Solved

Cisco ASA SLA Monitoring

Posted on 2012-04-13
1,195 Views
Last Modified: 2012-04-13
Here's the scenario:

We have dual ISP links, primary Comcast and backup DSL, for a location with failover on an ASA 5520 using sla monitoring. Right now we are tracking the upstream modem/router (1 hop away) of ISP1 as our monitored IP address. It is the Comcast connection.

We have tested failover and the DSL connection picks up almost immediately and VPN tunnels establish beautifully.

Here's the issue:

We tested pulling the coax from the Comcast modem, rendering it useless, but the modem was still reachable and the Cisco did not fail over. So right now, we are only protected against a failure of the Comcast modem.

My question is:

If we choose to monitor some other IP address, say 8.8.8.8 (Google DNS) for example, does the ASA continue to attempt to reach the monitored IP address from the primary (Comcast) WAN interface to determine when to reactivate that primary interface?

-or-

After it fails over, does it 'trust' the backup interface to determine when the monitored IP address is back up, reactivating the primary interface. This could create a failover loop:
  1) Comcast cannot reach 8.8.8.8 and fails over
  2) DSL activates and all is good, except from the DSL interface, 8.8.8.8 is reachable
  3) DSL interface turns it back over to Comcast
  4) Repeat ad nauseam.....

We would love to monitor a 'known good' IP address so that failover protects us from more than just a Comcast modem failure - but I need to understand the mechanics of monitoring a little better.

Thanks Experts for your help!
Question by:RTPIT
2 Comments
 
LVL 50

Accepted Solution

by:
Don Johnston earned 2000 total points
ID: 37843888
When you define the object being tracked, you also define the outbound interface. If you don't get a response from the object using that interface, then the failover takes place.

So if you decide to use 8.8.8.8 as the object, then it MUST be reachable by going out the Comcast interface. If it can't, then you will failover to the DSL link. The object will not be checked going out the DSL interface.
 
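The configuration the accepted solution describes, written out as an added example (it is not from the original thread or from the asker's ASA). The interface names `outside` (Comcast) and `backup` (DSL), the next-hop addresses 203.0.113.1 and 198.51.100.1, and the SLA/track IDs are assumed placeholders; substitute the real ones. The key line is the `interface outside` keyword on the probe: the ICMP echoes to 8.8.8.8 are always sent out the primary interface, so after failover the ASA keeps testing the Comcast path and only restores the primary default route when that path can reach the tracked object again. The DSL interface is never used for the probe, which is why the loop described in the question does not occur.

```cisco
! --- SLA probe: ICMP echo to the tracked object, forced out the primary ISP interface ---
sla monitor 10
 type echo protocol ipIcmpEcho 8.8.8.8 interface outside
 num-packets 3
 timeout 1000
 frequency 10
sla monitor schedule 10 life forever start-time now
!
! --- Track object 1 follows the reachability result of SLA operation 10 ---
track 1 rtr 10 reachability
!
! --- Primary default route (Comcast) is installed only while track 1 is "up" ---
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1 track 1
!
! --- Backup default route (DSL) with a worse metric; becomes active once the
!     tracked primary route is withdrawn ---
route backup 0.0.0.0 0.0.0.0 198.51.100.1 254
!
! --- Verification (run from enable mode):
!   show sla monitor operational-state   -> probe results / latest return code
!   show track 1                         -> Reachability is Up/Down
!   show route                           -> which default route is currently installed
```

The probe tolerances (`num-packets`, `timeout`, `frequency`) are chosen here as conservative values; tune them so that a brief loss of a single echo to a public resolver does not trigger a failover, and confirm with `show track 1` that the track flaps back to Up after the coax is reconnected in the test from the question.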

Author Comment

by:RTPIT
ID: 37844546
Thanks for the help. As long as AFTER the failover occurs, the primary WAN interface is the one that continues to attempt to reach (whatever IP is) the tracked object, then using a 4.2.2.2 or 8.8.8.8 makes sense and should serve us well.
