Cisco ASA Dual ISP setup

This post describes and tests some configurations to support multiple ISP or WAN connections on an ASA running FOS 9. I'm using an ASA 5506-X for this demo, and my software version does not use bridge groups out of the box, so all the ports are routed by default. I'm also using a couple of other Cisco routers in a simple network to test the connections.

To start with, let's set up a standard dual-ISP setup that relies only on a floating static route.

Stage 1 – Set up the interfaces

interface GigabitEthernet1/1
 nameif ISP1
 security-level 0
 ip address 10.0.0.2 255.255.255.252 
!             
interface GigabitEthernet1/2
 nameif ISP2
 security-level 0
 ip address 10.1.1.2 255.255.255.252 

Stage 2 – Add the routes
We want ISP1 to be the primary and for it to fall back to the secondary if it fails. The second default route is given an administrative distance of 200, so it stays out of the routing table for as long as the ISP1 route is present.

route ISP1 0.0.0.0 0.0.0.0 10.0.0.1 1 
route ISP2 0.0.0.0 0.0.0.0 10.1.1.1 200

A quick check of the routing table shows:

ciscoasa# sh route

Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, + - replicated route
Gateway of last resort is 10.0.0.1 to network 0.0.0.0

S*       0.0.0.0 0.0.0.0 [1/0] via 10.0.0.1, ISP1
C        10.0.0.0 255.255.255.252 is directly connected, ISP1
L        10.0.0.2 255.255.255.255 is directly connected, ISP1
C        10.1.1.0 255.255.255.252 is directly connected, ISP2
L        10.1.1.2 255.255.255.255 is directly connected, ISP2

When I pull the cable out of the interface Gi1/1 (ISP1) and re-check:

ciscoasa# sh route

Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, + - replicated route
Gateway of last resort is 10.1.1.1 to network 0.0.0.0

S*       0.0.0.0 0.0.0.0 [200/0] via 10.1.1.1, ISP2
C        10.1.1.0 255.255.255.252 is directly connected, ISP2
L        10.1.1.2 255.255.255.255 is directly connected, ISP2

So that all works... however, the design we need here means it is very unlikely this will ever fail over, because the line protocol will stay up as long as a modem or another router is the next hop: the ASA only withdraws the static route when the interface itself goes down, not when the ISP behind it does. A different option is needed here, using a tracking object.

The new topology is a bit different and uses an intermediate switch/router on ISP1, so we can monitor something that is not directly connected.

The first stage is to create an SLA object:

sla monitor 1
 type echo protocol ipIcmpEcho 1.1.1.1 interface ISP1
sla monitor schedule 1 life forever start-time now

I'm monitoring the loopback interface on my ISP router, but that's via an extra L3 hop on the switch. We can check it works with the following:

ciscoasa# show sla monitor configuration 
SA Agent, Infrastructure Engine-II
Entry number: 1
Owner: 
Tag: 
Type of operation to perform: echo
Target address: 1.1.1.1
Interface: ISP1
Number of packets: 1
Request size (ARR data portion): 28
Operation timeout (milliseconds): 5000
Type Of Service parameters: 0x0
Verify data: No
Operation frequency (seconds): 60
Next Scheduled Start Time: Start Time already passed
Group Scheduled : FALSE
Life (seconds): Forever
Entry Ageout (seconds): never
Recurring (Starting Everyday): FALSE
Status of entry (SNMP RowStatus): Active
Enhanced History:

ciscoasa# show sla monitor operational-state 
Entry number: 1
Modification time: 01:08:31.696 UTC Tue Oct 15 2019
Number of Octets Used by this Entry: 2056
Number of operations attempted: 3228
Number of operations skipped: 0
Current seconds left in Life: Forever
Operational state of entry: Active
Last time this entry was reset: Never
Connection loss occurred: FALSE
Timeout occurred: FALSE
Over thresholds occurred: FALSE
Latest RTT (milliseconds): 1
Latest operation start time: 06:55:31.697 UTC Thu Oct 17 2019
Latest operation return code: OK
RTT Values:
RTTAvg: 1       RTTMin: 1       RTTMax: 1
NumOfRTT: 1     RTTSum: 1       RTTSum2: 1

Once that's all running we can attach it to a tracking object as follows:

track 1 rtr 1 reachability

which can be verified:

ciscoasa# sh track 
Track 1
  Response Time Reporter 1 reachability
  Reachability is Up
  6 changes, last change 00:37:56
  Latest operation return code: OK
  Latest RTT (millisecs) 1
  Tracked by:
    STATIC-IP-ROUTING 0

Now we can add the tracking object onto the default route.

route ISP1 0.0.0.0 0.0.0.0 10.0.0.1 1 track 1
route ISP2 0.0.0.0 0.0.0.0 10.1.1.1 200

So now we can check the routing table….

ciscoasa# show route

Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, + - replicated route
Gateway of last resort is 10.0.0.1 to network 0.0.0.0

S*       0.0.0.0 0.0.0.0 [1/0] via 10.0.0.1, ISP1
C        10.0.0.0 255.255.255.0 is directly connected, ISP1
L        10.0.0.2 255.255.255.255 is directly connected, ISP1
C        10.1.1.0 255.255.255.252 is directly connected, ISP2
L        10.1.1.2 255.255.255.255 is directly connected, ISP2

I've now broken the network north of the directly connected router and south of 1.1.1.1:

ciscoasa# show route

Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, + - replicated route
Gateway of last resort is 10.1.1.1 to network 0.0.0.0

S*       0.0.0.0 0.0.0.0 [200/0] via 10.1.1.1, ISP2
C        10.0.0.0 255.255.255.0 is directly connected, ISP1
L        10.0.0.2 255.255.255.255 is directly connected, ISP1
C        10.1.1.0 255.255.255.252 is directly connected, ISP2
L        10.1.1.2 255.255.255.255 is directly connected, ISP2

ciscoasa# sh track
Track 1
  Response Time Reporter 1 reachability
  Reachability is Down
  7 changes, last change 00:00:17
  Latest operation return code: Timeout
  Tracked by:
    STATIC-IP-ROUTING 0

ciscoasa# sh sla monitor operational-state 1
Entry number: 1
Modification time: 01:08:31.701 UTC Tue Oct 15 2019
Number of Octets Used by this Entry: 2056
Number of operations attempted: 3239
Number of operations skipped: 0
Current seconds left in Life: Forever
Operational state of entry: Active
Last time this entry was reset: Never
Connection loss occurred: FALSE
Timeout occurred: TRUE
Over thresholds occurred: FALSE
Latest RTT (milliseconds): NoConnection/Busy/Timeout
Latest operation start time: 07:06:31.702 UTC Thu Oct 17 2019
Latest operation return code: Timeout
RTT Values:
RTTAvg: 0       RTTMin: 0       RTTMax: 0
NumOfRTT: 0     RTTSum: 0       RTTSum2: 0

That failed over, and now that it's plugged back in everything is back to normal. Notice that the operation frequency of the SLA is 60 seconds (with a 5000 ms timeout), so a dead path can take over a minute to be noticed and the same again to recover; those timers could do with some tuning!
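Pulling the stages above together, here is the complete dual-ISP configuration with the SLA timers tuned, as an added example rather than the configuration from the original post. The interface names, addresses and probe target are the ones used in this post; the timer values are assumptions chosen to make the track react in tens of seconds rather than minutes, and the constraints noted in the comments (threshold no larger than timeout, frequency in seconds no smaller than timeout) are the ones the ASA enforces on these commands.

```cisco
! Added example: full dual-ISP configuration with a tuned SLA probe.
! Interface names, addresses and the 1.1.1.1 target come from the post
! above; the timer values are assumptions for illustration.
!
interface GigabitEthernet1/1
 nameif ISP1
 security-level 0
 ip address 10.0.0.2 255.255.255.252
!
interface GigabitEthernet1/2
 nameif ISP2
 security-level 0
 ip address 10.1.1.2 255.255.255.252
!
! ICMP echo is the only probe type the ASA SLA monitor supports.
! "interface ISP1" pins the probe to that interface, so the target is
! only ever tested via ISP1 even when the default route has moved to
! ISP2. Probe something beyond the first hop, so a dead upstream is
! detected while the local link (modem or router) still shows up/up.
! Remove the schedule line before editing a live entry.
!
! Timers: 3 probes every 10 s, each allowed 3000 ms to answer, instead
! of the defaults of 1 probe every 60 s with a 5000 ms timeout.
! threshold must not exceed timeout, and frequency (seconds) must not be
! smaller than timeout (milliseconds) expressed in seconds.
sla monitor 1
 type echo protocol ipIcmpEcho 1.1.1.1 interface ISP1
 num-packets 3
 frequency 10
 timeout 3000
 threshold 1000
sla monitor schedule 1 life forever start-time now
!
! Tie the reachability of SLA entry 1 to a tracking object. The primary
! default route is installed only while track 1 reports Up; the ISP2
! route with distance 200 takes over when it goes Down.
track 1 rtr 1 reachability
!
route ISP1 0.0.0.0 0.0.0.0 10.0.0.1 1 track 1
route ISP2 0.0.0.0 0.0.0.0 10.1.1.1 200
```

Two practical points when using this. First, `threshold` only feeds the over-threshold statistics shown in `show sla monitor operational-state`; a reachability track flips on Timeout, so `timeout`, `frequency` and `num-packets` are the values that decide how quickly failover happens. Second, if hosts behind the ASA use private addresses they also need a translation on each ISP interface (for example one network object per ISP, with `nat (inside,ISP1) dynamic interface` on one and `nat (inside,ISP2) dynamic interface` on the other, because a single object can carry only one `nat` command); without that, traffic is not translated once the default route moves to ISP2, even though the routing table looks correct.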

This entry was posted in Cisco.