A problem with static routes is that no inherent mechanism exists to determine if the route is up or down. The route remains in the routing table even if the next hop gateway becomes unavailable. Static routes are removed from the routing table only if the associated interface on the security appliance goes down. In order to solve this problem, a static route tracking feature is used to track the availability of a static route and, if that route fails, remove it from the routing table and replace it with a backup route.
This document provides an example of how to use the static route tracking feature on the PIX 500 Series Security Appliance or the ASA 5500 Series Adaptive Security Appliance in order to enable the device to use redundant or backup Internet connections. In this example, static route tracking allows the security appliance to use an inexpensive connection to a secondary Internet service provider (ISP) in the event that the primary leased line becomes unavailable.
In order to achieve this redundancy, the security appliance associates a static route with a monitoring target that you define. The service level agreement (SLA) operation monitors the target with periodic Internet Control Message Protocol (ICMP) echo requests. If an echo reply is not received, the object is considered down, and the associated route is removed from the routing table. A previously configured backup route is used in place of the route that is removed. While the backup route is in use, the SLA monitor operation continues to try to reach the monitoring target. Once the target is available again, the first route is replaced in the routing table, and the backup route is removed.
Note: The configuration described in this document can not be used for load balancing or load sharing as it is not supported on ASA/PIX . Use this configuration for redundancy or backup purposes only. Outgoing traffic uses the primary ISP and then the secondary ISP, if the primary fails. Failure of the primary ISP causes a temporary disruption of traffic.
Choose a monitoring target that can respond to ICMP echo requests. The target can be any network object that you choose, but a target that is closely tied to your ISP connection is recommended. Some possible monitoring targets include:
The ISP gateway address
Another ISP-managed address
A server on another network, such as a AAA server, with which the security appliance needs to communicate
A persistent network object on another network (a desktop or notebook computer that you can shut down at night is not a good choice)
This document assumes that the security appliance is fully operational and configured to allow the Cisco ASDM to make configuration changes.
Note: For information about how to allow the ASDM to configure the device, refer to Allowing HTTPS Access for ASDM.
The information in this document is based on these software and hardware versions:
Cisco PIX Security Appliance 515E with software version 7.2(1) or later
Cisco Adaptive Security Device Manager 5.2(1) or later
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
You can also use this configuration with the Cisco ASA 5500 Series Security Appliance version 7.2(1).
Note: The backup interface command is required to configure the fourth interface on the ASA 5505. Refer to backup interface for more information.
For more information about document conventions, refer to the Cisco Technical Tips Conventions.
In this example, the security appliance maintains two connections to the Internet. The first connection is a high speed leased line that is accessed through a router provided by the primary ISP. The second connection is a lower speed digital subscriber line (DSL) line that is accessed through a DSL modem provided by the secondary ISP.
Note: Load balancing does not occur in this example.
The DSL connection is idle as long as the leased line is active and the primary ISP gateway is reachable. However, if the connection to the primary ISP goes down, the security appliance changes the routing table to direct traffic to the DSL connection. Static route tracking is used to achieve this redundancy.
The security appliance is configured with a static route that directs all Internet traffic to the primary ISP. Every 10 seconds the SLA monitor process checks to confirm that the primary ISP gateway is reachable. If the SLA monitor process determines that the primary ISP gateway is not reachable, the static route that directs traffic to that interface is removed from the routing table. In order to replace that static route, an alternate static route that directs traffic to the secondary ISP is installed. This alternate static route directs traffic to the secondary ISP through the DSL modem until the link to the primary ISP is reachable.
This configuration provides a relatively inexpensive way to ensure that outbound Internet access remains available to users behind the security appliance. As described in this document, this setup may not be suitable for inbound access to resources behind the security appliance. Advanced networking skills are required to achieve seamless inbound connections. These skills are not covered in this document.
In this section, you are presented with the information to configure the features described in this document.
Note: The IP addresses used in this configuration are not legally routable on the Internet. They are RFC 1918 addresses which are used in a lab environment.
This document uses this network setup:
This document uses these configurations:
Note: Use the Command Lookup Tool (registered customers only) to obtain more information on the commands used in this section.
PIX |
---|
pix# show running-config : Saved : PIX Version 7.2(1) ! hostname pix domain-name default.domain.invalid enable password 9jNfZuG3TC5tCVH0 encrypted names ! interface Ethernet0 nameif outside security-level 0 ip address 10.200.159.2 255.255.255.248 ! interface Ethernet1 nameif backup !--- The interface attached to the Secondary ISP. !--- "backup" was chosen here, but any name can be assigned. security-level 0 ip address 10.250.250.2 255.255.255.248 ! interface Ethernet2 nameif inside security-level 100 ip address 172.22.1.163 255.255.255.0 ! interface Ethernet3 shutdown no nameif no security-level no ip address ! interface Ethernet4 shutdown no nameif no security-level no ip address ! interface Ethernet5 shutdown no nameif no security-level no ip address ! passwd 2KFQnbNIdI.2KYOU encrypted ftp mode passive dns server-group DefaultDNS domain-name default.domain.invalid pager lines 24 logging enable logging buffered debugging mtu outside 1500 mtu backup 1500 mtu inside 1500 no failover asdm image flash:/asdm521.bin no asdm history enable arp timeout 14400 global (outside) 1 interface global (backup) 1 interface nat (inside) 1 172.16.1.0 255.255.255.0 !--- NAT Configuration for Outside and Backup route outside 0.0.0.0 0.0.0.0 10.200.159.1 1 track 1 !--- Enter this command in order to track a static route. !--- This is the static route to be installed in the routing !--- table while the tracked object is reachable. The value after !--- the keyword "track" is a tracking ID you specify. route backup 0.0.0.0 0.0.0.0 10.250.250.1 254 !--- Define the backup route to use when the tracked object is unavailable. !--- The administrative distance of the backup route must be greater than !--- the administrative distance of the tracked route. !--- If the primary gateway is unreachable, that route is removed !--- and the backup route is installed in the routing table !--- instead of the tracked route. timeout xlate 3:00:00 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00 timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00 timeout uauth 0:05:00 absolute username cisco password ffIRPGpDSOJh9YLq encrypted http server enable http 172.22.1.0 255.255.255.0 inside no snmp-server location no snmp-server contact snmp-server enable traps snmp authentication linkup linkdown coldstart sla monitor 123 type echo protocol ipIcmpEcho 10.0.0.1 interface outside num-packets 3 frequency 10 !--- Configure a new monitoring process with the ID 123. Specify the !--- monitoring protocol and the target network object whose availability the tracking !--- process monitors. Specify the number of packets to be sent with each poll. !--- Specify the rate at which the monitor process repeats (in seconds). sla monitor schedule 123 life forever start-time now !--- Schedule the monitoring process. In this case the lifetime !--- of the process is specified to be forever. The process is scheduled to begin !--- at the time this command is entered. As configured, this command allows the !--- monitoring configuration specified above to determine how often the testing !--- occurs. However, you can schedule this monitoring process to begin in the !--- future and to only occur at specified times. ! track 1 rtr 123 reachability !--- Associate a tracked static route with the SLA monitoring process. !--- The track ID corresponds to the track ID given to the static route to monitor: !--- route outside 0.0.0.0 0.0.0.0 10.0.0.2 1 track 1 !--- "rtr" = Response Time Reporter entry. 123 is the ID of the SLA process !--- defined above. telnet timeout 5 ssh timeout 5 console timeout 0 ! class-map inspection_default match default-inspection-traffic ! ! policy-map type inspect dns preset_dns_map parameters message-length maximum 512 policy-map global_policy class inspection_default inspect dns preset_dns_map inspect ftp inspect h323 h225 inspect h323 ras inspect netbios inspect rsh inspect rtsp inspect skinny inspect esmtp inspect sqlnet inspect sunrpc inspect tftp inspect sip inspect xdmcp ! service-policy global_policy global prompt hostname context Cryptochecksum:a4a0e9be4593ad43bc17a1cc25e32dc2 : end |
In order to configure redundant or backup ISP support with the ASDM application, complete these steps:
In the ASDM application, click Configuration, and then click Interfaces.
From the Interfaces list, select Ethernet0, and then click Edit.
This dialog box appears.
Check the Enable Interface check box, and enter values in the Interface Name, Security Level, IP Address, and Subnet Mask fields.
Click OK in order to close the dialog box.
Configure other interfaces as needed, and click Apply in order to update the security appliance configuration.
Click Routing located on the left side of the ASDM application.
Click Add in order to add the new static routes.
This dialog box appears.
From the Interface Name drop-down list, choose the interface on which the route resides, and configure the default route to reach the gateway. In this example, 10.0.0.1 is the primary ISP gateway, as well as the object to monitor with ICMP echos.
In the Options area, click the Tracked radio button, and enter values in the Track ID, SLA ID, and Track IP Address fields.
Click Monitoring Options.
This dialog box appears.
Enter values for frequency and other monitoring options, and click OK.
Add another static route for the secondary ISP in order to provide a route to reach the Internet.
In order to make it a secondary route, configure this route with a higher metric, such as 254. If the primary route (primary ISP) fails, that route is removed from the routing table. This secondary route (secondary ISP) is installed in the PIX routing table instead.
Click OK in order to close the dialog box.
The configurations appear in the Interface list.
Select the routing configuration, and click Apply in order to update the security appliance configuration.
Use this section to confirm that your configuration works properly.
Use these show commands to verify that your configuration is complete.
The Output Interpreter Tool (registered customers only) (OIT) supports certain show commands. Use the OIT to view an analysis of show command output.
show running-config sla monitor—Displays the SLA commands in the configuration.
pix# show running-config sla monitor sla monitor 123 type echo protocol ipIcmpEcho 10.0.0.1 interface outside num-packets 3 frequency 10 sla monitor schedule 123 life forever start-time now
show sla monitor configuration —Displays the current configuration settings of the operation.
pix# show sla monitor configuration 123 IP SLA Monitor, Infrastructure Engine-II. Entry number: 123 Owner: Tag: Type of operation to perform: echo Target address: 10.0.0.1 Interface: outside Number of packets: 3 Request size (ARR data portion): 28 Operation timeout (milliseconds): 5000 Type Of Service parameters: 0x0 Verify data: No Operation frequency (seconds): 10 Next Scheduled Start Time: Start Time already passed Group Scheduled : FALSE Life (seconds): Forever Entry Ageout (seconds): never Recurring (Starting Everyday): FALSE Status of entry (SNMP RowStatus): Active Enhanced History:
show sla monitor operational-state—Displays the operational statistics of the SLA operation.
Before the primary ISP fails, this is the operational state:
pix# show sla monitor operational-state 123 Entry number: 123 Modification time: 13:59:37.824 UTC Thu Oct 12 2006 Number of Octets Used by this Entry: 1480 Number of operations attempted: 367 Number of operations skipped: 0 Current seconds left in Life: Forever Operational state of entry: Active Last time this entry was reset: Never Connection loss occurred: FALSE Timeout occurred: FALSE Over thresholds occurred: FALSE Latest RTT (milliseconds): 1 Latest operation start time: 15:00:37.825 UTC Thu Oct 12 2006 Latest operation return code: OK RTT Values: RTTAvg: 1 RTTMin: 1 RTTMax: 1 NumOfRTT: 3 RTTSum: 3 RTTSum2: 3
After the primary ISP fails (and the ICMP echos time out), this is the operational state:
pix# show sla monitor operational-state Entry number: 123 Modification time: 13:59:37.825 UTC Thu Oct 12 2006 Number of Octets Used by this Entry: 1480 Number of operations attempted: 385 Number of operations skipped: 0 Current seconds left in Life: Forever Operational state of entry: Active Last time this entry was reset: Never Connection loss occurred: FALSE Timeout occurred: TRUE Over thresholds occurred: FALSE Latest RTT (milliseconds): NoConnection/Busy/Timeout Latest operation start time: 15:03:27.825 UTC Thu Oct 12 2006 Latest operation return code: Timeout RTT Values: RTTAvg: 0 RTTMin: 0 RTTMax: 0 NumOfRTT: 0 RTTSum: 0 RTTSum2: 0
Use the show route command to determine when the backup route is installed.
Before the primary ISP fails, this is the routing table:
pix# show route Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2 E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area * - candidate default, U - per-user static route, o - ODR P - periodic downloaded static route Gateway of last resort is 10.200.159.1 to network 0.0.0.0 S 64.101.0.0 255.255.0.0 [1/0] via 172.22.1.1, inside C 172.22.1.0 255.255.255.0 is directly connected, inside C 10.250.250.0 255.255.255.248 is directly connected, backup C 10.200.159.0 255.255.255.248 is directly connected, outside S* 0.0.0.0 0.0.0.0 [1/0] via 10.200.159.1, outside
After the primary ISP fails, the static route is removed, and the backup route is installed, this is the routing table:
pix(config)# show route Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2 E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area * - candidate default, U - per-user static route, o - ODR P - periodic downloaded static route Gateway of last resort is 10.250.250.1 to network 0.0.0.0 S 64.101.0.0 255.255.0.0 [1/0] via 172.22.1.1, inside C 172.22.1.0 255.255.255.0 is directly connected, inside C 10.250.250.0 255.255.255.248 is directly connected, backup C 10.200.159.0 255.255.255.248 is directly connected, outside S* 0.0.0.0 0.0.0.0 [254/0] via 10.250.250.1, backup
In order to confirm with the ASDM that the backup route is installed, complete these steps:
Click Monitoring, and then click Routing.
From the Routing tree, choose Routes.
Before the primary ISP fails, this is the routing table:
The DEFAULT route points to 10.0.0.2 through the outside interface.
After the primary ISP fails, the route is removed, and the backup route is installed. The DEFAULT route now points to 10.250.250.1 through the backup interface.
debug sla monitor trace—Displays progress of the echo operation.
The tracked object (primary ISP gateway) is up, and ICMP echos succeed.
IP SLA Monitor(123) Scheduler: Starting an operation IP SLA Monitor(123) echo operation: Sending an echo operation IP SLA Monitor(123) echo operation: RTT=3 OK IP SLA Monitor(123) echo operation: RTT=3 OK IP SLA Monitor(123) echo operation: RTT=4 OK IP SLA Monitor(123) Scheduler: Updating result
The tracked object (primary ISP gateway) is down, and ICMP echos fail.
IP SLA Monitor(123) Scheduler: Starting an operation IP SLA Monitor(123) echo operation: Sending an echo operation IP SLA Monitor(123) echo operation: Timeout IP SLA Monitor(123) echo operation: Timeout IP SLA Monitor(123) echo operation: Timeout IP SLA Monitor(123) Scheduler: Updating result
debug sla monitor error—Displays errors that the SLA monitor process encounters.
The tracked object (primary ISP gateway) is up, and ICMP succeeds.
%PIX-7-609001: Built local-host NP Identity Ifc:10.200.159.2 %PIX-7-609001: Built local-host outside:10.0.0.1 %PIX-6-302020: Built ICMP connection for faddr 10.0.0.1/0 gaddr 10.200.159.2/52696 laddr 10.200.159.2/52696 %PIX-6-302021: Teardown ICMP connection for faddr 10.0.0.1/0 gaddr 10.200.159.2/52696 laddr 10.200.159.2/52696 %PIX-7-609002: Teardown local-host NP Identity Ifc:10.200.159.2 duration 0:00:00 %PIX-7-609002: Teardown local-host outside:10.0.0.1 duration 0:00:00 %PIX-7-609001: Built local-host NP Identity Ifc:10.200.159.2 %PIX-7-609001: Built local-host outside:10.0.0.1 %PIX-6-302020: Built ICMP connection for faddr 10.0.0.1/0 gaddr 0.200.159.2/52697 laddr 10.200.159.2/52697 %PIX-6-302021: Teardown ICMP connection for faddr 10.0.0.1/0 gaddr 10.200.159.2/52697 laddr 10.200.159.2/52697 %PIX-7-609002: Teardown local-host NP Identity Ifc:10.200.159.2 duration 0:00:00 %PIX-7-609002: Teardown local-host outside:10.0.0.1 duration 0:00:00
The tracked object (primary ISP gateway) is down, and the tracked route is removed.
%PIX-7-609001: Built local-host NP Identity Ifc:10.200.159.2 %PIX-7-609001: Built local-host outside:10.0.0.1 %PIX-6-302020: Built ICMP connection for faddr 10.0.0.1/0 gaddr 10.200.159.2/6405 laddr 10.200.159.2/6405 %PIX-6-302020: Built ICMP connection for faddr 10.0.0.1/0 gaddr 10.200.159.2/6406 laddr 10.200.159.2/6406 %PIX-6-302020: Built ICMP connection for faddr 10.0.0.1/0 gaddr 10.200.159.2/6407 laddr 10.200.159.2/6407 %PIX-6-302021: Teardown ICMP connection for faddr 10.0.0.1/0 gaddr 10.200.159.2/6405 laddr 10.200.159.2/6405 %PIX-6-302021: Teardown ICMP connection for faddr 10.0.0.1/0 gaddr 10.200.159.2/6406 laddr 10.200.159.2/6406 %PIX-6-302021: Teardown ICMP connection for faddr 10.0.0.1/0 gaddr 10.200.159.2/6407 laddr 10.200.159.2/6407 %PIX-7-609002: Teardown local-host NP Identity Ifc:10.200.159.2 duration 0:00:02 %PIX-7-609002: Teardown local-host outside:10.0.0.1 duration 0:00:02 %PIX-6-622001: Removing tracked route 0.0.0.0 0.0.0.0 10.200.159.1, distance 1, table Default-IP-Routing-Table, on interface outside !--- 10.0.0.1 is unreachable, so the route to the Primary ISP is removed.
If the tracked route is removed unnecessarily, ensure that your monitoring target is always available to receive echo requests. In addition, ensure that the state of your monitoring target (that is, whether or not the target is reachable) is closely tied to the state of the primary ISP connection.
If you choose a monitoring target that is farther away than the ISP gateway, another link along that route may fail or another device may interfere. This configuration may cause the SLA monitor to conclude that the connection to the primary ISP has failed and cause the security appliance to unnecessarily fail over to the secondary ISP link.
For example, if you choose a branch office router as your monitoring target, the ISP connection to your branch office could fail, as well as any other link along the way. Once the ICMP echos that are sent by the monitoring operation fail, the primary tracked route is removed, even though the primary ISP link is still active.
In this example, the primary ISP gateway that is used as the monitoring target is managed by the ISP and is located on the other side of the ISP link. This configuration ensures that if the ICMP echos that are sent by the monitoring operation fail, the ISP link is almost surely down.
Problem:
SLA monitoring does not work after the ASA is upgrade to version 8.0.
Solution:
The problem is possibly be due to the IP Reverse-Path command configured in the OUTSIDE interface. Remove the command in ASA and try to check the SLA Monitoring.
Revision | Publish Date | Comments |
---|---|---|
1.0 |
26-Jun-2006 |
Initial Release |