Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Dual ISP on ASA 5505 Base license, ver 8.4(4)

Dear All,

I have configured then tested a ASA 5505 with Base License and ver 8.4(2) in Lab environment, and all seems works well.

So in the Lab when I stop the communication with the tracked object 8.8.8.8, the SLA Monitor configured in the ASA changes from the primary link connected to the ISP1 to the secondary link ISP2. Finally when I re-start the communication with the tracked object the active ISP is changed again on ISP1.

After the Lab I goes live with the same configuration the same Base license, but with different IOS 8.4(4), I got a different behavior. I can not reach the interface  82.19.63.190/30 but I can reach 82.19.63.189, so I connect on the serial link using OOB modem. I check the routing table, and I see that the default route about ISP1 is not present in the table even if it is in the config, there is a default route on the table but about the ISP2.

It seems that the sla monitor has changed the on the ISP2 even if the tracked object 8.8.8.8 is reachable, infact if I add again the default route about ISP1 then I can ping the 8.8.8.8...

Why the SLA Monitor works in this way?

Follow the Asa 5055 config:

sh runn

: Saved

:

ASA Version 8.4(2)

!

hostname aaaa

domain-name i.com

names

!

interface Ethernet0/0

switchport access vlan 100

!

interface Ethernet0/1

switchport access vlan 2

speed 100

duplex full

!

interface Ethernet0/2

shutdown

!

interface Ethernet0/3

shutdown

!

interface Ethernet0/4

<--- More --->

shutdown

!

interface Ethernet0/5

shutdown

!

interface Ethernet0/6

shutdown

!

interface Ethernet0/7

switchport access vlan 110

!

interface Vlan1

shutdown

no nameif

no security-level

no ip address

!

interface Vlan2

nameif inside

security-level 100

ip address 192.168.100.6 255.255.255.192

!

interface Vlan100

nameif outside

<--- More --->

security-level 0

ip address 82.19.63.190 255.255.255.252

!

interface Vlan110

no forward interface Vlan100

nameif backup_out

security-level 0

ip address 10.10.10.10 255.255.255.224

!

ftp mode passive

dns server-group DefaultDNS

domain-name intranet.denso-ts.it

object-group network NETWORK_OBJ_172.20.0.0_22

network-object 172.20.0.0 255.255.252.0

access-list outside_1_cryptomap extended permit ip 192.168.100.0 255.255.252.0 172.20.0.0 255.255.252.0

pager lines 24

logging enable

logging asdm informational

mtu inside 1500

mtu outside 1500

mtu backup_out 1500

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

nat (inside,outside) source static NETWORK_OBJ_192.168.100.0_22 NETWORK_OBJ_192.168.100.0_22 destination static NETWORK_OBJ_172.20.0.0_22 NETWORK_OBJ_172.20.0.0_22

route outside 0.0.0.0 0.0.0.0 82.19.63.189 1 track 1

route backup_out 0.0.0.0 0.0.0.0 10.10.10.11 200

route inside 192.168.100.64 255.255.255.192 172.26.100.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

aaa authentication ssh console LOCAL

aaa authentication telnet console LOCAL

http 192.168.100.12 255.255.255.255 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

sla monitor 1

type echo protocol ipIcmpEcho 8.8.8.8 interface outside

timeout 2

frequency 3

sla monitor schedule 1 life forever start-time now

crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-3des-SHA esp-3des esp-sha-hmac

crypto map ouside_map 1 match address outside_1_cryptomap

crypto map ouside_map 1 set pfs group5

crypto map ouside_map 1 set peer 47.8.7.67

crypto map ouside_map 1 set ikev1 transform-set ESP-3des-SHA

crypto map ouside_map interface outside

crypto map ouside_map interface backup_out

no crypto isakmp nat-traversal

crypto ikev1 enable outside

crypto ikev1 enable backup_out

crypto ikev1 policy 10

authentication pre-share

encryption aes-256

hash sha

group 5

lifetime 86400

crypto ikev1 policy 65535

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

!

track 1 rtr 1 reachability

telnet timeout 5

ssh timeout 30

console timeout 0

management-access inside

dhcpd auto_config inside

!

threat-detection basic-threat

<--- More --->

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

username fabrizio password 5ztInRySM8E.ym/Q encrypted

tunnel-group 47.8.7.67 type ipsec-l2l

tunnel-group 47.8.7.67 ipsec-attributes

ikev1 pre-shared-key *****

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect ip-options

  inspect netbios

<--- More --->

  inspect rsh

  inspect rtsp

  inspect skinny 

  inspect esmtp

  inspect sqlnet

  inspect sunrpc

  inspect tftp

  inspect sip 

  inspect xdmcp

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

call-home

profile CiscoTAC-1

  no active

  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

  destination address email callhome@cisco.com

  destination transport-method http

  subscribe-to-alert-group diagnostic

  subscribe-to-alert-group environment

  subscribe-to-alert-group inventory periodic monthly

  subscribe-to-alert-group configuration periodic monthly

<--- More --->

  subscribe-to-alert-group telemetry periodic daily

Cryptochecksum:a7dbcaefbef742e4e19766de630ba790

: end

Everyone's tags (3)
1672
Views
0
Helpful
0
Replies
CreatePlease login to create content