• Status: Solved
  • Priority: Medium
  • Security: Public

Catalyst 3750 and Cisco ASA 5510 Failover Routing / ICMP Redirects Query

Hi there,

Please take a look at the attached JPG (Schematic Overview).
What I need to be able to set up is a scenario where if the LES goes down, routing between the subnets is automatically achieved by the VPN tunnel configured between the ASA devices (I haven't actually configured it yet, but I'm comfortable with this part).

Additionally, if the Internet connection goes down at either site, I need Internet traffic to be re-routed to the alternative ASA via the LES circuit.

I can provide configs if necessary, but they are fairly standard. The query is not how to execute this, as I'm quite comfortable with configuring ASAs and Catalysts (I think), but more around the design aspect.

1. Can this be done with the equipment shown here?
2. Can someone point me towards some relevant examples (I can't find any)?

My initial thoughts were:

- Set the default gateway to be the switches at each site (.250 HSRP address)
- Set up an RTR / TRACK to send pings to a known device on each of the alternate networks
- If the RTR fails, then re-route to the ASA using a secondary route statement

For the Internet failover:

- Have a separate RTR pinging google or bbc or something on each of the switches.
- When that RTR fails, send traffic over the LES switch port instead of redirecting it to the ASAs

My only thoughts about this are that, of course, with HSRP set up, both subnets are directly connected to each of the switches, so how do I go about enforcing a route statement and an ICMP redirect through to the ASA at each site? Is there a value I can assign this, or some command I can execute, that will ignore the directly connected VLANs and route externally?

We set up the LES with HSRP and inter-VLAN routing on both switches as, if I am honest, I couldn't get the Catalysts to route using switchports in the standard manner (i.e. like a router). So for instance, sending any traffic for over switchport 1 on and vice-versa on the alternate switch didn't work for some reason. I spent ages trying to figure this out, and eventually realised that HSRP with both VLANs present at each site was actually a better way to set it up anyway; however, now I'm presented with this additional challenge.

Any pointers on the design greatly appreciated.

I should add that the ASAs are running 8.3(1) and I read that these now support ICMP redirects; however, actually trying to get them to issue ICMP redirects seems to be a bit of a black art! I wonder if what the documentation means is that the ASAs themselves will accept ICMP redirects and route accordingly? Any clues as to this greatly appreciated.

1 Solution
Sorry, but the design won't work. The switches will have no reason to route the traffic to the opposing side, because the IP subnet is already directly connected.
I think you need to go back to having only the actual subnet present on each side, and not run HSRP. It should work without a problem, so we need to dig into why it didn't work the first time around.
When you get that part working, you can move on to getting a routing protocol up and running. The ASA supports only RIP and OSPF.
I just reread your question, and think I know where it went wrong. Did you have an extra ip subnet for routing purposes between the two sites on the LES side of things? You need a third subnet/vlan in order for the switches to do the routing. For example 192.168.100.x
I found an example that describes the configuration you need. The only difference is that your switches (interchangeable with routers from the example in your case) have an extra direct link between them.
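For readers who want to see what the accepted answer's "third subnet/VLAN for routing" looks like alongside the IP SLA / track failover the question sketches, here is an added configuration example for the Site A Catalyst 3750. It is not from the thread or from Cisco's documentation. Every address and interface name is an assumption: 192.168.1.0/24 for the Site A LAN, 192.168.2.0/24 for Site B, 192.168.100.0/30 as the transit subnet on the LES (the thread only suggests "192.168.100.x"), the ASA inside interface at .1, the switch SVI at .250, and GigabitEthernet1/0/1 as the LES port. The Site B switch is the mirror image with the addresses swapped.

```cisco
! Site A Catalyst 3750 -- added example, addresses and interface names are assumptions
ip routing
!
interface Vlan10
 description Site A LAN (only this site's subnet lives here; no HSRP)
 ip address 192.168.1.250 255.255.255.0
!
interface Vlan100
 description Transit subnet to Site B over the LES (the "third subnet" from the answer)
 ip address 192.168.100.1 255.255.255.252
!
interface GigabitEthernet1/0/1
 description LES circuit to the Site B switch
 switchport mode access
 switchport access vlan 100
!
! --- Inter-site failover: LES first, ASA site-to-site VPN second ---
! Probe the far switch's transit address so the track follows the LES itself.
ip sla 1
 icmp-echo 192.168.100.2 source-interface Vlan100
 frequency 5
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability
!
! Primary route to Site B over the LES; removed from the table when track 1 is down.
ip route 192.168.2.0 255.255.255.0 192.168.100.2 track 1
! Floating static (AD 10) to Site B via the local ASA, i.e. over the VPN tunnel.
ip route 192.168.2.0 255.255.255.0 192.168.1.1 10
!
! --- Internet failover: local ASA first, remote site's ASA over the LES second ---
! Probe target is assumed (the question mentions "google or bbc or something").
ip sla 2
 icmp-echo 8.8.8.8 source-interface Vlan10
 frequency 10
ip sla schedule 2 life forever start-time now
track 2 ip sla 2 reachability
!
! Pin the probe's host route to the local ASA. Without this, once the default route
! floats to the LES the probe would also leave via Site B, succeed, and flap the route.
ip route 8.8.8.8 255.255.255.255 192.168.1.1
!
ip route 0.0.0.0 0.0.0.0 192.168.1.1 track 2
ip route 0.0.0.0 0.0.0.0 192.168.100.2 10
```

Two things to check before relying on this. First, because the remote subnet is no longer directly connected, the floating static is only ever selected when the tracked route is withdrawn; with HSRP and both VLANs on both switches (the original design) the connected route, at administrative distance 0, always wins and the static is never installed, which is the failure the answer describes. Second, the ASAs need matching pieces: each ASA needs a route for the far LAN back to its own switch (on Site B's ASA, `route inside 192.168.1.0 255.255.255.0 192.168.2.250`), a NAT rule that covers the other site's subnet when it provides Internet for it, and `same-security-traffic permit intra-interface` so that LAN traffic arriving on the inside interface can be U-turned into the VPN tunnel. Older 3750 IOS releases use the `rtr` keyword in place of `ip sla`, and `track 1 rtr 1 reachability` in place of the form shown.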

prodriveitAuthor Commented:
Thanks for your help - that's really useful!

I didn't have the third subnet, so I will go back and re-configure with that in place and disable HSRP etc.

From there, I will have a go at sorting the RIP / OSPF myself, but if I get stuck, I may post another question on this and will send you a message (if that's possible) through EE, if I may?

Thanks again. I'll close the question unless you think I should leave it open for any reason?

prodriveitAuthor Commented:
Thanks for the prompt response.
You're welcome. I think there is a link on my profile page to contact me directly, but I haven't used that feature before.