nathanspowell
asked on
Cisco ASA Routing Question
We have a network with 9 locations that are in an MPLS network with route distribution via EIGRP.
Each site also has a second internet connection that is routed with an ASA 5510.
The default gateway of each site is a layer 3 switch with EIGRP and a static 0.0.0.0 route to the ASA. We've configured site to site vpn between the locations as a backup to MPLS failure. If a link fails the route drops from EIGRP and the gateway then routes that network to the ASA which brings the tunnel up.
So here's the issue, I have static routes on the inside interface of the ASA that route each subnet back to the interior gateway so the ASA's can be managed over the MPLS. When an MPLS link goes down the static routes for the affected network have to be removed from all ASA's before the tunnels will route correctly.
What I'm hoping is that there is some way I can get the ASA to give the static route a lower metric than the VPN route, or dynamically build the route based on remote availability.
Thanks in advance!
I meant:
route outside 0.0.0.0 255.255.255.0 23.23.23.2 254
You can assign a metric to the static, as demonstrated above, just not on the default.
route inside 10.0.0.0 255.0.0.0 10.1.12 254
You can enable EIGRP between the ASA and the router and let it dynamically learn the routes while the mpls is alive.
ASKER
@602650528
Clarification, changing the metric of this route won't help. If I static route my machine to use the ASA as the gateway for a specific subnet it won't even bring the tunnel up as long as the static route is there. When I remove the route the tunnel will come up. Changing to 254 makes no difference.
@Irmoore
I think adding the ASA to EIGRP will be the solution. This way the route would drop off if an mpls link went down which would bring the tunnel up. Unfortunately I either have to induce a MPLS failure or wait for one to prove it. It sounds like the best solution though.
Thanks.
ASKER
Ok thinking through this I don't think adding EIGRP to the ASA is going to work. Here is a pseudo copy of the route distribution.
10.10.10.1 = Layer 3 Switch Interior Gateway
10.10.10.2 = MPLS Router
10.10.10.254 = ASA
EIGRP routes 9 subnets via 10.10.10.2
10.10.10.2 routes 10.10.10.0/24 via 10.10.10.1
If the ASA picks up this route it's going to route out via 10.10.10.2 and 10.10.10.2 is going to route in via 10.10.10.1. I don't believe this will work. Please correct me if I'm wrong.
This leads me to another option. Can I use a tracked static route on the ASA? I haven't used this feature before but my understanding is I can track a remote host to confirm the viability of the route. If the tracked host is unreachable, is the route removed or made inactive? If so I could see the ASA bringing the tunnel up at that point, which would accomplish what I want.
Since all three devices are on the same interior subnet, EIGRP should work just fine. Since all 3 devices know where to route traffic, it shouldn't be a problem.
Tracking may be an alternative, but probably not as reliable as EIGRP.
Thinking about that, if you are tracking a host on the other side of the MPLS link and the MPLS link drops, the route drops out. Now with no route to the host you're tracking, even if the MPLS link comes back up, the static route is gone and you'll never get back to where it was.
ASKER
So it just removes the route entirely? I would assume it would continue to track it and put it back when the link was restored.
I'm just thinking out loud, but if the route drops out, how can it possibly ever find the host again to restore it?
You would have to add a host-specific route that is not tracked, and then a tracked network route. This is the way I typically do it for default route tracking...
ASKER
That sounds like it would work assuming the ASA does continue to attempt to track the subnet route once it fails. Can you confirm that?
ASKER CERTIFIED SOLUTION
ASKER
Can't thank you enough!
ASKER
One more question.
In your lab if you bring 192.168.125.1 back online does the tracked subnet come back to life as expected.
I interpret your comment that it does but I just wanted to confirm.
Yes, it does!
ASKER
Just wanted to update this. The static non tracked route for a host is not necessary.
Adding a subnet with a tracked host is enough. It will persist in tracking that host via the defined route even if the reachability is false. Once it becomes reachable again it will restore the route.
e.g. ip route 10.0.0.0 255.255.255.0 23.23.23.2 254
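The tracked static route the thread settles on, written out as a complete ASA configuration. This is an added example, not configuration posted by anyone in the thread: the interface name "inside", the remote subnet 192.168.125.0/24, the SLA monitor id 10 and the track id 1 are assumptions; 10.10.10.1 is the interior gateway from the asker's diagram and 192.168.125.1 is the host the expert mentioned tracking in their lab.

```cisco
! Added example (not from the thread): tracked static route on an ASA so that
! the inside route toward a remote, MPLS-reachable subnet is withdrawn when the
! MPLS path fails and the site-to-site VPN takes over.
!
! Assumptions / placeholders:
!   inside            - name of the ASA's inside interface (assumed)
!   10.10.10.1        - layer 3 interior gateway (from the thread)
!   192.168.125.0/24  - a remote site subnet (assumed)
!   192.168.125.1     - tracked host in that subnet (host from the expert's lab)
!   sla monitor 10 / track 1 - arbitrary ids

! ICMP echo probe to the remote host, sent out the inside interface every 5 s.
sla monitor 10
 type echo protocol ipIcmpEcho 192.168.125.1 interface inside
 num-packets 3
 frequency 5
sla monitor schedule 10 life forever start-time now

! Tracking object that follows the probe's reachability state.
track 1 rtr 10 reachability

! Static route toward the remote subnet via the interior gateway, installed only
! while track 1 is Up. When the probe fails the route leaves the routing table,
! traffic for 192.168.125.0/24 falls through to the outside default route and
! matches the VPN crypto map, so the tunnel comes up. The tracked route stays
! configured while absent from the table and the ASA keeps probing, so the route
! is reinstalled when the host becomes reachable again (the behaviour the asker
! confirmed above), so no separate untracked host route is needed.
route inside 192.168.125.0 255.255.255.0 10.10.10.1 1 track 1

! Verification:
!   show track 1                              -> Reachability is Up / Down
!   show sla monitor operational-state 10     -> probe results
!   show route                                -> tracked static present only while Up
```

One operational check worth doing before relying on this: the remote end must answer ICMP echo from the ASA's inside address, otherwise the track object never comes Up and the route is never installed, which looks like an MPLS outage to the VPN and would keep the backup tunnel up permanently. Failover time is governed by the probe frequency and timeout, so tune those to the outage detection you need rather than leaving the defaults.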