Cisco ASA SLA Monitoring
Posted on 2012-04-13
Here's the scenario:
We have dual ISP links, primary Comcast and backup DSL, for a location with failover on an ASA 5520 using SLA monitoring. Right now we are tracking the upstream modem/router (1 hop away) of ISP1 as our monitored IP address. It is the Comcast connection.
We have tested failover and the DSL connection picks up almost immediately and VPN tunnels establish beautifully.
Here's the issue:
We tested pulling the coax from the Comcast modem, rendering it useless, but the modem was still reachable and the Cisco did not fail over. So right now, we are only protected against a failure of the Comcast modem.
My question is:
If we choose to monitor some other IP address, say 220.127.116.11 (Google DNS) for example, does the ASA continue to attempt to reach the monitored IP address from the primary (Comcast) WAN interface to determine when to reactivate that primary interface?
After it fails over, does it 'trust' the backup interface to determine when the monitored IP address is back up, reactivating the primary interface? This could create a failover loop:
1) Comcast cannot reach 18.104.22.168 and fails over
2) DSL activates and all is good, except from the DSL interface, 22.214.171.124 is reachable
3) DSL interface turns it back over to Comcast
4) Repeat ad nauseam.
We would love to monitor a 'known good' IP address so that failover protects us from more than just a Comcast modem failure - but I need to understand the mechanics of monitoring a little better.
Thanks Experts for your help!
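As an added illustration (not the poster's configuration, and not code from Cisco), the ASA pieces the question is about, with RFC 5737 documentation addresses standing in for the real Comcast gateway, DSL gateway and the monitored target: the `interface outside` keyword on the echo probe is what pins the probe to the primary WAN interface, so it keeps going out Comcast even while the floating default route has moved to the DSL interface, which is why the loop in steps 1-4 does not occur. The interface names `outside` and `backup`, the probe target and the timers are assumptions.

```cisco
! Probe a target beyond the Comcast modem (assumed target; pick a host
! that answers ICMP reliably). The probe is always sourced from and sent
! out of "outside", independent of which default route is active.
sla monitor 10
 type echo protocol ipIcmpEcho 203.0.113.53 interface outside
 num-packets 3
 timeout 1000
 frequency 10
sla monitor schedule 10 life forever start-time now

! The track object goes down when the probe fails, and back up when it succeeds.
track 1 rtr 10 reachability

! Primary default route via Comcast (assumed gateway), removed while track 1 is down.
route outside 0.0.0.0 0.0.0.0 192.0.2.1 1 track 1

! Floating default route via DSL (assumed gateway) with a worse distance;
! it only takes effect while the tracked route is withdrawn.
route backup 0.0.0.0 0.0.0.0 198.51.100.1 254
```

Because the probe exits `outside` regardless of the active default route, a target that is unreachable through Comcast stays unreachable from the ASA's point of view until the Comcast path genuinely recovers, at which point the tracked route is reinstated; `show sla monitor operational-state` and `show track` show the probe result and the route decision respectively.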