Cisco ASA IP SLA – Failover Routing
It seems like every time I want to do something funky with an ASA, Cisco says “ASAs are not routers, use them for what they are designed for.” This really doesn’t help me…heh. ASAs can’t do PBR (Policy Based Routing, aka route maps), which would have been useful more than a few times. Back on topic: failover routing.
Route redundancy can be achieved locally using metrics on your routes, as you can on routers. But what if you have a point-to-point link that takes several hops through a provider network? If the link dies inside the provider network, the local link stays up and your bad route stays in the route table. What does one do?
In steps IP SLA. It provides many functions, including the ability to ping a remote host. So we have one ASA ping the other ASA across the point-to-point link, and if the ping fails, we drop the route across the P2P.
Here is a logical diagram of how it all works.
Bryan ASA:
```
 1  !ip sla monitor
 2  sla monitor 1
 3   type echo protocol ipIcmpEcho 192.168.1.1 interface P2P
 4   num-packets 3
 5   frequency 10
 6  !timer for monitor
 7  sla monitor schedule 1 life forever start-time now
 8  !attach tracker to monitor
 9  track 1 rtr 1 reachability
10  !route with ip sla tracker
11  route P2P 10.10.10.0 255.255.255.0 192.168.1.1 track 1
12  !backup route with a metric of 254
13  route outside 10.10.10.0 255.255.255.0 1.1.1.1 254
```
Dallas ASA:
```
 1  !ip sla monitor
 2  sla monitor 1
 3   type echo protocol ipIcmpEcho 192.168.1.3 interface P2P
 4   num-packets 3
 5   frequency 10
 6  !timer for monitor
 7  sla monitor schedule 1 life forever start-time now
 8  !attach tracker to monitor
 9  track 1 rtr 1 reachability
10  !route with ip sla tracker
11  route P2P 10.20.20.0 255.255.255.0 192.168.1.3 track 1
12  !backup route with a metric of 254
13  route outside 10.20.20.0 255.255.255.0 2.2.2.2 254
```
In the sample config you can see that the route across the point-to-point link has the tracker attached. As long as the ping completes, that route is used. If the ping fails, the route with a metric of 254 is used instead.
In the above example you would need to configure IP SLA on both Bryan and Dallas, so that both switch between the P2P and the Internet at the same time. Even if one side lags behind in switching to the Internet connection, the tunnel will still establish, since one side is attempting the connection.
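As an added example that is not part of the original post, here is a small Python audit of a saved ASA configuration that checks every tracked static route for the pieces this design depends on: a reachability track, an echo probe that is scheduled and leaves via the route's own interface, and a backup route to the same prefix with a worse metric. The config text it parses is constructed from the Bryan example above; the parsing is my own and covers only the commands shown on this page.

```python
import re

# Constructed sample modelled on the Bryan ASA config in the post; the audit
# below is an added example, not ASA code.
SAMPLE_CONFIG = """\
sla monitor 1
 type echo protocol ipIcmpEcho 192.168.1.1 interface P2P
 num-packets 3
 frequency 10
sla monitor schedule 1 life forever start-time now
track 1 rtr 1 reachability
route P2P 10.10.10.0 255.255.255.0 192.168.1.1 track 1
route outside 10.10.10.0 255.255.255.0 1.1.1.1 254
"""
ROUTE_RE = re.compile(r"route (\S+) (\S+) (\S+) (\S+)(?: (\d+))?(?: track (\d+))?$")
def audit_tracked_routes(config):
    """Return one problem string per missing piece of a tracked static route:
    undefined track, unscheduled or wrong-interface probe, or no backup route."""
    tracks, slas, scheduled, routes, sla = {}, {}, set(), [], None
    for line in (l.strip() for l in config.splitlines()):
        if m := re.match(r"sla monitor schedule (\d+)", line):
            scheduled.add(int(m.group(1)))
        elif m := re.match(r"sla monitor (\d+)$", line):
            sla = int(m.group(1))                   # sub-commands that follow belong here
        elif m := re.match(r"type echo protocol ipIcmpEcho (\S+) interface (\S+)", line):
            slas[sla] = (m.group(1), m.group(2))    # (probe target, egress interface)
        elif m := re.match(r"track (\d+) rtr (\d+) reachability", line):
            tracks[int(m.group(1))] = int(m.group(2))
        elif m := ROUTE_RE.match(line):
            iface, prefix, mask, gw, metric, track = m.groups()
            routes.append((iface, prefix, mask, gw, int(metric or 1),
                           int(track) if track else None))
    problems = []
    for iface, prefix, mask, gw, metric, track in routes:
        if track is None:
            continue                                # untracked routes need no probe
        if track not in tracks:
            problems.append(f"{prefix}: track {track} is not defined")
            continue
        sla_id = tracks[track]
        if sla_id not in slas:
            problems.append(f"{prefix}: sla monitor {sla_id} has no echo probe")
        elif slas[sla_id][1] != iface:
            problems.append(f"{prefix}: probe {sla_id} leaves via {slas[sla_id][1]}, route uses {iface}")
        if sla_id not in scheduled:
            problems.append(f"{prefix}: sla monitor {sla_id} is never scheduled")
        # A backup is an untracked route to the same prefix with a worse metric.
        if not any(r[1:3] == (prefix, mask) and r[5] is None and r[4] > metric for r in routes):
            problems.append(f"{prefix}: no backup route with a higher metric")
    return problems
```

Run it against the Bryan config and it returns an empty list; drop the schedule line or the backup route and it names the gap, which is the kind of check worth running before trusting a failover that is only exercised when the provider link actually breaks.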
Thanks, however there is a problem with the Bryan ASA example. Looks like line 9 got merged with line 8.