Are you familiar with object tracking?

Another solution could be to enable a routing protocol on your ASAs and the c3850 and inject the default routes on the ASAs with different metrics.

Regards

Rolf

Hall of Fame Super Silver

Multiple static routes to gateway

I agree with Rolf that the root of this problem is having both ASA connections in what looks like the same subnet to the 3850. The result of this is that even when ASA1 is disconnected the subnet still appears to be reachable and the static route remains in the routing table. A good solution would be to make the ASA connections into separate subnets.

The suggestion about tracking is also a good one, though it is a bit more complex than just changing subnets. I recently implemented a project where we did object tracking to control a static route on a 3850 and it worked quite well. So this is a very viable solution.

HTH

Rick

New Member

Re: Multiple static routes to gateway

I am not familiar with object tracking. Is it the same as PBR? If so, then PBR is not working on the 3850 due to a bug.

Multiple static routes to gateway

No, PBR is a different thing.

The idea is to configure ip sla to check reachability of the next-hop(s), e.g. ASA1.

The ip sla status can be tracked and with that tracking object you can deploy conditional routes.

Link: Reliable Static Routing Backup Using Object Tracking

What about Rick's suggestion to use different subnets or enable a routing protocol?

Regards

Rolf

New Member

Re: Multiple static routes to gateway

Please pardon my ignorance, since I am a systems guy working on a network project, so I am learning as we speak.

I followed Richard's suggestion of changing subnets. So before, both ASAs had the inside port set to 192.168.1.x.

I have changed the subnets to reflect as follows:

ASA1: 192.168.100.3

ASA2:192.168.101.1

I then proceeded to create 2 vlans on the 3850:

Vlan 100: 192.168.100.2/24 ===== connected to ASA1 via gi1/0/3 as shown below

Vlan 101: 192.168.101.2/24 ===== connected to ASA2 via gi1/0/1 as shown below

Switch#show vlan

100 To__ASA1                       active   Gi1/0/3

101 To_ASA2                       active   Gi1/0/1

102 Desktop                         active   Gi1/0/13, Gi1/0/15, Gi1/0/17

                                                Gi1/0/19, Gi1/0/21, Gi1/0/23

103 Servers                         active   Gi1/0/2, Gi1/0/4, Gi1/0/6

                                               Gi1/0/8, Gi1/0/10, Gi1/0/12

Switch#show ip int br | ex un

Interface             IP-Address     OK? Method Status               Protocol

Vlan100               192.168.100.2   YES manual up                   up

Vlan101                192.168.101.2   YES manual up                   up

Vlan102               192.168.102.1   YES NVRAM up                   up

Vlan103               192.168.103.1   YES NVRAM up                   up

Ip route from switch:

ip route 0.0.0.0 0.0.0.0 192.168.100.3

ip route 0.0.0.0 0.0.0.0 192.168.101.1 10

Switch#ping 192.168.103.53 (laptop)

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.103.53, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms

Switch#ping 192.168.100.2 (vlan ip)

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.100.2, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

Switch#ping 192.168.101.2 (vlan ip)

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.101.2, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

Switch#ping 192.168.101.1 (ASA2 interface)

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.101.1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms

Switch#ping 192.168.100.3 (ASA1 interface)

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.100.3, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms

Switch#

Before, I was able to use a laptop plugged into VLAN 103 with a static IP of 192.168.103.53/24 and a gateway of 192.168.103.1, and I had internet access; now I don't have internet access.

Any suggestions?

Re: Multiple static routes to gateway

I am guessing you may be missing a route on the ASA since you changed the IP address of the internal network. Chances are the route to get to 192.168.103.0/24 was pointing to 192.168.1.1 or 1.3 depending on the firewall but those no longer exist so it would need to point to 192.168.100.3 and 192.168.101.1 depending on the firewall. Post a show run route from your firewall.

New Member

Re: Multiple static routes to gateway

@KWillacey,

You were right, I had to change the inside route on the firewall to reflect the correct subnet and now I have access to the internet again.

New Member

Re: Multiple static routes to gateway

@ fisher

I am still not able to route to the secondary route when I unplug ASA1.

FW routes are as shown:

ASA1  route Inside 192.168.0.0 255.255.0.0 192.168.100.2 1

ASA2: route Inside 192.168.0.0 255.255.0.0 192.168.101.2 1

As I stated in my previous post, I have access to the internet now. By unplugging the ASA, the 3850 won't fail over to the secondary route.

Re: Multiple static routes to gateway

Do you have any other ports in the VLAN that ASA1's internal interface is connected to? Chances are the VLAN interface is still up so the route will not come out of the table. If that's the case then using routed ports on the 3850 may be better option. When you disconnect ASA1 what is the default route on the switch when you issue a show ip route?

New Member

Re: Multiple static routes to gateway

With ASA1 unplugged, when I run show ip route I get:

S*    0.0.0.0/0 [1/0] via 192.168.100.3

With ASA1 plugged in, when I run show ip route I get:

S*    0.0.0.0/0 [1/0] via 192.168.100.3

Same thing....

When I run show ip route I only get that one route, but when I run show running-config I get

ip route 0.0.0.0 0.0.0.0 192.168.100.3

ip route 0.0.0.0 0.0.0.0 192.168.101.1 10

By the way, I am disconnecting ASA1 by unplugging the outside port on it.....

Re: Multiple static routes to gateway

What VLAN is ASA1 using? Do a show vlan on the switch to see if there are any other ports in that VLAN.

Multiple static routes to gateway

Can you check if the primary route remains or disappears from the routing table when you unplug ASA1?

Gi1/0/3 should change to down, and SVI VLAN 100 as well, as it seems to be the only active interface in VLAN 100.

This is a requirement for the floating static route to become the best route.

Multiple static routes to gateway

By the way, I am disconnecting ASA1 by unplugging the outside port on it.....

Ok, if you want to achieve that kind of failover with static routing, object tracking is your friend.

Multiple static routes to gateway

Fischer is right, forget my queries, static route tracking will allow you to have automatic failover, so that's the way to go.

New Member

Re: Multiple static routes to gateway

You are both right....... I just unplugged ASA1 from the inside port and it failed over to the secondary route......

Please pardon my ignorance, so I guess I was looking for object tracking.....

Any help in that area would be appreciated......

Re: Multiple static routes to gateway

The commands may vary slightly but the building blocks are:

ip sla monitor 1
 type echo protocol ipIcmpEcho A.B.C.D source-interface vlan 100
!
ip sla monitor schedule 1 life forever start-time now
!
track 100 rtr 1 reachability
!
ip route 0.0.0.0 0.0.0.0 192.168.100.3 track 100
ip route 0.0.0.0 0.0.0.0 192.168.101.1 10

A.B.C.D has to be an IP address which is only reachable through ASA1.

Once it's working, we can do some fine-tuning with timeouts etc.

New Member

Multiple static routes to gateway

has to be an IP address which is only reachable through ASA1.

Will it be the IP of the ASA or any other IP in that range? Also, the commands for the 3850 to set up SLA are completely different. A bit confusing.......

Re: Multiple static routes to gateway

It should be an IP which gives you a good indication if the primary path is working or not. But it shouldn't be reachable across the secondary path.

The ip sla commands keep changing and changing across the years; unfortunately I haven't had the chance to implement it on a c3850 so far.

Hall of Fame Super Silver

Multiple static routes to gateway

I believe that the issue here is that the VLAN interface on the switch will remain in the up state even when the port connecting to the ASA is disconnected. This will cause the primary default route to remain in the routing table. My suggestion of how to fix it is to change the configuration on the interfaces on the switch which connect to the ASAs. Instead of having them as layer 2 switch ports in a VLAN I suggest that you make each of them a routed layer 3 interface and eliminate VLANs 100 and 101. Put the IP address onto the layer 3 routed switch port. Then when the interface is disconnected the interface will go down and the static route should be removed from the routing table and the switch should begin to use the backup/floating route.

HTH

Rick

Re: Multiple static routes to gateway

Rick,

he disconnected the outside FW-interface, so he's looking for a more sophisticated failover mechanism.

Best regards

Rolf

Re: Multiple static routes to gateway

That was my suggestion earlier as well Rick , didn't realize he was disconnecting the outside interface, default route tracking is definitely the way to go.

New Member

Re: Multiple static routes to gateway

For a 3850 the commands are a bit different for ip sla.

ip sla 1
 icmp-echo 8.8.8.8 source-ip 192.168.100.3   (later corrected to 192.168.100.2, see below)
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability
ip route 0.0.0.0 0.0.0.0 192.168.100.3 track 1
ip route 0.0.0.0 0.0.0.0 192.168.101.1 10
ip route 8.8.8.8 255.255.255.255 192.168.100.3 permanent

All this applied successfully, but when I simulate an outage on the ASA, the 3850 won't resort to the default route.   (working now)

When i type show ip sla summary:

Switch# show ip sla summary

IPSLAs Latest Operation Summary

ID          Type       Destination       Stats   Return      Last
                                          (ms)    Code        Run
----------- ---------- ---------------  ------ ---------- -----------------
^1          icmp-echo  8.8.8.8          -        Unknown    3 days, 15 hours,
                                                            25 minutes, 0 seconds ago

Switch#show track

Track 1

  IP SLA 1 reachability

  Reachability is Down

    1 change, last change 18:02:57

  Latest operation return code: Unknown

  Tracked by:

    STATIC-IP-ROUTING Track-list 0

any suggestions?

Multiple static routes to gateway

Can you ping 8.8.8.8 from the switch when sourcing it from 192.168.100.3? I am guessing you can't. Do a ping to 8.8.8.8 and source it from an address that has access to the Internet. Chances are you need to enable that internal subnet on the ASA to have access to the Internet or you may need to allow echo-reply on the firewall.
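The firewall side of the point made above, as an added example that is not the poster's or KWillacey's ASA configuration: instead of opening an inbound ACL on the outside interface for echo-reply from anywhere, let the ASA track the switch's ICMP probe statefully, so only replies to echoes it has seen go back in. The names inspection_default and global_policy are the ASA defaults; that they are unchanged on these two ASAs, and that ASA1 is the one shown, are assumptions.

```cisco
! ASA1 (mirror on ASA2 with 192.168.101.2 as the next hop).
! Stateful ICMP inspection: the echo-reply for the 3850's probe is allowed
! back only because a matching echo left through this ASA. No permanent
! "permit icmp any any echo-reply" hole on the outside interface is needed.
policy-map global_policy
 class inspection_default
  inspect icmp
!
! Return route for the switch's subnets via the switch's address on this link.
! This is the route the poster had to fix after renumbering away from 192.168.1.x.
route inside 192.168.0.0 255.255.0.0 192.168.100.2 1
```

Check with "show service-policy inspect icmp" that the counters increase while the SLA probe is running; if they stay at zero, the probe is not reaching this ASA at all (wrong source address or route on the switch), which is a different problem from a blocked reply.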

New Member

Multiple static routes to gateway

I can ping 8.8.8.8 from the switch  as shown below

Switch#ping 8.8.8.8

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 20/24/30 ms

and also from both ASAs.

Multiple static routes to gateway

When you do a ping 8.8.8.8 source 192.168.100.3 does that work? If the ping is successful then the 'Latest Operation Code' should say 'OK' if not then it should say 'Timeout'. The 'Unknown' has me a bit concerned, I will have to check what that means. I have not been able to work with a 3850 yet.

New Member

Multiple static routes to gateway

Got it to work!

Had to change the icmp-echo 8.8.8.8 source-ip 192.168.100.3 to 192.168.100.2 (interface of 3850.)

Thank you all for your assistance. Now I have 2 types of failover redundancy. One internal: if the inside interface of the ASA goes down it will switch to the secondary ASA, and the other for external, using ip sla.

Appreciate everyone’s assistance.
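Putting the thread's pieces together, as an added example that is not the poster's or Cisco's own configuration: the complete IOS-XE side on the 3850 with both failover mechanisms the poster describes, using the addresses from the thread. Rick's routed-port layout (instead of SVIs in VLANs 100/101), the probe timers, and the track delays are assumptions added here and are marked as such in the comments.

```cisco
! 3850 uplinks to the ASAs as routed ports (Rick's suggestion, assumed here).
! Mechanism 1: when the inside link to ASA1 drops, the connected /24 and the
! primary default route leave the table immediately, with no other port able
! to keep an SVI up.
interface GigabitEthernet1/0/3
 description To_ASA1 (inside 192.168.100.3)
 no switchport
 ip address 192.168.100.2 255.255.255.0
!
interface GigabitEthernet1/0/1
 description To_ASA2 (inside 192.168.101.1)
 no switchport
 ip address 192.168.101.2 255.255.255.0
!
! Mechanism 2: probe the Internet through ASA1. The source must be the switch's
! own address on that link (192.168.100.2), not the ASA's address, which is
! what made the track stay Down / "Unknown" in the thread.
! Timers are assumptions: probe every 10 s, count a miss after 2 s.
ip sla 1
 icmp-echo 8.8.8.8 source-ip 192.168.100.2
 frequency 10
 timeout 2000
 threshold 1000
ip sla schedule 1 life forever start-time now
!
! Track object follows the probe. The delays (assumed) damp flapping:
! 15 s of failed probes before going Down, 30 s of good ones before Up.
track 1 ip sla 1 reachability
 delay down 15 up 30
!
! Primary default via ASA1 is installed only while track 1 is Up;
! the floating static via ASA2 (AD 10) is used otherwise.
ip route 0.0.0.0 0.0.0.0 192.168.100.3 track 1
ip route 0.0.0.0 0.0.0.0 192.168.101.1 10
!
! Pin the probe target behind ASA1 so the echo can never be answered via ASA2
! (which would keep track 1 Up while ATT1 is actually down). "permanent"
! keeps this host route in the table even when Gi1/0/3 is down: the probe
! must fail, not quietly reroute.
ip route 8.8.8.8 255.255.255.255 192.168.100.3 permanent
```

To verify, "show track 1" should read "Reachability is Up" with a return code of OK, "show ip sla statistics 1" should show successes climbing, and "show ip route 0.0.0.0" should flip from 192.168.100.3 to 192.168.101.1 within the configured down delay after ATT1 is unplugged. One caveat practitioners hit with this design: the pinned host route means that while ATT1 is down, all LAN traffic to 8.8.8.8 is black-holed, so pick a probe target that users do not depend on (or that the ISP owns on the ATT1 side), rather than a public resolver the desktops may be using.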

Multiple static routes to gateway

Oh right, did not realize that IP was not on the 3850, even though it was staring me right in the face with the default route. Good to know it is working now.

Re: Multiple static routes to gateway

Thanks for the feedback!

In the meantime I took a look in the c3850 command reference and saw that the IP SLA configuration has slightly changed (once more...).

But I was more concerned about the tracking config, it seems to be different in XE as well and I couldn't find the options I was looking for (tracking an IP SLA object). Could you please post that part of the config, this would be very interesting for me since we don't use that platform yet.

... already done;-)

Thanks!

Best regards

Rolf
