Cisco ASA firewalls have offered "Route Tracking" (sometimes called Dual-ISP) for many years now, but it doesn't really work all that well: without much configuration it can only ping a single IP address. If you make that IP address too "close" to your firewall, the ASA may never fail over from your primary Internet connection to your backup connection even when the entire Internet is unreachable. And if you rely on a public IP address, you can get false positives: the ASA fails over to the backup Internet connection because a few packets were lost, even though your primary connection isn't really down.
Here is a way to get Route Tracking to work with multiple IP addresses to ping:
```
! Two /1 routes via the primary gateway together cover the whole address
! space and are tracked by SLA 100
route outside 0.0.0.0 128.0.0.0 <primary gateway> 1 track 100
route outside 128.0.0.0 128.0.0.0 <primary gateway> 1 track 100
! Default route via the primary gateway, tracked separately by SLA 101
route outside 0.0.0.0 0.0.0.0 <primary gateway> 2 track 101
! Backup default route, high metric so it is only used once both tracked
! primary routes have been withdrawn
route outside-failover 0.0.0.0 0.0.0.0 <backup gateway> 254
track 100 rtr 100 reachability
track 101 rtr 101 reachability
sla monitor 100
 type echo protocol ipIcmpEcho 208.67.222.222 interface outside
sla monitor 101
 type echo protocol ipIcmpEcho 8.8.8.8 interface outside
sla monitor schedule 100 life forever start-time now
sla monitor schedule 101 life forever start-time now
```
This way both 208.67.222.222 (OpenDNS) and 8.8.8.8 (Google DNS) have to be unreachable before the ASA fails over from the primary Internet connection to the backup Internet connection. It works because the two /1 routes cover every destination and, being more specific, win over the /0 routes while track 100 is up; if only track 100 fails, the /0 route via the primary gateway (metric 2) still carries traffic; only when track 101 also fails is that route withdrawn too, and the metric 254 route via the backup gateway takes over. You could expand this from pinging two Internet IP addresses to four. You could also use the same approach to chain more than one backup Internet connection, failing over from ISP 1 (say fiber) to ISP 2 (say cable) to ISP 3 (a Cradlepoint router using LTE/4G).
An even better option is to configure two Raspberry Pis (small credit-card sized computers) as a cluster on the outside network of the ASA and have the ASA track them with the SLA command. Those Raspberry Pis can then be configured to ping any number of hosts and also connect to any number of web sites before signaling the ASA to fail over to the backup Internet connection. This gives much more control over the failover process than simple pings, even with the multiple pings allowed by the ASA configuration above. And the redundant Raspberry Pis mean that even if one fails, the ASA route tracking continues to work properly. (Note: you need either one extra static public IP address for a single external Raspberry Pi or three extra static public IP addresses for a cluster of Pis.)
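The check logic such a Pi could run, as an added example that is not from the original post: it pings the two hosts used above, fetches placeholder web sites, declares the upstream dead only after several rounds in which every check fails, and then (an assumed mechanism, since the post does not say how the Pi signals) stops answering the ASA's SLA echo probes by dropping inbound ICMP echo with iptables.

```python
# Quorum health check for a Raspberry Pi on the ASA's outside network (added
# example). Assumed signal: the Pi answers the ASA's SLA echo probes normally
# and drops inbound ICMP echo via iptables once the upstream is judged dead.
import subprocess, time, urllib.request
from dataclasses import dataclass

PING_TARGETS = ["208.67.222.222", "8.8.8.8"]                     # from the post
HTTP_TARGETS = ["https://example.com/", "https://example.net/"]  # placeholders

@dataclass
class Decider:
    down_after: int = 3   # consecutive all-fail rounds before signaling DOWN
    up_after: int = 2     # consecutive good rounds before clearing DOWN
    streak: int = 0       # >0: consecutive good rounds, <0: consecutive bad
    down: bool = False

    def update(self, ping_ok, http_ok):
        # Alive if ANY ping or ANY web fetch worked: a few lost packets to one
        # host, or a single site being down, must never trigger a failover.
        if any(ping_ok) or any(http_ok):
            self.streak = max(self.streak, 0) + 1
            self.down = self.down and self.streak < self.up_after
        else:
            self.streak = min(self.streak, 0) - 1
            self.down = self.down or -self.streak >= self.down_after
        return self.down  # True while DOWN is being signaled to the ASA

def ping(host, timeout=2):
    cmd = ["ping", "-c", "1", "-W", str(timeout), host]
    return subprocess.run(cmd, capture_output=True).returncode == 0

def http_ok(url, timeout=5):
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return 200 <= resp.status < 400
    except Exception:  # DNS failure, timeout, TLS error all count as failed
        return False

def set_icmp_drop(enabled):  # assumed signal mechanism; needs root
    rule = ["INPUT", "-p", "icmp", "--icmp-type", "echo-request", "-j", "DROP"]
    subprocess.run(["iptables", "-I" if enabled else "-D", *rule])

if __name__ == "__main__":  # daemon loop on the Pi
    decider = Decider()
    while True:
        was_down = decider.down
        if decider.update([ping(h) for h in PING_TARGETS],
                          [http_ok(u) for u in HTTP_TARGETS]) != was_down:
            set_icmp_drop(decider.down)  # touch iptables only on transitions
        time.sleep(10)
```

Because the ASA's own SLA probe to the Pi still decides the route, the hysteresis thresholds here add to, rather than replace, the SLA timeout and frequency configured on the firewall.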
We'll be glad to configure Raspberry Pis in this kind of cluster and assist with your ASA configuration.
Please contact us for more information.