Cisco ASA with PPPOE failover line

As we have documented previously, failover on the ASA is not a difficult configuration: just add a tracking object to the primary route and raise the metric (administrative distance) of the secondary route. The snarly bit about getting a PPPoE-based failover on the ASA is that the secondary route is pushed from the PPPoE server, so there is no ‘route’ statement in the config whose distance you can adjust.
This is a brief post on how to set this up.

Set up the interfaces – note the ‘pppoe client route distance 10’ line!

interface GigabitEthernet1/1
 nameif OUTSIDE
 security-level 0
 ip address 10.10.10.2 255.255.255.0

interface GigabitEthernet1/2
 nameif BACKUP
 security-level 0
 pppoe client vpdn group MY_GROUP
 pppoe client route distance 10
 ip address pppoe setroute

Now the SLA and tracking object

sla monitor 1
 type echo protocol ipIcmpEcho 11.11.11.11 interface OUTSIDE
 frequency 5
sla monitor schedule 1 life forever start-time now

track 1 rtr 1 reachability

Then just add the primary route in manually

route OUTSIDE 0.0.0.0 0.0.0.0 10.10.10.1 1 track 1

Let's check the routing table with both lines up and running:

ADTEST# show route

Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, + - replicated route
Gateway of last resort is 10.10.10.1 to network 0.0.0.0

S*       0.0.0.0 0.0.0.0 [1/0] via 10.10.10.1, OUTSIDE
C        10.10.10.0 255.255.255.0 is directly connected, OUTSIDE
L        10.10.10.2 255.255.255.255 is directly connected, OUTSIDE
C        192.168.222.0 255.255.255.0 is directly connected, INSIDE
L        192.168.222.1 255.255.255.255 is directly connected, INSIDE

After we pull the plug on the primary line

ADTEST# sh route

Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, + - replicated route
Gateway of last resort is 1.2.3.4 to network 0.0.0.0

S*       0.0.0.0 0.0.0.0 [10/0] via 1.2.3.4, BACKUP
C        192.168.222.0 255.255.255.0 is directly connected, INSIDE
L        192.168.222.1 255.255.255.255 is directly connected, INSIDE

The default route has changed to the backup line. It's not really 1.2.3.4, of course; it's the gateway of the ISP LNS.
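To verify the failover without eyeballing the routing table, the two ‘show route’ captures above can be parsed and the installed default route compared against the interface the primary line lives on. The script below is an added example, not part of the original post; the two sample outputs are constructed from the captures shown above, and the primary interface name (OUTSIDE) is assumed from the config.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Matches a route line that carries a next hop, in the ASA "show route" layout:
#   S*       0.0.0.0 0.0.0.0 [1/0] via 10.10.10.1, OUTSIDE
# Legend lines and "directly connected" lines have no "[AD/metric] via" and are skipped.
ROUTE_RE = re.compile(
    r"^(?P<code>[A-Za-z0-9]{1,2}\*?)\s+"
    r"(?P<prefix>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<mask>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"\[(?P<ad>\d+)/(?P<metric>\d+)\]\s+via\s+"
    r"(?P<gateway>\d{1,3}(?:\.\d{1,3}){3}),\s+(?P<iface>\S+)\s*$"
)


@dataclass
class Route:
    code: str
    prefix: str
    mask: str
    distance: int      # administrative distance, the first number in [AD/metric]
    metric: int
    gateway: str
    interface: str


def parse_show_route(output: str) -> List[Route]:
    """Extract every next-hop route from a 'show route' capture."""
    routes: List[Route] = []
    for raw in output.splitlines():
        m = ROUTE_RE.match(raw.strip())
        if m:
            routes.append(Route(
                code=m["code"], prefix=m["prefix"], mask=m["mask"],
                distance=int(m["ad"]), metric=int(m["metric"]),
                gateway=m["gateway"], interface=m["iface"],
            ))
    return routes


def default_route(routes: List[Route]) -> Optional[Route]:
    """Return the installed default route (lowest distance wins, then lowest metric)."""
    defaults = [r for r in routes if r.prefix == "0.0.0.0" and r.mask == "0.0.0.0"]
    return min(defaults, key=lambda r: (r.distance, r.metric)) if defaults else None


def failover_state(output: str, primary_iface: str = "OUTSIDE") -> str:
    """Classify a capture as PRIMARY, FAILOVER or NO_DEFAULT_ROUTE.

    primary_iface is an assumption taken from the interface config above.
    """
    d = default_route(parse_show_route(output))
    if d is None:
        return "NO_DEFAULT_ROUTE"
    return "PRIMARY" if d.interface == primary_iface else "FAILOVER"


# Constructed sample captures, trimmed from the two 'show route' outputs in the post.
# A couple of legend lines are kept to show that the parser ignores them.
BOTH_UP = """\
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
Gateway of last resort is 10.10.10.1 to network 0.0.0.0

S*       0.0.0.0 0.0.0.0 [1/0] via 10.10.10.1, OUTSIDE
C        10.10.10.0 255.255.255.0 is directly connected, OUTSIDE
L        10.10.10.2 255.255.255.255 is directly connected, OUTSIDE
C        192.168.222.0 255.255.255.0 is directly connected, INSIDE
"""

PRIMARY_DOWN = """\
Gateway of last resort is 1.2.3.4 to network 0.0.0.0

S*       0.0.0.0 0.0.0.0 [10/0] via 1.2.3.4, BACKUP
C        192.168.222.0 255.255.255.0 is directly connected, INSIDE
L        192.168.222.1 255.255.255.255 is directly connected, INSIDE
"""

if __name__ == "__main__":
    for name, capture in (("both lines up", BOTH_UP), ("primary unplugged", PRIMARY_DOWN)):
        d = default_route(parse_show_route(capture))
        print(f"{name}: {failover_state(capture)} via {d.gateway} on {d.interface} [AD {d.distance}]")
```

Running the script against a capture taken after the tracking object has gone down prints FAILOVER with the BACKUP interface and distance 10, which is exactly the [10/0] entry shown above; a monitoring job can poll ‘show route’ and alert when the state flips.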

Notes
If you try to use both routes with the same distance, then the second route will not be added to the table. In our case this will certainly be the BACKUP route not being added, as the PPPoE process takes time to come up on boot.
