By Manny Fernandez

May 22, 2020


Cisco ASA Internet Failover

It has been a while since I have worked on ASAs in a meaningful way.  Today I was helping out a family member with an ASA, and we were troubleshooting a WAN link on the ASA that was down.  We had configured an SLA to track an IP on the Internet.  If you track the default gateway, you run the risk that the carrier itself has lost upstream connectivity (a cable cut or similar); in that case the local router/firewall can still ping the next hop and wrongly conclude that the link is up when in reality it is not.  I usually choose public IPs such as 4.2.2.2 and 8.8.8.8.  The trade-off is that an outage of the probe target itself, or ICMP rate-limiting by its operator, will also trigger a failover, so pick a target that answers reliably and keep the probe rate modest.

Here is the basic configuration of the IP addresses assigned to the various interfaces.

Interface Configuration

!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 171.56.30.194 255.255.255.224 standby 171.56.30.195 
!
interface GigabitEthernet0/4
nameif backup
security-level 0
ip address 14.34.171.130 255.255.255.192 standby 14.34.171.131 
!

These IP addresses are fake to protect the innocent.

What we want to do here is ping 4.2.2.2 sourced from the outside interface, and keep sourcing the probe from the outside interface even after the default route has moved to the backup link.  Without specifying the interface, the ASA would send the probe along whichever default route is currently active: once the route had failed over to the backup link, the ping would succeed over that link, the track would come back up, the primary route would be reinstalled, the next probe would fail again, and the route would flap back and forth.

SLA

sla monitor 111
type echo protocol ipIcmpEcho 4.2.2.2 interface outside
num-packets 3
frequency 10
!

Above we created an SLA monitor with the identifier 111.

The probe type is ipIcmpEcho (a ping) to 4.2.2.2, sourced from the outside interface.  num-packets 3 sends three echo requests per operation, and frequency 10 runs an operation every 10 seconds, so a dead link is noticed within about one probe interval plus the probe timeout.  Below are the options available to you in probe configuration mode (the output of ? at that prompt).

default Set a command to its defaults
exit Exit probe configuration
frequency Frequency of an operation
    <1-604800> Frequency in seconds
no Negate a command or set its defaults
num-packets Number of Packets
    <1-100> Number of Packets to be transmitted
request-data-size Request data size
    <0-16384> Number of bytes in payload
threshold Operation threshold in milliseconds
    <0-2147483647> Millisecond threshold value
timeout Timeout of an operation
tos Type Of Service
    <0-255> Type of Service Value

The timeout here is the probe's own timeout, in milliseconds.  It is separate from the global timeout command, which governs connection idle timers (conn, udp, xlate and so on) and is not part of the SLA configuration.

 

Now we create a track object that follows the SLA monitor defined above.  The track is what the routing configuration will reference.  Track 1 is based on the reachability of SLA 111:

track 1 rtr 111 reachability

Now we are going to start the SLA

sla monitor schedule 111 life forever start-time now

In the above command we start monitor 111 now and run it forever, with no end time.

Routing

Next we are going to create our routes

route outside 0.0.0.0 0.0.0.0 171.56.30.222 1 track 1
route backup 0.0.0.0 0.0.0.0 14.34.171.158 254

So there are two default routes.  The route via backup has an administrative distance of 254, making it a floating static route, while the route via outside has the default distance of 1 and is tied to track 1.

As long as track 1 is Up, the outside route is installed in the routing table and, having the lower distance, is the one used.  When track 1 goes Down, the ASA removes the outside route from the routing table and the backup route is the only default route left.  One caveat: connections that were established over the backup link are not torn down automatically when the primary route returns.  The timeout floating-conn command (default 0:0:0, meaning disabled) sets how long the ASA waits before closing connections that are using the backup route once the lower-distance route is available again.

NAT

Make sure you have a NAT rule for each egress interface; otherwise inside hosts will not be translated when the backup interface carries the default route and will be unable to browse.  The rules below translate inside sources to the address of whichever interface the traffic leaves through.  The SLA probe itself is sourced from the outside interface address, so it is not affected by these rules.

nat (inside,outside) source dynamic any interface
nat (inside,backup) source dynamic any interface

Validating

asa/act/pri# show track 1
Track 1
Response Time Reporter 111 reachability
Reachability is Down
19 changes, last change 01:34:25
Latest operation return code: Timeout
Tracked by:
STATIC-IP-ROUTING 0

Issue show track 1, replacing 1 with whatever track number you used in your configuration.  Here the state of the track is Down, so the tracked route has been withdrawn and the backup route is the active default route.  The return code Timeout tells us the latest probe received no reply.

asa-01/act/pri# sh track 1
Track 1
Response Time Reporter 111 reachability
Reachability is Up
20 changes, last change 01:23:45
Latest operation return code: OK
Latest RTT (millisecs) 10
Tracked by:
STATIC-IP-ROUTING 0

Once the track changes back to Up, the outside route is reinstalled and traffic is routed via the outside interface again.
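Checking the track state by hand works for one box, but the same show track output is easy to poll and parse so that a monitoring job can tell you which link is carrying the default route and whether it is flapping. The script below is an added example, not part of the original post; it parses the two show track 1 outputs shown above (embedded as constructed sample strings with the CLI prompt removed), derives the active egress interface from the route layout the post describes (tracked route on outside, floating static on backup), and uses the ASA's own change counter between two polls to detect flapping. The function names, the flap threshold and the interface names passed as defaults are my own assumptions.

```python
"""Parse Cisco ASA `show track` output and decide which default route is active.

Added example (not from the original post). Assumes the two-route layout the
post describes: a primary static route on `outside` tied to track 1 and a
floating static route on `backup` with administrative distance 254.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample input: the two `show track 1` outputs from the post,
# with the CLI prompt line stripped.
TRACK_DOWN = """\
Track 1
Response Time Reporter 111 reachability
Reachability is Down
19 changes, last change 01:34:25
Latest operation return code: Timeout
Tracked by:
STATIC-IP-ROUTING 0
"""

TRACK_UP = """\
Track 1
Response Time Reporter 111 reachability
Reachability is Up
20 changes, last change 01:23:45
Latest operation return code: OK
Latest RTT (millisecs) 10
Tracked by:
STATIC-IP-ROUTING 0
"""


@dataclass(frozen=True)
class TrackState:
    track_id: int
    sla_id: int
    up: bool
    changes: int              # ASA's cumulative count of state changes
    last_change: str          # "hh:mm:ss" elapsed since the last state change
    return_code: str          # e.g. "OK" or "Timeout"
    rtt_ms: Optional[int]     # only reported when the latest probe succeeded


_PATTERNS = {
    "track_id": re.compile(r"^Track (\d+)", re.M),
    "sla_id": re.compile(r"^Response Time Reporter (\d+) reachability", re.M),
    "state": re.compile(r"^Reachability is (Up|Down)", re.M),
    "changes": re.compile(r"^(\d+) changes, last change (\S+)", re.M),
    "rc": re.compile(r"^Latest operation return code: (.+)$", re.M),
    "rtt": re.compile(r"^Latest RTT \(millisecs\) (\d+)", re.M),
}


def parse_show_track(text: str) -> TrackState:
    """Turn the text of `show track N` into a TrackState; raises on unexpected output."""
    found = {}
    for name, pattern in _PATTERNS.items():
        match = pattern.search(text)
        if match is None and name != "rtt":      # RTT is absent when the probe timed out
            raise ValueError(f"could not find {name!r} in show track output")
        found[name] = match
    changes, last_change = found["changes"].groups()
    return TrackState(
        track_id=int(found["track_id"].group(1)),
        sla_id=int(found["sla_id"].group(1)),
        up=found["state"].group(1) == "Up",
        changes=int(changes),
        last_change=last_change,
        return_code=found["rc"].group(1).strip(),
        rtt_ms=int(found["rtt"].group(1)) if found["rtt"] else None,
    )


def active_egress(state: TrackState, primary: str = "outside", backup: str = "backup") -> str:
    """Interface carrying the default route: the tracked route stays installed only
    while the track is Up; otherwise the floating static on the backup takes over."""
    return primary if state.up else backup


def hhmmss_to_seconds(value: str) -> int:
    """Convert the ASA's hh:mm:ss age string to seconds."""
    hours, minutes, seconds = (int(part) for part in value.split(":"))
    return hours * 3600 + minutes * 60 + seconds


def is_flapping(prev: TrackState, cur: TrackState, max_changes: int = 2) -> bool:
    """True when the track changed state more than `max_changes` times between two polls.

    Relies on the ASA's own change counter, so the poller needs no local history
    beyond the previous snapshot. `max_changes` is an assumed threshold; tune it
    to your polling interval.
    """
    return (cur.changes - prev.changes) > max_changes


if __name__ == "__main__":
    for snapshot in (TRACK_DOWN, TRACK_UP):
        st = parse_show_track(snapshot)
        print(f"track {st.track_id} (sla {st.sla_id}): {'Up' if st.up else 'Down'} "
              f"[{st.return_code}], default route via {active_egress(st)}, "
              f"{hhmmss_to_seconds(st.last_change)}s since last change")
```

Feed it the output of show track collected over SSH from the management host you permit below, keep the previous snapshot between polls, and alert on either a change of active_egress or is_flapping returning True; a track that flips repeatedly usually means the probe is being routed over the wrong link or the target is dropping ICMP.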

Another important step is to allow your management host to SSH to this box on both interfaces; the ssh permit entries are per interface, so if you only allow outside you lose remote access whenever backup is the active link.

ssh 12.1.1.2 255.255.255.255 outside
ssh 12.1.1.2 255.255.255.255 backup

SLA is a very powerful feature.  I have also used SLA to track an MPLS connection of a partner and based on its reachability, advertise a static route into either OSPF or EIGRP.  I will write an entire article on it.  Stay tuned.

Hope this helps.