Matsco
asked on
IP SLA on ASA 55xx and Boolean expressions
Problem Details:
I would like to track multiple objects on an ASA 55xx appliance and ensure the backup
route will be triggered only if all the objects are unreachable. I researched
possible solutions and found that some IOS versions for routers and switches do that, but I could
not find the feature in the current ASA software 7.2.x or 8.x.
Is there any possibility to do this, or is there an alternative setup that allows tracking
multiple objects out of the same ASA interface?
track 100 list boolean or
object 1
object 2
object 3
My concern is that tracking a single object would introduce a single point of failure in
case that object became unreachable for reasons other than Internet-related issues.
Please advise.
Thanks in advance.
ASKER CERTIFIED SOLUTION
I'm pretty sure that would work. I have not done it myself, however.
ASKER
This doesn't work, man! I tried it on the weekend on ASA version 7.2.4 without luck. I have opened a Cisco TAC case as well, and they confirm there's no solution as of yet in the ASA software and advise contacting my Cisco account manager for a Product Enhancement Request (PER).
Your question was answered; it just wasn't the answer you wanted.
ASKER
Actually, you're 50% right with the first answer you gave, but please note your workaround doesn't work on ASAs/PIXes; however, I will still award the points.
I just came across this trying to do the same thing with an ASA.
I was able to get it working by setting up multiple tracked objects. I could not create two default route entries pointing to the same gateway IP, so I did a traceroute and noticed the next hop beyond the gateway was always the same.
So if this is the case for you, what you can do is create a second tracked object and tie a second default route with a higher administrative distance to that tracked object.
You'll want to add a static route in your firewall for this next hop, pointing to your primary ISP default gateway.
So something like this:
! Primary default route, withdrawn by the ASA when tracked object 1 goes unreachable
route outside 0.0.0.0 0.0.0.0 'ISP #1 gateway ip' 1 track 1
! Second default route via ISP #1's upstream hop, withdrawn when tracked object 2 goes unreachable
route outside 0.0.0.0 0.0.0.0 'next hop from ISP #1 gateway' 2 track 2
! Host route so the ASA can resolve that upstream hop through the ISP #1 gateway
route outside 'next hop from ISP #1 gateway' 255.255.255.255 'ISP #1 gateway ip' 1
! Host routes pinning the two tracked targets to ISP #1, so they are always probed via the primary link
route outside 'tracked object 1 IP address' 255.255.255.255 'ISP #1 gateway ip' 1
route outside 'tracked object 2 IP address' 255.255.255.255 'ISP #1 gateway ip' 1
! Floating static on the backup interface, untracked; used only once both tracked defaults are gone
route backup 0.0.0.0 0.0.0.0 'ISP #2 gateway ip' 10
So if the first object is unreachable, the default route points to the next hop from the primary ISP gateway. With that hop likely residing on a different subnet, you need the static route to point to that next hop. Only when the second tracked object is also unreachable does it then move to the backup interface default route.
This config provides a little security in that it does not move to the backup connection if there is a problem with one particular host rather than the Internet connection itself. That, I believe, was the poster's original intent.
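Below is the complete ASA configuration that the route list above depends on, written out as an added example; it is not the poster's config and not Cisco's own documentation. It includes the sla monitor and track objects that the routes reference, since a tracked static route is only withdrawn when its track object goes down. Every address is an assumed placeholder from the RFC 5737 documentation ranges: 192.0.2.1 is the ISP #1 gateway on interface outside, 198.51.100.1 is the next hop behind it found with traceroute, 203.0.113.10 and 203.0.113.20 are the two monitored hosts, and 192.0.2.129 is the ISP #2 gateway on interface backup.

```text
! Added example, not the original poster's configuration. Addresses are placeholders.
!
! Probe 1: ICMP echo to the first monitored host, sent from the outside interface
sla monitor 1
 type echo protocol ipIcmpEcho 203.0.113.10 interface outside
 num-packets 3
 frequency 10
sla monitor schedule 1 life forever start-time now
!
! Probe 2: second monitored host, same interface
sla monitor 2
 type echo protocol ipIcmpEcho 203.0.113.20 interface outside
 num-packets 3
 frequency 10
sla monitor schedule 2 life forever start-time now
!
! Track objects: each goes down when its probe reports the host unreachable
track 1 rtr 1 reachability
track 2 rtr 2 reachability
!
! Host routes via the ISP #1 gateway: the upstream hop that serves as the
! second default gateway, plus the two monitored hosts so that they are
! always probed through ISP #1 and never through the backup link
route outside 198.51.100.1 255.255.255.255 192.0.2.1 1
route outside 203.0.113.10 255.255.255.255 192.0.2.1 1
route outside 203.0.113.20 255.255.255.255 192.0.2.1 1
!
! Default routes; the lowest administrative distance still present wins:
!   AD 1  via the ISP #1 gateway, withdrawn when host 1 is unreachable
!   AD 2  via ISP #1's upstream hop (resolved through the host route above),
!         withdrawn when host 2 is unreachable
!   AD 10 floating static on the backup interface, untracked, so it is used
!         only once both tracked defaults have been withdrawn
route outside 0.0.0.0 0.0.0.0 192.0.2.1 1 track 1
route outside 0.0.0.0 0.0.0.0 198.51.100.1 2 track 2
route backup 0.0.0.0 0.0.0.0 192.0.2.129 10
```

Static route tracking with sla monitor needs ASA 7.2(1) or later, so it applies to the 7.2.4 image in this thread. Check the state with `show sla monitor operational-state`, `show track` and `show route`: with both hosts up, `show route` lists the AD 1 default; pull host 1 and the AD 2 default via 198.51.100.1 takes over, while traffic still leaves through 192.0.2.1; only when host 2 also fails does the backup default appear. The effect is the "all objects down" semantics the question asked for, built from two chained floating statics instead of a boolean track list. The caveat is that both probes still share ISP #1's physical path, so this guards against one monitored host being down on its own, not against a misjudgement that only a second, independent path could catch.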