BBW
Member, 196 posts, joined Sun Mar 14, 2010 11:59 am
Certs: CCNP (exp - too busy working to update it)

Tying a Route to Multiple Tracked Addresses. Possible?

Thu Dec 22, 2016 9:28 am

I’m wondering if anyone knows of a way to do this: I have a customer’s ASA firewall that has two ISP connections, a primary and a backup. I have the default gateway tied to an SLA track that monitors the 8.8.8.8 address, keeping the gateway pointed to the primary ISP if that address responds and failing over to the backup if it fails. (Pretty standard tracked-object route failover.)

The problem I had yesterday is that something happened on the local ISP’s backbone that black-holed that specific 8.8.8.8 address. I got around it temporarily by shifting to the 8.8.4.4 address, which was responding.

So failover worked as it should have, but the result was that for a few hours they were running on their slower backup link, despite the fact that the primary was actually working. Not great for a retailer on December 21st.

Does anyone know of a way to do this where the firewall would track, say, 2 or 3 different addresses and only lose the route if all of them failed? Something like a track pool, where you put all tracked objects in the pool and they all have to fail before the pool fails?

Thanks,

Ben
