Wednesday 21 October 2015

SLA Monitoring on Cisco ASA

Monitoring Static or Default Route on Cisco ASA Using SLA Monitor


In this post I am going to cover a new topic from the CCIE Security version 4.0 lab checklist.

The scenario is that a Cisco ASA is connected to two ISPs, ISP1 and ISP2. The link between the ASA and ISP1 is up on the ASA side but down on the ISP side.
If you have added a static default route pointing to ISP1 as the default gateway, you are in trouble when something goes wrong on the ISP side: the link on the ISP side may be down while the link on your firewall is still up.

One of the problems with static routes is that there is no built-in mechanism to determine whether the default route is actually usable. The default route remains in the routing table even if the next-hop gateway, i.e. ISP1, becomes unavailable.
A static route is only removed from the routing table if the associated interface of the ASA itself goes down.

Hope the problem is clearly understood.

What I am looking for is a solution where, if the primary default route pointing to ISP1 as the next hop goes down and a backup route exists, the backup default route is installed in the routing table and used.
And when the primary default route is up again, it should be installed in the routing table and used once more.


The Cisco ASA implements this feature by associating a static route with a monitoring target that the admin defines; this target is monitored using ICMP echo requests.
So let's say you want to track the DNS server 4.2.2.2 as the monitored object using ICMP echo requests. If an echo reply is not received within the specified timeout, the tracked object is considered down and the associated route is removed from the routing table, i.e. the primary route pointing to ISP1 as next hop is removed.

There should therefore be a backup route; this configured backup route is used in place of the removed primary route.

The admin must make sure that the object being tracked can respond to ICMP echo requests.
The target can be any network object you choose, but you should consider using one of the following:

  • The ISP gateway address
  • The next-hop gateway address (if you are concerned about the availability of the gateway)
  • A server on the target network, such as an AAA server, that the ASA needs to communicate with
  • A persistent network object on the destination network

Topology

This is the topology I am going to use for the lab demonstration.

Configuration on Cisco ASA
ASA1(config)# show version

Cisco Adaptive Security Appliance Software Version 8.6(1)2
Device Manager Version 7.1(1)

Compiled on Fri 01-Jun-12 02:16 by builders
System image file is "disk0:/asa861-2-smp-k8.bin"
Config file at boot was "startup-config"

ASA1 up 4 hours 57 mins

Hardware: ASA5515, 8192 MB RAM, CPU Clarkdale 3058 MHz, 1 CPU (4 cores)
ASA: 4096 MB RAM, 1 CPU (1 core)
Internal ATA Compact Flash, 4096MB
BIOS Flash MX25L6445E @ 0xffbb0000, 8192KB

Encryption hardware device : Cisco ASA-55xx on-board accelerator(revision 0x1)
        Boot microcode        : CNPx-MC-BOOT-2.00
        SSL/IKE microcode     : CNPx-MC-SSL-PLUS-0014
        IPSec microcode       : CNPx-MC-IPSEC-MAIN-0014
        Number of accelerators: 1
Baseboard Management Controller (revision 0x1) Firmware Version: 2.4

----------- Output Omitted----------

Licensed features for this platform:
Maximum Physical Interfaces       : Unlimited      perpetual
Maximum VLANs                     : 100            perpetual
Inside Hosts                      : Unlimited      perpetual
Failover                          : Active/Active  perpetual
VPN-DES                           : Enabled        perpetual
VPN-3DES-AES                      : Enabled        perpetual
Security Contexts                 : 2              perpetual
GTP/GPRS                          : Disabled       perpetual
AnyConnect Premium Peers          : 2              perpetual
AnyConnect Essentials             : Disabled       perpetual
Other VPN Peers                   : 250            perpetual
Total VPN Peers                   : 250            perpetual
Shared License                    : Disabled       perpetual
AnyConnect for Mobile             : Disabled       perpetual
AnyConnect for Cisco VPN Phone    : Disabled       perpetual
Advanced Endpoint Assessment      : Disabled       perpetual
UC Phone Proxy Sessions           : 2              perpetual
Total UC Proxy Sessions           : 2              perpetual
Botnet Traffic Filter             : Disabled       perpetual
Intercompany Media Engine         : Disabled       perpetual
IPS Module                        : Disabled       perpetual


ASA1(config)# show bootvar
BOOT variable = disk0:/asa861-2-smp-k8.bin
Current BOOT variable = disk0:/asa861-2-smp-k8.bin
CONFIG_FILE variable =


Interface configuration on Cisco ASA -
interface GigabitEthernet0/0
 no shutdown
exit
!
interface GigabitEthernet0/1
 no shutdown
exit
!
interface Redundant1
 member-interface GigabitEthernet0/0
 member-interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.11.11.10 255.255.255.0
exit
!
interface GigabitEthernet0/2
 nameif ISP1
 security-level 0
 ip address 1.1.1.10 255.255.255.0
 no shutdown
exit
!
interface GigabitEthernet0/3
 nameif ISP2
 security-level 0
 ip address 2.1.1.10 255.255.255.0
 no shutdown
exit
!
I am leaving the routing in this topology to you. If you find any problem with the routing, leave a comment and I will share the configuration file for this topology.

Now let's configure the SLA monitor parameters. I want to track the object 4.2.2.2 through the ISP1 interface of my ASA firewall. The ASA sends ICMP echo packets to 4.2.2.2 with the source IP equal to the ISP1 interface IP address. If an echo reply is not received within the timeout period, the backup route is installed in the routing table and used.
In the background the ASA keeps trying to reach the tracked object 4.2.2.2, and the moment an echo reply is received from 4.2.2.2, the primary route through ISP1 is moved back into the routing table and used.

sla monitor 5
 type echo protocol ipIcmpEcho 4.2.2.2 interface ISP1
 timeout 700    < time to wait for the echo reply, in milliseconds (not seconds)
 frequency 3    < how frequently the probe is sent, in seconds
 num-packets 2  < number of ICMP packets per probe
exit
!
! Here the SLA monitor is scheduled: as per this command it runs forever,
! and the tracking of object 4.2.2.2 starts now.
sla monitor schedule 5 life forever start-time now
!
! Next we create a track object that uses SLA monitor 5 for
! Response Time Reporter (RTR) reachability.
!
track 1 rtr 5 reachability
!
! Finally bind track 1 to the primary default route, so the route stays
! installed only while the object is reachable through the ISP1 interface.
! The backup route has a higher administrative distance (2) and takes over
! when the tracked route is withdrawn.
!
route ISP1 0.0.0.0 0.0.0.0 1.1.1.2 1 track 1
route ISP2 0.0.0.0 0.0.0.0 2.1.1.3 2
!


Now when you check the routing table, you will see that the ASA is using the ISP1 route.
ASA1(config)# show route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area * - candidate default, U - per-user static route, o - ODR P - periodic downloaded static route

Gateway of last resort is 1.1.1.2 to network 0.0.0.0

C    1.1.1.0 255.255.255.0 is directly connected, ISP1
C    2.1.1.0 255.255.255.0 is directly connected, ISP2
C    10.11.11.0 255.255.255.0 is directly connected, inside
S*   0.0.0.0 0.0.0.0 [1/0] via 1.1.1.2, ISP1
For verification I will go to router R2 interface F0/1, which is not the directly connected link between the ASA and R2; rather F0/1 is the link between R2 and R4 (F0/0).

Now check the configuration given below. I shut down interface F0/1 of router R2, which makes communication between the ASA ISP1 interface (1.1.1.10) and the R4 loopback (4.2.2.2) fail, because one link in the path is down.

R2#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R2(config)#int f0/1
R2(config-if)#shutdown
*Mar  1 02:23:17.975: %LINK-5-CHANGED: Interface FastEthernet0/1, changed state to administratively down
*Mar  1 02:23:18.975: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to down
R2(config-if)#

Once you have made the above configuration change, go back to the ASA console and check the routing table.
You will see that, as the ASA is no longer able to track object 4.2.2.2 through the primary default route, it brings the backup default route into the routing table.

Check the output given below -

ASA1(config)# show route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area * - candidate default, U - per-user static route, o - ODR P - periodic downloaded static route

Gateway of last resort is 2.1.1.3 to network 0.0.0.0

C    1.1.1.0 255.255.255.0 is directly connected, ISP1
C    2.1.1.0 255.255.255.0 is directly connected, ISP2
C    10.11.11.0 255.255.255.0 is directly connected, inside
S*   0.0.0.0 0.0.0.0 [2/0] via 2.1.1.3, ISP2


As I mentioned above, the ASA in the background still tries to track the object. If you bring up interface F0/1 of router R2 again, the ASA can reach 4.2.2.2 once more, and as the object is now reachable the ASA moves the primary default route back into the routing table.

You can check this by going back to the ASA console and using the show route command.


R2(config)#
R2(config)#int F0/1
R2(config-if)#no shutdown
*Mar  1 02:23:56.887: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to up
*Mar  1 02:23:57.887: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up
R2(config-if)#



ASA1(config)# show route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area * - candidate default, U - per-user static route, o - ODR P - periodic downloaded static route

Gateway of last resort is 1.1.1.2 to network 0.0.0.0

C    1.1.1.0 255.255.255.0 is directly connected, ISP1
C    2.1.1.0 255.255.255.0 is directly connected, ISP2
C    10.11.11.0 255.255.255.0 is directly connected, inside
S*   0.0.0.0 0.0.0.0 [1/0] via 1.1.1.2, ISP1

ASA1(config)# show sla monitor operational-state
Entry number: 5
Modification time: 09:59:21.554 UTC Wed Oct 21 2015
Number of Octets Used by this Entry: 1480
Number of operations attempted: 2042
Number of operations skipped: 0
Current seconds left in Life: Forever
Operational state of entry: Active
Last time this entry was reset: Never
Connection loss occurred: FALSE
Timeout occurred: FALSE
Over thresholds occurred: FALSE
Latest RTT (milliseconds): 40
Latest operation start time: 11:41:24.561 UTC Wed Oct 21 2015
Latest operation return code: OK
RTT Values:
RTTAvg: 40      RTTMin: 40      RTTMax: 40
NumOfRTT: 1     RTTSum: 40      RTTSum2: 1600
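As an added example that is not part of the original post: a small Python check that parses the two outputs above, show route and show sla monitor operational-state, and flags when the default route has moved off ISP1 or the SLA probe reports a timeout, which is what an operator would want alerted on rather than discovered after the fact. The sample outputs are constructed from the captures above, and the "Timeout" return-code value in the failed sample is an assumption.

```python
import re

# Constructed samples in the shape of the 'show route' and
# 'show sla monitor operational-state' captures above (not live output).
ROUTE_PRIMARY = """\
Gateway of last resort is 1.1.1.2 to network 0.0.0.0

C    1.1.1.0 255.255.255.0 is directly connected, ISP1
C    2.1.1.0 255.255.255.0 is directly connected, ISP2
S*   0.0.0.0 0.0.0.0 [1/0] via 1.1.1.2, ISP1
"""
ROUTE_BACKUP = """\
Gateway of last resort is 2.1.1.3 to network 0.0.0.0

S*   0.0.0.0 0.0.0.0 [2/0] via 2.1.1.3, ISP2
"""
SLA_OK = "Entry number: 5\nTimeout occurred: FALSE\nLatest operation return code: OK\n"
# 'Timeout' as the return code is an assumed value for the failed case.
SLA_TIMEOUT = "Entry number: 5\nTimeout occurred: TRUE\nLatest operation return code: Timeout\n"

# Matches the candidate default (S*) line: [distance/metric] via next-hop, interface
DEFAULT_RE = re.compile(
    r"^S\*\s+0\.0\.0\.0 0\.0\.0\.0 \[(\d+)/\d+\] via ([\d.]+), (\S+)", re.M)

def active_default_route(show_route):
    """Return (next_hop, interface, admin_distance) of the S* default route, or None."""
    m = DEFAULT_RE.search(show_route)
    return (m.group(2), m.group(3), int(m.group(1))) if m else None

def sla_fields(show_sla):
    """Parse the 'Key: value' lines of show sla monitor operational-state."""
    out = {}
    for line in show_sla.splitlines():
        if ":" in line:
            key, val = line.split(":", 1)
            out[key.strip()] = val.strip()
    return out

def failover_status(show_route, show_sla, primary_if="ISP1"):
    """Raise an alert when the default route is not on the primary interface
    or the SLA probe reports a timeout / non-OK return code."""
    route = active_default_route(show_route)
    sla = sla_fields(show_sla)
    on_primary = route is not None and route[1] == primary_if
    sla_ok = (sla.get("Latest operation return code") == "OK"
              and sla.get("Timeout occurred") == "FALSE")
    return {"default_via": route, "primary_active": on_primary,
            "sla_ok": sla_ok, "alert": not (on_primary and sla_ok)}

if __name__ == "__main__":
    print(failover_status(ROUTE_PRIMARY, SLA_OK))      # alert False
    print(failover_status(ROUTE_BACKUP, SLA_TIMEOUT))  # alert True
```

Feed it the real outputs (for example collected over SSH on a schedule) and raise the alert into your monitoring system; the SLA fields also let you catch a probe that is timing out before the route has actually been withdrawn.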


Hope you guys could run the lab and get the same output.
If you face any issue with this lab, feel free to leave a comment.

Keep learning, keep sharing
