As we have documented previously, failover on the ASA is not a difficult configuration: just add a tracking object to the primary route and modify the metric of the secondary route. The snarly bit about getting PPPoE-based failover on the ASA is increasing the metric of the secondary route, as it is sent from the PPPoE server and there is no ‘route’ statement in the config to adjust.
This is a brief post on how to set this up…
Set up the interfaces – note the ‘pppoe client route distance 10’ line!
interface GigabitEthernet1/1
 nameif OUTSIDE
 security-level 0
 ip address 10.10.10.2 255.255.255.0
interface GigabitEthernet1/2
 nameif BACKUP
 security-level 0
 pppoe client vpdn group MY_GROUP
 pppoe client route distance 10
 ip address pppoe setroute
Now the SLA and tracking object
sla monitor 1
 type echo protocol ipIcmpEcho 11.11.11.11 interface OUTSIDE
 frequency 5
sla monitor schedule 1 life forever start-time now
track 1 rtr 1 reachability
Then just add the primary route in manually
route OUTSIDE 0.0.0.0 0.0.0.0 10.10.10.1 1 track 1
Let's check the routing table with both lines up and running:
ADTEST# show route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, + - replicated route

Gateway of last resort is 10.10.10.1 to network 0.0.0.0

S*    0.0.0.0 0.0.0.0 [1/0] via 10.10.10.1, OUTSIDE
C     10.10.10.0 255.255.255.0 is directly connected, OUTSIDE
L     10.10.10.2 255.255.255.255 is directly connected, OUTSIDE
C     192.168.222.0 255.255.255.0 is directly connected, INSIDE
L     192.168.222.1 255.255.255.255 is directly connected, INSIDE
After we pull the plug on the primary line
ADTEST# sh route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, + - replicated route

Gateway of last resort is 1.2.3.4 to network 0.0.0.0

S*    0.0.0.0 0.0.0.0 [10/0] via 1.2.3.4, BACKUP
C     192.168.222.0 255.255.255.0 is directly connected, INSIDE
L     192.168.222.1 255.255.255.255 is directly connected, INSIDE
The default route has changed to the backup line. It's not really 1.2.3.4, of course; it's the gateway of the ISP LNS.
Notes
If you try to use both routes with the same distance, then the second route will not be added to the table. In our case this will certainly be the BACKUP route not being added, as the PPPoE process takes time upon boot.
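The equal-distance problem in the note above can be caught offline before a change goes in. The following is an added example, not part of the original post: a small Python check over a saved running-config that verifies the tracked primary route and the PPPoE route distance. The function name audit_failover is hypothetical, the sample config is the post's own trimmed to the lines the check reads, and the PPPoE default distance of 1 is an assumption.

```python
import re

def audit_failover(config):
    """Return findings for a tracked primary default route plus PPPoE backup."""
    findings, ifaces, nameif = [], {}, None
    for line in config.splitlines():
        nameif = nameif if line.startswith(" ") else None  # left interface block
        if m := re.match(r"\s*nameif (\S+)", line):
            nameif = m.group(1)
            ifaces[nameif] = {"setroute": False, "distance": 1}  # assumed default
        elif nameif and (m := re.match(r"\s*pppoe client route distance (\d+)", line)):
            ifaces[nameif]["distance"] = int(m.group(1))
        elif nameif and line.strip() == "ip address pppoe setroute":
            ifaces[nameif]["setroute"] = True
    statics = re.findall(
        r"^route (\S+) 0\.0\.0\.0 0\.0\.0\.0 \S+(?: (\d+))?(?: track (\d+))?\s*$",
        config, re.M)
    tracks = dict(re.findall(r"^track (\d+) rtr (\d+) reachability", config, re.M))
    scheduled = set(re.findall(r"^sla monitor schedule (\d+) ", config, re.M))
    tracked = [(i, int(d or 1), t) for i, d, t in statics if t]
    if not tracked:
        findings.append("no tracked static default route")
    for iface, dist, track in tracked:
        sla = tracks.get(track)
        if sla is None:
            findings.append(f"{iface}: track {track} is not defined")
        elif sla not in scheduled:
            findings.append(f"{iface}: sla monitor {sla} is never scheduled")
        for name, cfg in ifaces.items():
            if cfg["setroute"] and cfg["distance"] <= dist:
                findings.append(f"{name}: PPPoE distance {cfg['distance']} "
                                f"is not above {iface} distance {dist}")
    return findings

# The post's configuration (trimmed), and a constructed variant without the distance line.
GOOD = """\
interface GigabitEthernet1/1
 nameif OUTSIDE
interface GigabitEthernet1/2
 nameif BACKUP
 pppoe client vpdn group MY_GROUP
 pppoe client route distance 10
 ip address pppoe setroute
sla monitor 1
 type echo protocol ipIcmpEcho 11.11.11.11 interface OUTSIDE
sla monitor schedule 1 life forever start-time now
track 1 rtr 1 reachability
route OUTSIDE 0.0.0.0 0.0.0.0 10.10.10.1 1 track 1
"""
BAD = GOOD.replace(" pppoe client route distance 10\n", "")
```

audit_failover(GOOD) returns an empty list, while audit_failover(BAD) reports that the BACKUP PPPoE distance is not above the OUTSIDE distance.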