By Manny Fernandez
May 22, 2020
Cisco ASA Internet Failover
It has been a while since I worked on ASAs in a meaningful way. Today I was helping out a family member with an ASA and we were troubleshooting a WAN link on the ASA that was down. We had configured SLA to track an IP on the Internet. If you track the default gateway instead, you run the risk of the carrier losing access to the Internet due to a cable cut or similar: the local router/firewall would still be able to ping the next hop and wrongly assume the link was up when in reality it was not. I usually choose public IPs such as 4.2.2.2 and 8.8.8.8.
Here is the basic configuration of the IP addresses assigned to the various interfaces.
Interface Configuration
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 171.56.30.194 255.255.255.224 standby 171.56.30.195
!
interface GigabitEthernet0/4
 nameif backup
 security-level 0
 ip address 14.34.171.130 255.255.255.192 standby 14.34.171.131
!
These IP addresses are fake to protect the innocent.
What we want to do here is ping 4.2.2.2 sourced from the outside interface, and keep sourcing the ping from the outside interface even after a failover. Without specifying the interface, the ASA would send the ping over the second link once the outside route was withdrawn, and THAT ping would in fact be successful, causing the route to flap back and forth.
SLA
sla monitor 111
 type echo protocol ipIcmpEcho 4.2.2.2 interface outside
 num-packets 3
 frequency 10
!
So above you can see we created an SLA monitor and gave it an identifier of 111.
Next we use ipIcmpEcho, or ping, to ping 4.2.2.2 sourced from the outside interface, sending 3 packets per probe (num-packets 3) every 10 seconds (frequency 10). Below we will discuss the options available to you when you configure the SLA.
default Set a command to its defaults
exit Exit probe configuration
frequency Frequency of an operation
<1-604800> Frequency in seconds
no Negate a command or set its defaults
num-packets Number of Packets
<1-100> Number of Packets to be transmitted
request-data-size Request data size
<0-16384> Number of bytes in payload
threshold Operation threshold in milliseconds
<0-2147483647> Millisecond threshold value
timeout Timeout of an operation
conn Configure idle time after which a TCP connection state
will be closed, default is 1:00:00
conn-holddown Connection Holddown timer to retain the routes till
the timer expires, default is 0:0:15
floating-conn Configure time after which connections using the
backup route will be closed once lower metric route
becomes available, default is 0:0:0
h225 Configure idle time after which an H.225 signaling
conn will be closed, default is 1:00:00
h323 Configure idle time after which an H.323 control
connection will be closed, default is 0:05:00
half-closed Configure idle time after which a TCP half-closed
connection will be freed, default is 0:10:00
icmp Configure idle timeout for ICMP, default is 0:00:02
mgcp Configure idle time after which an MGCP media
connection will be closed, default is 0:05:00
mgcp-pat Configure the time after which an MGCP PAT Xlate will
be removed, default is 0:05:00
pat-xlate Configure idle time after which a dynamic port will be
returned to the free PAT pool, default is 0:00:30
sctp Configure idle time after which a SCTP connection
state will be closed, default is 0:02:00
sip Configure idle time after which a SIP control
connection will be closed, default is 0:30:00
sip-disconnect Configure idle timeout after which SIP session is
deleted if 200 OK is not received for a CANCEL or BYE
message, default s 0:02:00
sip-invite Configure idle time after which pinholes for
PROVISIONAL responsesand media xlates will be closed,
default is 0:03:00
sip-provisional-media Configure idle time after which a SIP provisional
Media connection will be closed, default is 0:02:00
sip_media Configure idle time after which a SIP Media connection
will be closed, default is 0:02:00
sunrpc Configure idle time after which a SUNRPC slot will be
closed, default is 0:10:00
tcp-proxy-reassembly Configure idle timeout after which buffered packets
waiting for reassembly in tcp-proxy are dropped,
default is 0:01:00
uauth Configure idle time after which an authentication will
no longer be cached and the user will need to
re-authenticate on their connection, default is
0:05:00. The default uauth timer is absolute.
udp Configure idle time after which general UDP states
will be closed, default is 0:02:00, This timer does
not apply to DNS or SUNRPC
xlate Configure idle time after which a dynamic address will
be returned to the free pool, default is 3:00:00
tos Type Of Service
<0-255> Type of Service Value
Now we are going to create a track statement that uses the SLA monitor we created above. The track will be used in our routing as well. We are going to track based on the reachability of SLA 111.
track 1 rtr 111 reachability
Now we are going to start the SLA:
sla monitor schedule 111 life forever start-time now
In the above command, we are saying we want to start monitor 111 now and run it forever.
Routing
Next we are going to create our routes:
route outside 0.0.0.0 0.0.0.0 171.56.30.222 1 track 1
route backup 0.0.0.0 0.0.0.0 14.34.171.158 254
So I have two default gateways; however, one carries an administrative distance of 254 while the other is the standard route (administrative distance 1) with track 1 at the end.
What the track 1 means is: as long as the track is true or UP, this route stays in the RIB of the ASA. If track 1 is false or DOWN, this route is removed from the RIB and the only route left is the distance-254 backup route.
NAT
You will want to make sure that you have a NAT statement for both outgoing interfaces, or you will be unable to browse when the backup interface is the current default gateway.
nat (inside,outside) source dynamic any interface
nat (inside,backup) source dynamic any interface
Validating
asa/act/pri# show track 1
Track 1
Response Time Reporter 111 reachability
Reachability is Down
19 changes, last change 01:34:25
Latest operation return code: Timeout
Tracked by:
STATIC-IP-ROUTING 0
Issue show track 1, where 1 should be replaced with whatever track number you used in your configuration. We can see that the state of the track is Down, which indicates that the backup route is the active route.
asa-01/act/pri# sh track 1
Track 1
Response Time Reporter 111 reachability
Reachability is Up
20 changes, last change 01:23:45
Latest operation return code: OK
Latest RTT (millisecs) 10
Tracked by:
STATIC-IP-ROUTING 0
Once the track changes to Up the route is switched to the outside interface.
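If you poll this output from a monitoring box, the state and the change counter are what you want to watch: a Down state tells you traffic is on the backup link, and a change counter climbing between polls is the flapping the interface keyword on the SLA is meant to prevent. The parser below is an added example, not part of the post or of Cisco's tooling; it works on the two show track outputs quoted above (embedded as constructed samples, trailing lines trimmed) and maps the state to the default route the ASA is using.

```python
import re
from dataclasses import dataclass
from typing import Optional
# Constructed samples: the two "show track 1" outputs quoted in the post, trailing lines trimmed.
SHOW_TRACK_DOWN = """Track 1
Response Time Reporter 111 reachability
Reachability is Down
19 changes, last change 01:34:25
Latest operation return code: Timeout
"""
SHOW_TRACK_UP = """Track 1
Response Time Reporter 111 reachability
Reachability is Up
20 changes, last change 01:23:45
Latest operation return code: OK
Latest RTT (millisecs) 10
"""
@dataclass
class TrackState:
    track_id: int
    sla_id: int
    reachable: bool
    changes: int           # cumulative up/down transitions of the track
    return_code: str       # "OK" or "Timeout"
    rtt_ms: Optional[int]  # reported only while the probe succeeds

def parse_show_track(text: str) -> TrackState:
    """Parse ASA 'show track <n>' output; raise ValueError on a missing field."""
    def field(pattern: str) -> str:
        m = re.search(pattern, text, re.M)
        if not m:
            raise ValueError(f"show track output lacks field: {pattern}")
        return m.group(1)
    rtt = re.search(r"^Latest RTT \(millisecs\) (\d+)", text, re.M)
    return TrackState(
        track_id=int(field(r"^Track (\d+)")),
        sla_id=int(field(r"^Response Time Reporter (\d+) reachability")),
        reachable=field(r"^Reachability is (Up|Down)") == "Up",
        changes=int(field(r"^(\d+) changes, last change")),
        return_code=field(r"^Latest operation return code: (\S+)"),
        rtt_ms=int(rtt.group(1)) if rtt else None,
    )

def active_default_route(state: TrackState) -> str:
    """Tracked route via 'outside' while Up; the AD-254 route via 'backup' when Down."""
    return "outside" if state.reachable else "backup"

def flapped(before: TrackState, after: TrackState, max_changes: int = 2) -> bool:
    """True if the track transitioned more than max_changes times between two polls."""
    return after.changes - before.changes > max_changes
```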
Another important step is to ensure that the host allowed to SSH to this box is configured for both interfaces:
ssh 12.1.1.2 255.255.255.255 outside
ssh 12.1.1.2 255.255.255.255 backup
SLA is a very powerful feature. I have also used SLA to track an MPLS connection of a partner and based on its reachability, advertise a static route into either OSPF or EIGRP. I will write an entire article on it. Stay tuned.
Hope this helps.