ASA5510- Active/Standby routing problem

colinrmgt (Programmer, GB), Jul 9, 2008
Hi all,

I have a quick question with regard to one of our DMZs, which is a two-tier model, in active/standby mode, with dual ISPs: see attached image.

We're using an SLA monitor to track a default route to ISP1; in the event of a failure, a route is added for ISP2.

On the outside primary/active ASA we have a route of:
S* 0.0.0.0 0.0.0.0 [1/0] via x.x.y.1, ISP1

However, on the outside secondary/standby ASA we have a route of:
S* 0.0.0.0 0.0.0.0 [1/0] via x.x.y.1, State-LNK

I don't understand why it's trying to route to ISP1 over the Stateful failover interface rather than using its trunked outside interface. When the secondary becomes active the whole DMZ grinds to a halt as the route remains over State-LNK!

We have a copy of this setup at another site, which works fine. I've taken all the configs and used a comparison tool, and can't see any significant differences.

My initial thoughts were a trunking/VLAN problem, but all VLANs are correct and all required interfaces are trunking.

Any ideas why it's doing this? Anyone seen this before?

Thanks in advance - I truly am lost!

Colin
 
Can you post configs?

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
Hi,

Thanks for posting. Is there anything in particular you'd like to see from the configs? I'd need to trim a lot of stuff out to be able to post them.

Thanks,
Colin
 
Any interface configuration, SLA monitor, and routes
 
oh and failover config
 
For some reason the route on the standby ASA flaps between ISP1 and State-LNK. I've just made some changes and after writing to the standby unit it appears to be OK. I still can't ping anything outside on the interface though.

Code:
# sh run int
!
interface Ethernet0/0
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/0.10
 vlan 10
 nameif ISP1
 security-level 0
 ip address x.x.y.2 255.255.255.128 standby x.x.y.3
!
interface Ethernet0/0.20
 vlan 20
 nameif ISP2
 security-level 0
 ip address x.x.x.2 255.255.255.128 standby x.x.x.3
!
interface Ethernet0/1
 nameif dmz
 security-level 50
 ip address 10.1.1.1 255.255.255.0 standby 10.1.1.131
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 speed 100
 duplex full
!
interface Ethernet0/3.90
 description LAN Failover Interface
 vlan 90
!
interface Ethernet0/3.95
 description STATE Failover Interface
 vlan 95
!
interface Management0/0
 nameif ManNet1
 security-level 100
 no ip address
 management-only

# sh run sla monitor
sla monitor 1
 type echo protocol ipIcmpEcho z.z.z.46 interface ISP1
 num-packets 3
 frequency 10
sla monitor schedule 1 life forever start-time now

# sh run track
track 1 rtr 1 reachability

# sh run | include route
route ISP1 0.0.0.0 0.0.0.0 x.x.y.1 1 track 1
route ISP2 0.0.0.0 0.0.0.0 x.x.x.1 105
route dmz 192.168.0.0 255.255.0.0 10.1.1.7 1

# sh run failover
failover
failover lan unit primary
failover lan interface Fail-LNK Ethernet0/3.90
failover replication http
failover link State-LNK Ethernet0/3.95
failover interface ip Fail-LNK 10.1.30.17 255.255.255.252 standby 10.1.30.18
failover interface ip State-LNK 10.1.30.21 255.255.255.252 standby 10.1.30.22



Primary/Active# sh sla monitor operational-state
Entry number: 1
Modification time: 06:08:43.069 bst Wed May 13 2009
Number of Octets Used by this Entry: 1480
Number of operations attempted: 46077
Number of operations skipped: 0
Current seconds left in Life: Forever
Operational state of entry: Active
Last time this entry was reset: Never
Connection loss occurred: FALSE
Timeout occurred: FALSE
Over thresholds occurred: FALSE
Latest RTT (milliseconds): 13
Latest operation start time: 14:08:03.073 bst Mon May 18 2009
Latest operation return code: OK
RTT Values:
RTTAvg: 13      RTTMin: 10      RTTMax: 20
NumOfRTT: 3     RTTSum: 40      RTTSum2: 600


Primary/Active# sh failover
Failover On
Failover unit Primary
Failover LAN Interface: Fail-LNK Ethernet0/3.90 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 2 of 250 maximum
failover replication http
Version: Ours 7.2(2), Mate 7.2(2)
Last Failover at: 05:47:50 bst May 13 2009
        This host: Primary - Active
                Active time: 461344 (sec)
                slot 0: ASA5510 hw/sw rev (2.0/7.2(2)) status (Up Sys)
                  Interface ISP1 (x.x.y.2): Normal (Not-Monitored)
                  Interface ISP2 (x.x.x.2): Normal (Not-Monitored)
                  Interface dmz (10.1.1.1): Normal
                  Interface ManNet1 (0.0.0.0): No Link (Waiting)
                slot 1: empty
        Other host: Secondary - Standby Ready
                Active time: 0 (sec)
                slot 0: ASA5510 hw/sw rev (2.0/7.2(2)) status (Up Sys)
                  Interface ISP1 (x.x.y.3): Normal (Not-Monitored)
                  Interface ISP2 (x.x.x.3): Normal (Not-Monitored)
                  Interface dmz (10.1.1.131): Normal
                  Interface ManNet1 (0.0.0.0): Unknown (Waiting)
                slot 1: empty

Stateful Failover Logical Update Statistics
        Link : State-LNK Ethernet0/3.95 (up)
        Stateful Obj    xmit       xerr       rcv        rerr
        General         3763280    0          61506      0
        sys cmd         61506      0          61506      0
        up time         0          0          0          0
        RPC services    0          0          0          0
        TCP conn        2026941    0          0          0
        UDP conn        725365     0          0          0
        ARP tbl         940506     0          0          0
        Xlate_Timeout   0          0          0          0
        VPN IKE upd     5867       0          0          0
        VPN IPSEC upd   3095       0          0          0
        VPN CTCP upd    0          0          0          0
        VPN SDI upd     0          0          0          0
        VPN DHCP upd    0          0          0          0

        Logical Update Queue Information
                        Cur     Max     Total
        Recv Q:         0       7       522847
        Xmit Q:         0       15      6931060


Secondary/Standby# sh failover
Failover On
Failover unit Secondary
Failover LAN Interface: Fail-LNK Ethernet0/3.90 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 2 of 250 maximum
failover replication http
Version: Ours 7.2(2), Mate 7.2(2)
Last Failover at: 05:47:53 bst May 13 2009
        This host: Secondary - Standby Ready
                Active time: 0 (sec)
                slot 0: ASA5510 hw/sw rev (2.0/7.2(2)) status (Up Sys)
                  Interface ISP1 (x.x.y.3): Normal (Not-Monitored)
                  Interface ISP2 (x.x.x.3): Normal (Not-Monitored)
                  Interface dmz (10.1.1.131): Normal
                  Interface ManNet1 (0.0.0.0): No Link (Waiting)
                slot 1: empty
        Other host: Primary - Active
                Active time: 461450 (sec)
                slot 0: ASA5510 hw/sw rev (2.0/7.2(2)) status (Up Sys)
                  Interface ISP1 (x.x.y.2): Normal (Not-Monitored)
                  Interface ISP2 (x.x.x.2): Normal (Not-Monitored)
                  Interface dmz (10.1.1.1): Normal
                  Interface ManNet1 (0.0.0.0): Unknown (Waiting)
                slot 1: empty

Stateful Failover Logical Update Statistics
        Link : State-LNK Ethernet0/3.95 (up)
        Stateful Obj    xmit       xerr       rcv        rerr
        General         61514      0          3360103    6336
        sys cmd         61514      0          61514      0
        up time         0          0          0          0
        RPC services    0          0          0          0
        TCP conn        0          0          1805387    6004
        UDP conn        0          0          543652     332
        ARP tbl         0          0          940588     0
        Xlate_Timeout   0          0          0          0
        VPN IKE upd     0          0          5867       0
        VPN IPSEC upd   0          0          3095       0
        VPN CTCP upd    0          0          0          0
        VPN SDI upd     0          0          0          0
        VPN DHCP upd    0          0          0          0

        Logical Update Queue Information
                        Cur     Max     Total
        Recv Q:         0       25      6989852
        Xmit Q:         0       1       61514



Primary/Active# sh route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 195.188.122.1 to network 0.0.0.0

C    x.x.y.0 255.255.255.128 is directly connected, ISP1
C    x.x.x.0 255.255.255.128 is directly connected, ISP2
C    10.1.30.20 255.255.255.252 is directly connected, State-LNK
C    10.1.30.16 255.255.255.252 is directly connected, Fail-LNK
C    10.1.1.0 255.255.255.0 is directly connected, dmz
S*   0.0.0.0 0.0.0.0 [1/0] via x.x.y.1, ISP1
S    192.168.0.0 255.255.0.0 [1/0] via 10.1.1.7, dmz


Secondary/Standby# sh route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 195.188.122.1 to network 0.0.0.0

C    x.x.y.0 255.255.255.128 is directly connected, ISP1
C    x.x.x.0 255.255.255.128 is directly connected, ISP2
C    10.1.30.20 255.255.255.252 is directly connected, State-LNK
C    10.1.30.16 255.255.255.252 is directly connected, Fail-LNK
C    10.1.1.0 255.255.255.0 is directly connected, dmz
S*   0.0.0.0 0.0.0.0 [1/0] via x.x.y.1, State-LNK
S    192.168.0.0 255.255.0.0 [1/0] via 10.1.1.7, dmz


Primary/Active# ping 4.2.2.2
OSSGDC101# ping 4.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 30/32/40 ms

Secondary/Standby# ping 4.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.2.2.2, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
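An added check, not part of the thread, that parses the two "sh route" outputs posted above and flags exactly the symptom described: a static route that differs between the active and standby units, or whose egress interface is one of the failover links (State-LNK or Fail-LNK, the names from the posted failover config). The route excerpts are constructed from the post, with addresses masked as the poster masked them.

```python
import re

# Constructed excerpts of the posted "sh route" outputs (masked addresses kept as posted).
PRIMARY = """\
C    x.x.y.0 255.255.255.128 is directly connected, ISP1
C    10.1.30.20 255.255.255.252 is directly connected, State-LNK
S*   0.0.0.0 0.0.0.0 [1/0] via x.x.y.1, ISP1
S    192.168.0.0 255.255.0.0 [1/0] via 10.1.1.7, dmz
"""
STANDBY = """\
C    x.x.y.0 255.255.255.128 is directly connected, ISP1
C    10.1.30.20 255.255.255.252 is directly connected, State-LNK
S*   0.0.0.0 0.0.0.0 [1/0] via x.x.y.1, State-LNK
S    192.168.0.0 255.255.0.0 [1/0] via 10.1.1.7, dmz
"""

# Matches ASA static route lines: "S*   net mask [AD/metric] via next-hop, interface"
STATIC_RE = re.compile(r"^S\*?\s+(\S+)\s+(\S+)\s+\[(\d+)/(\d+)\]\s+via\s+(\S+),\s+(\S+)$")


def parse_static_routes(text):
    """Return {(network, mask): (admin_distance, next_hop, interface)} for S/S* lines."""
    routes = {}
    for line in text.splitlines():
        m = STATIC_RE.match(line.strip())
        if m:
            net, mask, ad, _metric, next_hop, iface = m.groups()
            routes[(net, mask)] = (int(ad), next_hop, iface)
    return routes


def audit_routes(active_text, standby_text, failover_ifaces=("State-LNK", "Fail-LNK")):
    """List static routes that differ between units or that egress via a failover link."""
    active = parse_static_routes(active_text)
    standby = parse_static_routes(standby_text)
    findings = []
    for key in sorted(set(active) | set(standby)):
        a, s = active.get(key), standby.get(key)
        prefix = f"{key[0]} {key[1]}"
        if a is None or s is None:
            findings.append(f"{prefix}: present on only one unit")
            continue
        if a != s:
            findings.append(f"{prefix}: active via {a[2]} but standby via {s[2]}")
        for unit, route in (("active", a), ("standby", s)):
            if route[2] in failover_ifaces:  # traffic would be sent into the failover VLAN
                findings.append(f"{prefix}: {unit} egress is failover link {route[2]}")
    return findings


if __name__ == "__main__":
    for finding in audit_routes(PRIMARY, STANDBY):
        print(finding)
```

Run against the posted tables it reports the default route as both mismatched between units and leaving the standby via State-LNK; a clean pair of tables returns an empty list.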
 
How long have you waited for the routing to stabilize once the units have failed over?
 
Hi,

The routes only seem to stabilize after I've done a write standby on the active ASA.

I'll continue to monitor the routes and will post when they change back.

It's very strange. I can't think why it would add a route over the failover interface!

Thanks,
Colin