Catalyst 3750 and Cisco ASA 5510 Failover Routing / ICMP Redirects Query

Posted on 2011-04-19
Last Modified: 2012-06-27
Hi there,

Please take a look at the attached JPG (Schematic Overview).
What I need to be able to set up is a scenario where, if the LES goes down, routing between the subnets is automatically achieved by the VPN tunnel configured between the ASA devices (I haven't actually configured it yet, but I'm comfortable with this part).

Additionally, if the Internet connection goes down at either site, I need Internet traffic to be re-routed to the alternative ASA via the LES circuit.

I can provide configs if necessary, but they are fairly standard. The query is not how to execute this, as I'm quite comfortable with configuring ASAs and Catalysts (I think), but more around the design aspect.

1. Can this be done with the equipment shown here?
2. Can someone point me towards some relevant examples? (I can't find any.)

My initial thoughts were:

- Set the default gateway to be the switches at each site (.250 HSRP address)
- Set up an RTR / TRACK to send pings to a known device on each of the alternate networks
- If the RTR fails, then re-route to the ASA using a secondary route statement

For the Internet failover:

- Have a separate RTR pinging Google or the BBC or something on each of the switches.
- When that RTR fails, send traffic over the LES switch port instead of redirecting it to the ASAs.

My only thoughts about this are that, of course, with HSRP set up, both subnets are directly connected to each of the switches, so how do I go about enforcing a route statement and an ICMP redirect through to the ASA at each site? Is there a value I can assign this, or some command I can execute that will ignore the directly connected VLANs and route externally?

We set up the LES with HSRP and inter-VLAN routing on both switches as, if I am honest, I couldn't get the Catalysts to route using switchports in the standard manner (i.e. like a router). So, for instance, sending any traffic for over switchport 1 on and vice versa on the alternate switch didn't work for some reason. I spent ages trying to figure this out, and eventually realised that HSRP with both VLANs present at each site was actually a better way to set it up anyway; however, now I'm presented with this additional challenge.

Any pointers on the design greatly appreciated.

I should add that the ASAs are running 8.3(1), and I read that these now support ICMP redirects; however, actually trying to get them to issue ICMP redirects seems to be a bit of a black art! I wonder if what the documentation means is that the ASAs themselves will accept ICMP redirects and route accordingly? Any clues as to this greatly appreciated.

Question by: prodriveit

    Expert Comment

    Sorry, but the design won't work. The switches will have no reason to route the traffic to the opposing side, because the IP subnet is already directly connected.
    I think you need to go back to having only the actual subnet present on each side, and not run HSRP. It should work without a problem, so we need to dig into why it didn't work the first time around.
    When you get that part working, you can move on to getting a routing protocol up and running. The ASA supports only RIP and OSPF.

    Accepted Solution

    I just reread your question, and think I know where it went wrong. Did you have an extra ip subnet for routing purposes between the two sites on the LES side of things? You need a third subnet/vlan in order for the switches to do the routing. For example 192.168.100.x
    I found an example that describes the configuration you need. The only difference is that your switches (interchangeable with routers from the example in your case) have an extra direct link between them.
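The corrected layout from the accepted solution (a third transit subnet between the switches, no HSRP, each site's LAN present only on its own switch) combined with the RTR/track failover the original question sketches, as one added Catalyst IOS configuration for the Site A 3750. This is an illustrative example written for this page, not the asker's or the expert's config. All addresses are assumptions: Site A LAN 192.168.1.0/24 on Vlan1 with the switch at .1 and the Site A ASA inside interface at .254, Site B LAN 192.168.2.0/24, the transit subnet 192.168.100.0/30 on VLAN 100 carried over the LES port Gi1/0/1 (.1 at Site A, .2 at Site B), and 8.8.8.8 as the Internet probe target.

```cisco
! Site A Catalyst 3750 (hypothetical addresses; example only, not the asker's configuration)
! 'ip routing' is what makes a 3750 route between its SVIs; without it the switch
! is a pure layer-2 device even when SVIs carry addresses.
ip routing
!
vlan 100
 name LES-transit
!
interface GigabitEthernet1/0/1
 description LES circuit to Site B (transit VLAN only)
 switchport access vlan 100
 switchport mode access
!
interface Vlan1
 description Site A LAN
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan100
 description transit subnet to Site B switch
 ip address 192.168.100.1 255.255.255.252
!
! Probe 1: reachability of the far switch across the LES. A circuit can stay up at
! layer 2 while the far end is dead, so a connected-route check alone is not enough.
ip sla 1
 icmp-echo 192.168.100.2 source-interface Vlan100
 frequency 10
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability
 delay down 30 up 60
!
! Probe 2: Internet reachability through the local ASA. The /32 host route below pins
! the probe target to the ASA, so the probe keeps testing the primary path even after
! user traffic has failed over; without it the probe would succeed via the backup path
! and the default route would flap back.
ip sla 2
 icmp-echo 8.8.8.8 source-interface Vlan1
 frequency 10
ip sla schedule 2 life forever start-time now
track 2 ip sla 2 reachability
 delay down 30 up 60
ip route 8.8.8.8 255.255.255.255 192.168.1.254
!
! Site B LAN: primary via the transit link while track 1 is up; floating static (AD 250)
! via the local ASA, which carries the site-to-site VPN, takes over when the LES fails.
ip route 192.168.2.0 255.255.255.0 192.168.100.2 track 1
ip route 192.168.2.0 255.255.255.0 192.168.1.254 250
!
! Default route: primary via the local ASA while track 2 is up; floating static (AD 250)
! via the Site B switch over the LES takes over when the local Internet connection fails.
ip route 0.0.0.0 0.0.0.0 192.168.1.254 track 2
ip route 0.0.0.0 0.0.0.0 192.168.100.2 250
```

Site B mirrors this with the addresses swapped. Verify with `show track`, `show ip sla statistics` and `show ip route` (the floating statics only appear once the tracked route has been withdrawn), and check `show ip sla application` first, since the IP SLA features available depend on the IOS image. Two things the switch config alone does not cover: for the Internet failover case the remote ASA must route and NAT the other site's LAN (192.168.1.0/24 arriving via its switch), and the VPN crypto ACLs on both ASAs must match both LANs so the LES-down case actually goes into the tunnel. The `delay down 30 up 60` on each track is there so a few lost pings do not cause the routes to flip back and forth.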

    Author Comment

    Thanks for your help - that's really useful!

    I didn't have the third subnet, so I will go back and re-configure with that in place and disable HSRP etc.

    From there, I will have a go at sorting the RIP / OSPF myself, but if I get stuck, I may post another question on this and will send you a message (if that's possible) through EE, if I may?

    Thanks again. I'll close the question unless you think I should leave it open for any reason?


    Author Closing Comment

    Thanks for the prompt response.

    Expert Comment

    You're welcome. I think there is a link on my profile page to contact me directly, but I haven't used that feature before.
