Dual ISP on ASA 5505 Base license, ver 8.4(4)

Dear All,

I have configured and then tested an ASA 5505 with Base License and ver 8.4(2) in a lab environment, and all seems to work well.

So in the lab, when I stop the communication with the tracked object, the SLA Monitor configured in the ASA changes from the primary link connected to ISP1 to the secondary link, ISP2. Finally, when I restart the communication with the tracked object, the active ISP is changed back to ISP1.

After the lab I went live with the same configuration and the same Base license, but with a different IOS, 8.4(4), and I got a different behavior. I cannot reach the interface but I can reach , so I connect on the serial link using an OOB modem. I check the routing table, and I see that the default route for ISP1 is not present in the table even though it is in the config; there is a default route in the table, but for ISP2.

It seems that the SLA monitor has changed the on ISP2 even if the tracked object is reachable; in fact, if I add the default route for ISP1 again, then I can ping the

Why does the SLA Monitor work in this way?

The ASA 5505 config follows:

sh runn
: Saved

ASA Version 8.4(2)

hostname aaaa

interface Ethernet0/0
 switchport access vlan 100

interface Ethernet0/1
 switchport access vlan 2
 speed 100
 duplex full

interface Ethernet0/2

interface Ethernet0/3

interface Ethernet0/4

interface Ethernet0/5

interface Ethernet0/6

interface Ethernet0/7
 switchport access vlan 110

interface Vlan1
 no nameif
 no security-level
 no ip address

interface Vlan2
 nameif inside
 security-level 100
 ip address

interface Vlan100
 nameif outside
 security-level 0
 ip address

interface Vlan110
 no forward interface Vlan100
 nameif backup_out
 security-level 0
 ip address

ftp mode passive
dns server-group DefaultDNS

object-group network NETWORK_OBJ_172.20.0.0_22

access-list outside_1_cryptomap extended permit ip
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu backup_out 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source static NETWORK_OBJ_192.168.100.0_22 NETWORK_OBJ_192.168.100.0_22 destination static NETWORK_OBJ_172.20.0.0_22 NETWORK_OBJ_172.20.0.0_22
route outside 1 track 1
route backup_out 200
route inside 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
sla monitor 1
 type echo protocol ipIcmpEcho interface outside
 timeout 2
 frequency 3
sla monitor schedule 1 life forever start-time now
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3des-SHA esp-3des esp-sha-hmac
crypto map ouside_map 1 match address outside_1_cryptomap
crypto map ouside_map 1 set pfs group5
crypto map ouside_map 1 set peer
crypto map ouside_map 1 set ikev1 transform-set ESP-3des-SHA
crypto map ouside_map interface outside
crypto map ouside_map interface backup_out
no crypto isakmp nat-traversal
crypto ikev1 enable outside
crypto ikev1 enable backup_out
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
crypto ikev1 policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400

track 1 rtr 1 reachability
telnet timeout 5
ssh timeout 30
console timeout 0
management-access inside
dhcpd auto_config inside

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept

username fabrizio password 5ztInRySM8E.ym/Q encrypted
tunnel-group type ipsec-l2l
tunnel-group ipsec-attributes
 ikev1 pre-shared-key *****

class-map inspection_default
 match default-inspection-traffic

policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp

service-policy global_policy global
prompt hostname context
no call-home reporting anonymous

profile CiscoTAC-1
 no active
 destination address http
 destination address email
 destination transport-method http
 subscribe-to-alert-group diagnostic
 subscribe-to-alert-group environment
 subscribe-to-alert-group inventory periodic monthly
 subscribe-to-alert-group configuration periodic monthly
 subscribe-to-alert-group telemetry periodic daily

: end
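The symptom in the post is a mismatch between the track object's state and the default route actually installed: with `route outside 1 track 1` and `route backup_out 200`, the RIB should hold the route via outside whenever track 1 reports reachability Up. The following added example (not from the post or from Cisco) parses `show route` and `show track` output and flags that mismatch; the sample outputs are constructed, their display format is assumed from the ASA 8.4 CLI, and the addresses are documentation ranges, not the poster's.

```python
import re

# Constructed sample outputs, modelled on the ASA "show route" and "show track"
# display format (format assumed; addresses are documentation ranges, not the poster's).
SHOW_ROUTE_PRIMARY = """\
Gateway of last resort is 203.0.113.1 to network 0.0.0.0

C    192.168.100.0 255.255.252.0 is directly connected, inside
C    203.0.113.0 255.255.255.0 is directly connected, outside
C    198.51.100.0 255.255.255.0 is directly connected, backup_out
S*   0.0.0.0 0.0.0.0 [1/0] via 203.0.113.1, outside
"""
SHOW_ROUTE_BACKUP = SHOW_ROUTE_PRIMARY.replace(
    "Gateway of last resort is 203.0.113.1", "Gateway of last resort is 198.51.100.1").replace(
    "S*   0.0.0.0 0.0.0.0 [1/0] via 203.0.113.1, outside",
    "S*   0.0.0.0 0.0.0.0 [200/0] via 198.51.100.1, backup_out")
SHOW_TRACK_UP = "Track 1\n  Response Time Reporter 1 reachability\n  Reachability is Up\n"
SHOW_TRACK_DOWN = SHOW_TRACK_UP.replace("is Up", "is Down")

# S* line: administrative distance in [AD/metric], next hop, egress interface.
DEFAULT_RE = re.compile(
    r"^S\*\s+0\.0\.0\.0\s+0\.0\.0\.0\s+\[(\d+)/\d+\]\s+via\s+(\S+),\s+(\S+)\s*$", re.M)
TRACK_RE = re.compile(r"^\s*Reachability is (Up|Down)\s*$", re.M)


def installed_default_routes(show_route):
    """Return [(distance, gateway, interface)] for every default route in the RIB."""
    return [(int(d), gw, ifc) for d, gw, ifc in DEFAULT_RE.findall(show_route)]


def track_reachability(show_track):
    """Return 'Up', 'Down', or None if the state line is missing."""
    m = TRACK_RE.search(show_track)
    return m.group(1) if m else None


def failover_verdict(show_route, show_track, primary_if="outside", backup_if="backup_out"):
    """Compare the track object's state with the default route the RIB actually holds."""
    via = {ifc for _, _, ifc in installed_default_routes(show_route)}
    reach = track_reachability(show_track)
    if reach == "Up" and primary_if in via:
        return "PRIMARY"        # expected steady state: tracked route installed
    if reach == "Down" and backup_if in via and primary_if not in via:
        return "FAILED_OVER"    # expected after the tracked target became unreachable
    if reach == "Up" and primary_if not in via:
        return "INCONSISTENT"   # the symptom in the post: track Up, tracked route withdrawn
    return "UNKNOWN"
```

Running the three verdicts against captures taken from the live box would show whether the track object itself went Down or whether the route was withdrawn while reachability stayed Up.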
