Studying for Cisco Certifications or Just Making Stuff Work!


October 23, 2008
Posted by bcarroll

Static Route Tracking with ASA 8.x

For a few days now I have been playing with static route tracking in my SNAF class. The class is running ASA 8.0(2). After reading every document I can find and testing in my lab I have concluded that version 8.0(2) does not work. Now I can't find a bug report on it, but I tested it over and over again.

Finally I decided to upgrade to code 8.0(3). Success! Below is what I did to test and the results:

To begin, here is the topology:

[Topology diagram: static route tracking]

First I set up the interfaces:

interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 192.168.6.2 255.255.255.0
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 10.0.6.1 255.255.255.0
!
interface GigabitEthernet0/2
nameif backup
security-level 0
ip address 192.168.5.25 255.255.255.0
!


Then the NAT:

ciscoasa(config)# sh run nat
nat (inside) 1 0.0.0.0 0.0.0.0
ciscoasa(config)# sh run global
global (outside) 1 interface
global (backup) 1 interface
ciscoasa(config)#

Next I set up the static route tracking. The SLA operation pings the primary gateway every 3 seconds with a 1 second timeout, and a track object is bound to it so that the route command can reference it (the track object is the piece the route actually follows; the SLA alone does not influence routing):

sla monitor 1
type echo protocol ipIcmpEcho 192.168.6.1 interface outside
timeout 1000
frequency 3
sla monitor schedule 1 life forever start-time now
!
! Bind track object 1 to SLA operation 1; the route below references track 1
track 1 rtr 1 reachability

Next I defined the static route to track (administrative distance 1) and a second default route with a higher administrative distance (5) to act as the backup. The backup route only gets installed when the tracked route is withdrawn, because as long as both are candidates the lower distance wins:

route outside 0.0.0.0 0.0.0.0 192.168.6.1 1 track 1
route backup 0.0.0.0 0.0.0.0 192.168.5.1 5

That's about it. Next I verified it was configured:

ciscoasa(config)# sh sla monitor configuration
SA Agent, Infrastructure Engine-II
Entry number: 1
Owner:
Tag:
Type of operation to perform: echo
Target address: 192.168.6.1
Interface: outside
Number of packets: 1
Request size (ARR data portion): 28
Operation timeout (milliseconds): 1000
Type Of Service parameters: 0x0
Verify data: No
Operation frequency (seconds): 3
Next Scheduled Start Time: Start Time already passed
Group Scheduled : FALSE
Life (seconds): Forever
Entry Ageout (seconds): never
Recurring (Starting Everyday): FALSE
Status of entry (SNMP RowStatus): Active
Enhanced History:

Then I verified that the SLA was reporting a return code of OK:

ciscoasa(config)# sh sla monitor operational-state
Entry number: 1
Modification time: 04:02:36.312 UTC Fri Oct 24 2008
Number of Octets Used by this Entry: 1480
Number of operations attempted: 352
Number of operations skipped: 0
Current seconds left in Life: Forever
Operational state of entry: Active
Last time this entry was reset: Never
Connection loss occurred: FALSE
Timeout occurred: FALSE
Over thresholds occurred: FALSE
Latest RTT (milliseconds): 1
Latest operation start time: 04:20:09.312 UTC Fri Oct 24 2008
Latest operation return code: OK
RTT Values:
RTTAvg: 1    RTTMin: 1    RTTMax: 1
NumOfRTT: 1    RTTSum: 1    RTTSum2: 1

Then I checked the routing table to make sure that it was reflecting the right default route:

ciscoasa(config)# sh route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route

Gateway of last resort is 192.168.6.1 to network 0.0.0.0

C    127.0.0.0 255.255.0.0 is directly connected, cplane
C    192.168.5.0 255.255.255.0 is directly connected, backup
C    10.0.6.0 255.255.255.0 is directly connected, inside
C    192.168.6.0 255.255.255.0 is directly connected, outside
S*   0.0.0.0 0.0.0.0 [1/0] via 192.168.6.1, outside
ciscoasa(config)#

Then I failed the primary gateway (192.168.6.1, the target of the SLA probe) and checked the operational-state again:

ciscoasa(config)# sh sla monitor operational-state
Entry number: 1
Modification time: 04:02:36.321 UTC Fri Oct 24 2008
Number of Octets Used by this Entry: 1480
Number of operations attempted: 375
Number of operations skipped: 0
Current seconds left in Life: Forever
Operational state of entry: Active
Last time this entry was reset: Never
Connection loss occurred: FALSE
Timeout occurred: TRUE
Over thresholds occurred: FALSE
Latest RTT (milliseconds): NoConnection/Busy/Timeout
Latest operation start time: 04:21:18.311 UTC Fri Oct 24 2008
Latest operation return code: Timeout
RTT Values:
RTTAvg: 0    RTTMin: 0    RTTMax: 0
NumOfRTT: 0    RTTSum: 0    RTTSum2: 0

Since it's reporting a timeout, the route should change:

ciscoasa(config)# sh route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route

Gateway of last resort is 192.168.5.1 to network 0.0.0.0

C    127.0.0.0 255.255.0.0 is directly connected, cplane
C    192.168.5.0 255.255.255.0 is directly connected, backup
C    10.0.6.0 255.255.255.0 is directly connected, inside
C    192.168.6.0 255.255.255.0 is directly connected, outside
S*   0.0.0.0 0.0.0.0 [5/0] via 192.168.5.1, backup
ciscoasa(config)#

And finally I bring it back by enabling the 192.168.6.1 gateway and check it again. Ta-da! It's back.

ciscoasa(config)# sh route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route

Gateway of last resort is 192.168.6.1 to network 0.0.0.0

C    127.0.0.0 255.255.0.0 is directly connected, cplane
C    192.168.5.0 255.255.255.0 is directly connected, backup
C    10.0.6.0 255.255.255.0 is directly connected, inside
C    192.168.6.0 255.255.255.0 is directly connected, outside
S*   0.0.0.0 0.0.0.0 [1/0] via 192.168.6.1, outside
ciscoasa(config)#
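The three show commands above are the whole verification loop, and it is worth automating it: if the SLA probe reports Timeout while the routing table still points at 192.168.6.1, tracking is not doing its job. The following Python is an added example written for this page, not the author's configuration or Cisco's tooling. It parses trimmed excerpts of the operational-state and show route output captured above (the sample strings are copied from those outputs; the gateway addresses are the lab values from the post) and flags any disagreement between the tracked state and the installed default route.

```python
"""Check that an ASA's installed default route agrees with its tracked
SLA state, by parsing 'show sla monitor operational-state' and 'show route'.

Added example for this post, not the author's code.  The sample outputs
below are trimmed excerpts of the show commands captured on the page; the
gateway addresses are the lab values used in the post.
"""
import re

PRIMARY_GW = "192.168.6.1"   # tracked default route, AD 1, via outside
BACKUP_GW = "192.168.5.1"    # floating default route, AD 5, via backup

# Excerpts of the operational-state output before and after the gateway
# was failed (copied from the post's output).
SLA_UP = """Entry number: 1
Operational state of entry: Active
Connection loss occurred: FALSE
Timeout occurred: FALSE
Latest RTT (milliseconds): 1
Latest operation return code: OK
"""

SLA_DOWN = """Entry number: 1
Operational state of entry: Active
Connection loss occurred: FALSE
Timeout occurred: TRUE
Latest RTT (milliseconds): NoConnection/Busy/Timeout
Latest operation return code: Timeout
"""

# Excerpts of 'show route' with the primary and the backup route installed.
ROUTE_PRIMARY = """Gateway of last resort is 192.168.6.1 to network 0.0.0.0

C    192.168.6.0 255.255.255.0 is directly connected, outside
S*   0.0.0.0 0.0.0.0 [1/0] via 192.168.6.1, outside
"""

ROUTE_BACKUP = """Gateway of last resort is 192.168.5.1 to network 0.0.0.0

C    192.168.5.0 255.255.255.0 is directly connected, backup
S*   0.0.0.0 0.0.0.0 [5/0] via 192.168.5.1, backup
"""

_RC = re.compile(r"^Latest operation return code:\s*(\S+)", re.M)
_TIMEOUT = re.compile(r"^Timeout occurred:\s*(TRUE|FALSE)", re.M)
_DEFAULT = re.compile(
    r"^S\*\s+0\.0\.0\.0 0\.0\.0\.0 \[(\d+)/\d+\] via ([\d.]+), (\S+)", re.M)


def sla_reachable(output):
    """Return True when the SLA probe last succeeded (return code OK and
    no timeout flagged), False otherwise.  Raises if the fields are absent."""
    rc = _RC.search(output)
    to = _TIMEOUT.search(output)
    if rc is None or to is None:
        raise ValueError("not an operational-state output")
    return rc.group(1) == "OK" and to.group(1) == "FALSE"


def default_route(output):
    """Return (next_hop, interface, admin_distance) of the installed S*
    default route, or None if no default route is present."""
    m = _DEFAULT.search(output)
    if m is None:
        return None
    return m.group(2), m.group(3), int(m.group(1))


def check_failover(sla_output, route_output,
                   primary=PRIMARY_GW, backup=BACKUP_GW):
    """Compare tracked state with the installed route.  Returns (ok, reason):
    ok is False when the two disagree, which is what a monitoring check
    should alarm on (for example the tracked gateway down but the primary
    route still installed)."""
    up = sla_reachable(sla_output)
    route = default_route(route_output)
    if route is None:
        return False, "no default route installed"
    next_hop = route[0]
    expected = primary if up else backup
    if next_hop == expected:
        return True, "default via %s (%s)" % (
            next_hop, "primary" if up else "backup")
    return False, "SLA %s but default via %s, expected %s" % (
        "reachable" if up else "timed out", next_hop, expected)


if __name__ == "__main__":
    for label, sla, rt in (("before failure", SLA_UP, ROUTE_PRIMARY),
                           ("after failure", SLA_DOWN, ROUTE_BACKUP),
                           ("stale route", SLA_DOWN, ROUTE_PRIMARY)):
        ok, why = check_failover(sla, rt)
        print("%-15s %s: %s" % (label, "OK" if ok else "ALARM", why))
```

In practice the two strings would come from the device (SSH, or a syslog collector that also captures the SLA timeout events), and the "stale route" case is the one you want paged on: it is exactly the behaviour the post describes seeing on 8.0(2), where the probe timed out but the routing table never moved.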

After moving to the new code version I must say that the static route tracking worked like a champ.


4 Comments

Posted under: CCIE Security, SNAF, SNPA

Steve
February 7, 2009

Hey Brandon, nice write-up. Is there a way to have the NATs changed when you're not NAT'ing to the interface IP?

Brandon
February 9, 2009

@Steve Assuming you use a NAT pool (global) with each outside interface I don't see why not.
HTH.
Brandon

hhdien
April 23, 2009

thanks,
Is it possible to load sharing between the two connections?

Brandon
April 23, 2009

@hhdien I don't know of any way to load balance other than having a router on either side of the ASA and using multi-mode. Then you can have the routers load-balance.

Regards,

Brandon
