Cisco ASA – Redundant ISP (SLA monitor)

In this video I'm going to show you how you can use the ASA's SLA monitor and ICMP reachability functions to take advantage of a redundant ISP connected to your ASA. Basically, as an example, when you have a primary internet connection and a backup internet connection, if the main one fails you can automatically fail over to the backup one by installing tracked routes into your routing table, where the tracking is based on SLA monitor functions.

My setup, which I'll show you quickly: I've got two interfaces, ISP1 and ISP2, and each one goes off to its own ISP router. This is a lab environment, not a real environment, just to mention. I wanted to show that I can reach those routers, 1 and 2; they're both my ISP simulation routers. I've also got a third router acting as a host on the internet, simulating a host on the internet, so anything I need to reach has to pass through the ISP routers.

So what we're going to do is create an SLA first. The command is sla monitor, and then we specify an object ID of 10, and then we specify the type. The type command is a bit silly really, because it's the only command you can specify in this configuration mode. So we're saying the type is echo and the protocol is ipIcmpEcho, and our target address will in this instance be 8.8.8.8, which is what my simulation is set up as; in real life it's probably better to use the next hop along, the ISP router. Then you specify the interface from which to send out these ICMP echoes, which would be my ISP1 interface. Then you've got all these other commands where you can specify different aspects and attributes of the ICMP packet; for example we could say frequency 5 so it sends one every five seconds (this is measured in seconds). OK, so that's done.

Now we're going to specify the SLA schedule: sla monitor schedule 10, life will be forever, so we want it to ping forever, and we want the start time to be now, so it's going to start right now.

Next we're going to create the tracker, which is what the route references. The track references the SLA monitor, and the route references back to the tracker. The command is track 1, which is the tracker ID, then after rtr you specify the SLA object ID which we specified above, and the end component is reachability. OK, so now we have a tracker we can install the routes into the routing table. The command is route ISP1 0 0 (a shorthand for 0.0.0.0 0.0.0.0), and we're going to say it goes via the ISP1 router's address. Then we give it an administrative distance, and this is very important when you're setting this up: this one is 1, and we reference track 1 here. OK, so that route is now in our routing table. Next we're going to specify the backup route through ISP2, which is the same obviously, except it goes through the ISP2 router and the administrative distance is going to be higher than that of the route for the primary line.

OK, so if I do a show route now, I've got my ISP1 route installed. Basically, if we do a show track command we can see that reachability is up, so it's getting to my target address of 8.8.8.8, which is why that route is now installed in the routing table. If for example 8.8.8.8 was to go down through the ISP1 interface, then this route would be uninstalled from the routing table and the backup route would be installed.

So let me now create our NAT rules. This is important: a lot of people, when they're setting up this SLA monitor, don't know the correct NAT rules to use, and I don't know this a hundred percent, but this is what works for me. So: nat (inside, ISP1). By the way, this is not auto NAT; this is a manual NAT rule going into our first section of NAT (I'm going to make a video on NAT soon). Then source dynamic, and we want to say our inside hosts are going to PAT onto the interface. Then you set up the same command for ISP2, source dynamic, and it's basically the same. If you don't know already, NAT happens after routing takes place, so if you're wondering why these wouldn't conflict, it's because the routing takes place first. So if we read this NAT statement out: when the ingress interface is inside and the egress interface is ISP1, which will happen if the routing table has our default route pointing out of our ISP1 interface (which it does at the moment), translate the source address of the packet to our outside interface address on ISP1. The same applies for the other statement: if the ingress interface is inside and the egress interface is ISP2, and the ISP2 route is in the routing table, then it'll all be fine.

So now we're going to test our functionality. I should be able to ping our host 8.8.8.8, yeah, and if we do a traceroute to 8.8.8.8 you'll see it's going via our ISP router 1, that is, via the address that's linked to our ISP1 outside interface, and then to the router simulating the host address, which is one of the interfaces on that router. So now for example if I take the cable out of the ISP1 router, we should see our tracker go down and reachability cease, and then our routes. Let's see if it's failed over yet. Yes, now we see that our route has failed over and it's going through ISP2. If I ping 8.8.8.8 I still get to it, and this time when we do a traceroute it's going via the ISP2 router. If we scroll back up I'll show you the result last time: it was going via a different address, which is obviously a different interface on that router I told you about.

Hope you found this video informative. If you have any feedback, leave it in the comments below, and remember to subscribe. Thank you.
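The configuration the video walks through, written out in one place as an added example (this is not the video's own config). The inside subnet, the two gateway addresses (RFC 5737 documentation ranges), the interface names and the probe tuning values (num-packets, timeout, threshold) are assumptions; interfaces inside, ISP1 and ISP2 are assumed to already exist.

```cisco
! Added example of the redundant-ISP setup described above (not the video's own config).
! Assumed placeholders: ISP1 gateway 203.0.113.1, ISP2 gateway 198.51.100.1,
! inside subnet 10.0.0.0/24. Replace with your own values.

! 1. SLA monitor: ICMP echo to the tracked target, sourced from the ISP1 interface.
!    8.8.8.8 is the target used in the video; the ISP1 next hop is usually the better
!    choice, since the probe then tests the link itself and not the whole internet path.
sla monitor 10
 type echo protocol ipIcmpEcho 8.8.8.8 interface ISP1
 frequency 5
 num-packets 3
 timeout 1000
 threshold 500
sla monitor schedule 10 life forever start-time now

! 2. Tracker: ties the primary route to the reachability state of SLA object 10.
track 1 rtr 10 reachability

! 3. Default routes. The primary has AD 1 and stays installed only while track 1 is up.
!    The backup has a higher AD (254 assumed) so it is only used once the primary is withdrawn.
route ISP1 0.0.0.0 0.0.0.0 203.0.113.1 1 track 1
route ISP2 0.0.0.0 0.0.0.0 198.51.100.1 254

! 4. Manual (section 1) NAT: one PAT-to-interface rule per egress interface. Routing
!    happens before NAT, so only the rule for the currently installed default route matches.
object network INSIDE-NET
 subnet 10.0.0.0 255.255.255.0
nat (inside,ISP1) source dynamic INSIDE-NET interface
nat (inside,ISP2) source dynamic INSIDE-NET interface

! 5. Verification: probe statistics, tracker state, and which default route is installed.
show sla monitor operational-state 10
show track 1
show route
```

Sending three echoes per probe (num-packets 3) with a short timeout means one dropped reply does not on its own withdraw the primary route, while still detecting a hard link failure within a few probe intervals.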

22 thoughts on “Cisco ASA – Redundant ISP (SLA monitor)”

  1. I don't think the tracking objects are working here. It's the administrative distances that fall back to the secondary path… Anyway, can you show us that tracking is working? Please make a video on that.

  2. Thanks man, I was going to configure the redundancy; this would definitely help. Keep up the good work.

  3. Hi Laurence, can static NAT work on this? And I have many route configs for IPsec VPN (static routes); what will be the gateway IP for those static routes?

  4. Sometimes you can momentarily lose ICMP connectivity to the device you're tracking on the internet when the route is not really down. In other words ICMP will again be replied to when congestion is relieved. Is there a way to adjust the ICMP timeout or set the number of 1 second ICMP failures to trigger the route change? I don't want to change routes unless the connection to ISP1 is hard down.

  5. Nice video. It is taking the backup route, but when the primary one is coming up it is still taking the backup route.

    How do I solve this problem?

  6. Hi Lau. ISP 1 and ISP 2 are both configured. ISP 1 has a speed test of 20 Mbps directly on the switchport of the router; when connected to the ASA 5512-X, the port on the ASA 5512-X (internal) has the same speed test as the router's switchport, but when this ASA port is connected to another switch (core switch) internally, the speed decreases. Note: no other connected device is using the core switch. Is there something to configure or adjust on either port (ASA or Catalyst core)? Any suggestion or advice is highly appreciated.

  7. Great video, but when switching from ISP1 to ISP2 it takes a long time, maybe 30 to 35 seconds. Is it possible to use the command line to minimize the timeout when it switches from ISP1 to ISP2?

  8. Fabulous vid Laurence. But tell me, my setup (ASA 5505) won't work unless I first put in a static route for the target IP (via ISP1). Should this be necessary?

  9. exchange 5,200,2008,2010 lot more to write flaxsys-Skype no salary increase just learn lifetime hate it yes i know switch, router, firewall also

  10. can i get job after this i have 11 year exp in desktop server, from 33 year jobless i know win95,98,xp,2000,7,8,servernt,2000,,2003,2008 Linux all flavors, did Cisco, mcse course know 386,486,p1-2-3-4,,mb-all version

  11. Thanks for a nice video. It looks like what I need to do. Do you have the config listed somewhere that I can view. Then I can try to repeat it in our setup. Thanks.


  12. I do have one question regarding setup though. I have 2 ISPs, one DSL and one cable, both static, but when creating the 3rd interface for the new cable connection what exactly needs to be done? I was reading and saw a few things that kind of threw me off. Do I create a new third interface called "cable" and assign it vlan 3, vlan 1 and 2 being inside and DSL? Does anything need to be done for PAT/NAT? If you would like to reply to me via email I would GREATLY appreciate the help!!! [email protected]

  13. Hi Matt, Sorry for the delayed response, I was using a 5512-X but the feature will work on a 5510/5505 with sec plus license.

  14. Hi Laurence, great video! Can you tell me what model of ASA you're using in this video. I have a client using a 5505 and from everything I read and when speaking to Cisco they say this is not possible but with the security plus license it "looks" as though it is possible and I am looking for a little guidance before going and spending the money on the sec plus if it's not going to work. Thanks!

