Cisco ASA SLA Monitoring

Here's the scenario:

We have dual ISP links, primary Comcast and backup DSL, for a location with failover on an ASA 5520 using SLA monitoring. Right now we are tracking the upstream modem/router (1 hop away) of ISP1 as our monitored IP address. It is the Comcast connection.

We have tested failover and the DSL connection picks up almost immediately and VPN tunnels establish beautifully.

Here's the issue:

We tested pulling the coax from the Comcast modem, rendering it useless, but the modem was still reachable and the Cisco did not fail over. So right now, we are only protected against a failure of the Comcast modem.

My question is:

If we choose to monitor some other IP address, say 8.8.8.8 (Google DNS) for example, does the ASA continue to attempt to reach the monitored IP address from the primary (Comcast) WAN interface to determine when to reactivate that primary interface?

-or-

After it fails over, does it 'trust' the backup interface to determine when the monitored IP address is back up, reactivating the primary interface. This could create a failover loop:
  1) Comcast cannot reach 8.8.8.8 and fails over
  2) DSL activates and all is good, except from the DSL interface, 8.8.8.8 is reachable
  3) DSL interface turns it back over to Comcast
  4) Repeat ad nauseam.....

We would love to monitor a 'known good' IP address so that failover protects us from more than just a Comcast modem failure - but I need to understand the mechanics of monitoring a little better.

Thanks Experts for your help!
RTPIT asked:
Don Johnston (Instructor) commented:
When you define the object being tracked, you also define the outbound interface. If you don't get a response from the object using that interface, then the failover takes place.

So if you decide to use 8.8.8.8 as the object, then it MUST be reachable by going out the Comcast interface. If it can't, then you will failover to the DSL link.  The object will not be checked going out the DSL interface.
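The configuration below is an added example for readers, not something posted in the thread or taken from the asker's ASA. It shows how the behaviour Don describes is expressed on an ASA: the `interface` keyword on the SLA probe pins the ICMP echo to the primary link, so after failover the probe keeps going out that interface and the backup link is never used to judge whether 8.8.8.8 is back. The interface names (`outside` for Comcast, `backup` for DSL) and the gateway addresses (203.0.113.1 and 198.51.100.1, documentation-range placeholders) are assumptions; 8.8.8.8 is the target discussed above.

```cisco
! Added example; interface names and gateway addresses are placeholders.
!   outside = Comcast interface, next hop 203.0.113.1 (assumed)
!   backup  = DSL interface,     next hop 198.51.100.1 (assumed)
!
! ICMP echo probe to 8.8.8.8, sourced only from the outside (Comcast) interface.
! "interface outside" is what ties the check to the primary link: the probe is
! not retried out "backup", so a reachable 8.8.8.8 via DSL cannot flip the
! primary route back on.
sla monitor 10
 type echo protocol ipIcmpEcho 8.8.8.8 interface outside
 num-packets 3
 frequency 10
 timeout 3000
 threshold 2000
sla monitor schedule 10 life forever start-time now
!
! Track object 1 follows the reachability state of SLA 10.
track 1 rtr 10 reachability
!
! Primary default route: withdrawn from the routing table while track 1 is down.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1 track 1
!
! Floating backup default route: higher metric, so it only carries traffic
! once the tracked primary route has been withdrawn.
route backup 0.0.0.0 0.0.0.0 198.51.100.1 254
```

To verify on the box, `show sla monitor operational-state 10` shows the probe results, `show track 1` shows Up/Down, and `show route` shows which default route is currently installed. With this in place the coax-pull test from the question should trigger failover, because 8.8.8.8 stops answering via the outside interface even though the modem itself still does. Two caveats a practitioner will want: pick a target that answers ICMP consistently (a rate-limited or filtered host produces false failovers), and note that the ASA reinstalls the primary route as soon as the probe succeeds again, so a link that is flapping will flap the default route with it; a lower `frequency` makes detection faster but also makes the unit more sensitive to brief loss.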
RTPIT (Author) commented:
Thanks for the help. As long as AFTER the failover occurs, the primary WAN interface is the one that continues to attempt to reach (whatever IP is) the tracked object, then using a 4.2.2.2 or 8.8.8.8 makes sense and should serve us well.