This post describes and tests some configurations to support multiple ISP or WAN connections on an ASA running FOS9. I'm using an ASA 5506X for this demo, and my software version does not use bridge-groups out of the box, so all the ports are routed by default. I'm also using a couple of other Cisco routers in a simple network to test the connections.
To start with, let's set up a standard dual-ISP setup which relies only on a floating static route.
Stage 1 – Set up the interfaces
interface GigabitEthernet1/1
 nameif ISP1
 security-level 0
 ip address 10.0.0.2 255.255.255.252
!
interface GigabitEthernet1/2
 nameif ISP2
 security-level 0
 ip address 10.1.1.2 255.255.255.252
Stage 2 – Add the routes
We want ISP1 to be the primary and to fall back to the secondary if it fails. The higher administrative distance (200) on the ISP2 route keeps it out of the routing table while the ISP1 route is present.
route ISP1 0.0.0.0 0.0.0.0 10.0.0.1 1
route ISP2 0.0.0.0 0.0.0.0 10.1.1.1 200
A quick check of the routing table shows:
ciscoasa# sh route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, + - replicated route

Gateway of last resort is 10.0.0.1 to network 0.0.0.0

S*       0.0.0.0 0.0.0.0 [1/0] via 10.0.0.1, ISP1
C        10.0.0.0 255.255.255.252 is directly connected, ISP1
L        10.0.0.2 255.255.255.255 is directly connected, ISP1
C        10.1.1.0 255.255.255.252 is directly connected, ISP2
L        10.1.1.2 255.255.255.255 is directly connected, ISP2
When I pull the cable out of interface Gi1/1 (ISP1) and re-check:
ciscoasa# sh route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, + - replicated route

Gateway of last resort is 10.1.1.1 to network 0.0.0.0

S*       0.0.0.0 0.0.0.0 [200/0] via 10.1.1.1, ISP2
C        10.1.1.0 255.255.255.252 is directly connected, ISP2
L        10.1.1.2 255.255.255.255 is directly connected, ISP2
So that all works. However, in the design we need here it is VERY unlikely that this will ever fail over, because the line protocol will always remain up: the gateway will be either a modem or another router, so an upstream outage never takes the ASA interface down. A different option is needed here: a tracking object.
The new topology is a bit different and uses an intermediate switch/router on ISP1, so we can monitor something that is not directly connected.
The first stage is to create an SLA object:
sla monitor 1
 type echo protocol ipIcmpEcho 1.1.1.1 interface ISP1
sla monitor schedule 1 life forever start-time now
I'm monitoring the loopback interface on my ISP router, but that's via an extra L3 hop on the switch. We can test that it works with the following:
ciscoasa# show sla monitor configuration
SA Agent, Infrastructure Engine-II
Entry number: 1
Owner:
Tag:
Type of operation to perform: echo
Target address: 1.1.1.1
Interface: ISP1
Number of packets: 1
Request size (ARR data portion): 28
Operation timeout (milliseconds): 5000
Type Of Service parameters: 0x0
Verify data: No
Operation frequency (seconds): 60
Next Scheduled Start Time: Start Time already passed
Group Scheduled : FALSE
Life (seconds): Forever
Entry Ageout (seconds): never
Recurring (Starting Everyday): FALSE
Status of entry (SNMP RowStatus): Active
Enhanced History:

ciscoasa# show sla monitor operational-state
Entry number: 1
Modification time: 01:08:31.696 UTC Tue Oct 15 2019
Number of Octets Used by this Entry: 2056
Number of operations attempted: 3228
Number of operations skipped: 0
Current seconds left in Life: Forever
Operational state of entry: Active
Last time this entry was reset: Never
Connection loss occurred: FALSE
Timeout occurred: FALSE
Over thresholds occurred: FALSE
Latest RTT (milliseconds): 1
Latest operation start time: 06:55:31.697 UTC Thu Oct 17 2019
Latest operation return code: OK
RTT Values:
RTTAvg: 1    RTTMin: 1    RTTMax: 1
NumOfRTT: 1  RTTSum: 1    RTTSum2: 1
Once that's all running, we can attach it to a tracking object as follows:
track 1 rtr 1 reachability
which can be verified:
ciscoasa# sh track
Track 1
  Response Time Reporter 1 reachability
  Reachability is Up
  6 changes, last change 00:37:56
  Latest operation return code: OK
  Latest RTT (millisecs) 1
  Tracked by:
    STATIC-IP-ROUTING 0
Now we can add the tracking object to the primary default route; the ISP2 route stays as an untracked floating static.
route ISP1 0.0.0.0 0.0.0.0 10.0.0.1 1 track 1
route ISP2 0.0.0.0 0.0.0.0 10.1.1.1 200
So now we can check the routing table:
ciscoasa# show route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, + - replicated route

Gateway of last resort is 10.0.0.1 to network 0.0.0.0

S*       0.0.0.0 0.0.0.0 [1/0] via 10.0.0.1, ISP1
C        10.0.0.0 255.255.255.0 is directly connected, ISP1
L        10.0.0.2 255.255.255.255 is directly connected, ISP1
C        10.1.1.0 255.255.255.252 is directly connected, ISP2
L        10.1.1.2 255.255.255.255 is directly connected, ISP2
I've now broken the network north of the directly connected router and south of 1.1.1.1:
ciscoasa# show route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, + - replicated route

Gateway of last resort is 10.1.1.1 to network 0.0.0.0

S*       0.0.0.0 0.0.0.0 [200/0] via 10.1.1.1, ISP2
C        10.0.0.0 255.255.255.0 is directly connected, ISP1
L        10.0.0.2 255.255.255.255 is directly connected, ISP1
C        10.1.1.0 255.255.255.252 is directly connected, ISP2
L        10.1.1.2 255.255.255.255 is directly connected, ISP2

ciscoasa# sh track
Track 1
  Response Time Reporter 1 reachability
  Reachability is Down
  7 changes, last change 00:00:17
  Latest operation return code: Timeout
  Tracked by:
    STATIC-IP-ROUTING 0

ciscoasa# sh sla monitor operational-state 1
Entry number: 1
Modification time: 01:08:31.701 UTC Tue Oct 15 2019
Number of Octets Used by this Entry: 2056
Number of operations attempted: 3239
Number of operations skipped: 0
Current seconds left in Life: Forever
Operational state of entry: Active
Last time this entry was reset: Never
Connection loss occurred: FALSE
Timeout occurred: TRUE
Over thresholds occurred: FALSE
Latest RTT (milliseconds): NoConnection/Busy/Timeout
Latest operation start time: 07:06:31.702 UTC Thu Oct 17 2019
Latest operation return code: Timeout
RTT Values:
RTTAvg: 0    RTTMin: 0    RTTMax: 0
NumOfRTT: 0  RTTSum: 0    RTTSum2: 0
That failed over, and now it's plugged back in and everything is back to normal. Notice the operation frequency of the SLA is 60 seconds, so that could do with some tuning!
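As an added example that is not part of the original post, here is a small Python checker that parses the `sh track` and `show route` output shown above and confirms the installed default route agrees with the track state (primary via ISP1 only while the track is Up), plus a helper that estimates worst-case failure detection time from the SLA frequency and timeout. The sample text is copied from the post's own output; the `worst_case_detect_s` model (one timed-out probe flips the track) is an assumption, not something the post states.

```python
import re

# Constructed sample input: the 'sh track' output captured after the upstream
# path to 1.1.1.1 was broken (copied from the post, reachability now Down).
SHOW_TRACK = """Track 1
  Response Time Reporter 1 reachability
  Reachability is Down
  7 changes, last change 00:00:17
  Latest operation return code: Timeout
  Tracked by:
    STATIC-IP-ROUTING 0
"""

# Constructed sample input: the S* line from the matching 'show route'.
SHOW_ROUTE = "S*       0.0.0.0 0.0.0.0 [200/0] via 10.1.1.1, ISP2"


def track_state(show_track):
    """Return (reachable, change_count, last_return_code) from 'sh track'."""
    reach = re.search(r"Reachability is (Up|Down)", show_track)
    changes = re.search(r"(\d+) changes", show_track)
    code = re.search(r"Latest operation return code: (\S+)", show_track)
    if not (reach and changes and code):
        raise ValueError("unrecognised 'sh track' output")
    return reach.group(1) == "Up", int(changes.group(1)), code.group(1)


def default_route(show_route):
    """Return (gateway, interface, admin_distance) of the S* default route."""
    m = re.search(r"S\*\s+0\.0\.0\.0 0\.0\.0\.0 \[(\d+)/\d+\] via ([\d.]+), (\S+)",
                  show_route)
    if not m:
        raise ValueError("no static default route in 'show route' output")
    return m.group(2), m.group(3), int(m.group(1))


def consistent(show_track, show_route, primary_if="ISP1"):
    """True when the installed default route matches the track: it should sit
    on the primary interface exactly while reachability is Up."""
    reachable, _, _ = track_state(show_track)
    _, iface, _ = default_route(show_route)
    return (iface == primary_if) == reachable


def worst_case_detect_s(frequency_s=60, timeout_ms=5000):
    """Approximate worst-case seconds before the ASA notices a dead path: a
    break just after a good probe waits one full interval, then the next probe
    must run to its timeout. Assumes a single timeout flips the track."""
    return frequency_s + timeout_ms / 1000


if __name__ == "__main__":
    print(track_state(SHOW_TRACK), default_route(SHOW_ROUTE))
    print("consistent:", consistent(SHOW_TRACK, SHOW_ROUTE))
    print("worst-case detection (s):", worst_case_detect_s())
```

With the post's defaults (frequency 60 s, timeout 5000 ms) the estimate is 65 s, which is the figure to shrink by lowering the SLA frequency and timeout.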