在ASA/FTD中配置和验证PPPoE冗余/高可用性
简介
本文档介绍在ASA或安全防火墙威胁防御(FTD)中配置和验证PPPoE冗余(高可用性或HA)。
先决条件
要求
基本的产品知识。
使用的组件
本文档中的信息都是基于特定实验室环境中的设备编写的。本文档中使用的所有设备最初均采用原始(默认)配置。如果您的网络处于活动状态,请确保您了解所有命令的潜在影响。
本文档中的信息基于以下软件和硬件版本:
- 安全防火墙威胁防御(FTD)版本10.0.0,由安全防火墙管理中心(FMC)版本10.0.1管理。
- ASA 9.24.1 版.
背景信息
防火墙软件支持配置多个PPPoE会话。本文档考虑了两个PPPoE会话,并互换使用“HA”或“冗余”。
结合服务层协议(SLA),跟踪和带跟踪的路由用户可以配置不同的冗余模式:
- 具有负载共享的主用 — 主用冗余
- 具有负载共享和PPPoE客户端路由跟踪的主用 — 主用冗余
- 无负载共享的主用 — 备用冗余
请注意,对等设备上的路由配置不属于本文的范围。
具有负载共享的主用 — 主用冗余
请参阅以下示例拓扑:
具有负载共享的主用 — 主用冗余
关键点
- PPPoE在防火墙outside和outside2接口中配置。
- RTR1和RTR2是PPPoE服务器。
- 防火墙通过外部接口安装默认路由。通过outside2接口的默认路由具有更高的路由距离,也就是说,不太可取。
- 通过outside2接口安装通往特定子网的负载共享静态路由。路由将被跟踪。跟踪是可选的;但是,如果通过outside2接口的路径发生故障,它将通过outside接口提供到路径的快速故障切换。
- 为简单起见,动态端口地址转换(PAT)通过outside和outside2接口进行配置。
ASA 配置
interface GigabitEthernet0/0
nameif outside
security-level 0
pppoe client vpdn group RTR1
ip address pppoe setroute
interface GigabitEthernet0/1
nameif outside2
security-level 0
pppoe client vpdn group RTR2
pppoe client route distance 10
ip address pppoe setroute
vpdn group RTR1 request dialout pppoe
vpdn group RTR1 localname pppoe
vpdn group RTR1 ppp authentication pap
vpdn group RTR2 request dialout pppoe
vpdn group RTR2 localname pppoe
vpdn username pppoe password *****
sla monitor 1
type echo protocol ipIcmpEcho 172.16.1.1 interface outside2
num-packets 2
timeout 5
frequency 5
sla monitor schedule 1 life forever start-time now
track 1 rtr 1 reachability
object network net-192.168.1.0
subnet 192.168.1.0 255.255.255.0
nat (inside,outside) source dynamic net-192.168.1.0 interface
nat (inside,outside2) source dynamic net-192.168.1.0 interface
route outside2 172.16.253.0 255.255.255.0 172.16.1.1 1 track 1
FTD配置
本部分仅介绍特定于FTD的PPPoE配置。以下是FTD上outside和outside2接口PPPoE配置的并排比较以及部署到数据平面的命令:
fmc UI上的外部PPPoE接口配置 
fmc UI上的outside2 PPPoE接口配置
带跟踪的静态路由:
带跟踪的静态路由
SLA监控器对象配置:
SLA配置
关键点
- RTR1和RTR2分别是G0/0和G0/1接口上的2个VPDN组。
- Track 1/SLA1跟踪到RTR2的可达性。track对象通过outside2接口用于静态路由配置。
- pppoe client route distance 10命令指示防火墙将管理距离10应用于从RTR2接收的默认路由,因此该命令不是首选路由。
- 通过outside2接口到特定子网的路由配置了跟踪。
- 因此,两个PPPoE会话都会变为活动状态,并且来自PC的流量会根据路由配置进行负载共享。
确认
- 通过外部接口与RTR1建立PPPoE会话:
firewall# show vpdn session pppoe state
PPPoE Session Information (Total tunnels=2 sessions=1)
SessID TunID Intf State Last Chg
23 5 outside2 PADI_SENT 225 secs
14 4 outside SESSION_UP 150 secs
firewall# show vpdn pppinterface
PPP virtual interface id = 1
PPP authentication protocol is PAP
Server ip address is 10.10.1.1
Our ip address is 10.10.1.10
Transmitted Pkts: 33, Received Pkts: 33, Error Pkts: 0
MPPE key strength is None
MPPE_Encrypt_Pkts: 0, MPPE_Encrypt_Bytes: 0
MPPE_Decrypt_Pkts: 0, MPPE_Decrypt_Bytes: 0
Rcvd_Out_Of_Seq_MPPE_Pkts: 0
PPP virtual interface id = 2 was deleted and pending reuse
firewall# show route
…
S* 0.0.0.0 0.0.0.0 [1/0] via 10.10.1.1, outside
C 192.168.1.0 255.255.255.0 is directly connected, inside
L 192.168.1.1 255.255.255.255 is directly connected, inside
系统日志:
Mar 15 2026 20:23:26: %ASA-6-305009: Built static translation from outside:0.0.0.0 to inside:0.0.0.0
Mar 15 2026 20:23:26: %ASA-6-603108: Built PPPOE Tunnel, tunnel_id = 4, remote_peer_ip = 10.10.1.1, ppp_virtual_interface_id = 1, client_dynamic_ip = 10.10.1.10, username = pppoe
Mar 15 2026 20:23:26: %ASA-6-317077: Added STATIC route 0.0.0.0 0.0.0.0 via 10.10.1.1 [1/0] on [outside] [G0/0] tableid [0
2.通过outside2接口建立与RTR2的PPPoE会话:
firewall# show vpdn session pppoe state
PPPoE Session Information (Total tunnels=2 sessions=2)
SessID TunID Intf State Last Chg
24 5 outside2 SESSION_UP 76 secs
14 4 outside SESSION_UP 349 secs
firewall# show vpdn pppinterface
PPP virtual interface id = 1
PPP authentication protocol is PAP
Server ip address is 10.10.1.1
Our ip address is 10.10.1.10
Transmitted Pkts: 67, Received Pkts: 67, Error Pkts: 0
MPPE key strength is None
MPPE_Encrypt_Pkts: 0, MPPE_Encrypt_Bytes: 0
MPPE_Decrypt_Pkts: 0, MPPE_Decrypt_Bytes: 0
Rcvd_Out_Of_Seq_MPPE_Pkts: 0
PPP virtual interface id = 2
PPP authentication protocol is PAP
Server ip address is 172.16.1.1
Our ip address is 172.16.1.10
Transmitted Pkts: 54, Received Pkts: 54, Error Pkts: 0
MPPE key strength is None
MPPE_Encrypt_Pkts: 0, MPPE_Encrypt_Bytes: 0
MPPE_Decrypt_Pkts: 0, MPPE_Decrypt_Bytes: 0
Rcvd_Out_Of_Seq_MPPE_Pkts: 0
firewall# show route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
…
S* 0.0.0.0 0.0.0.0 [1/0] via 10.10.1.1, outside
S 172.16.253.0 255.255.255.0 [1/0] via 172.16.1.1, outside2
C 192.168.1.0 255.255.255.0 is directly connected, inside
L 192.168.1.1 255.255.255.255 is directly connected, inside
系统日志:
Mar 15 2026 20:27:59: %ASA-6-317077: Added STATIC route 0.0.0.0 0.0.0.0 via 0.0.0.0 [10/0] on [outside2] [G0/1] tableid [0]
Mar 15 2026 20:27:59: %ASA-6-305009: Built static translation from outside2:0.0.0.0 to inside:0.0.0.0
Mar 15 2026 20:27:59: %ASA-6-603108: Built PPPOE Tunnel, tunnel_id = 5, remote_peer_ip = 172.16.1.1, ppp_virtual_interface_id = 2, client_dynamic_ip = 172.16.1.10, username = pppoe
Mar 15 2026 20:27:59: %ASA-6-305010: Teardown static translation from outside2:0.0.0.0 to inside:0.0.0.0 duration 0:06:08
Mar 15 2026 20:28:04: %ASA-6-622001: Adding tracked route 172.16.253.0 255.255.255.0 172.16.1.1, distance 1, table default, on interface outside2
Mar 15 2026 20:28:04: %ASA-6-317077: Added STATIC route 172.16.253.0 255.255.255.0 via 172.16.1.1 [1/0] on [outside2] [G0/1] tableid [0]
3.发送从PC IP地址192.168.1.2到10.10.253.2和172.16.253.2的数据包。由于PAT,捕获capo和capo2显示出口接口IP地址(映射地址):
Mar 14 2026 23:13:13: %ASA-6-305011: Built dynamic ICMP translation from inside:192.168.1.2/2668 to outside:10.10.1.10/2668
Mar 14 2026 23:13:19: %ASA-6-305011: Built dynamic ICMP translation from inside:192.168.1.2/2669 to outside2:172.16.1.10/2669
firewall# show cap
capture capo type raw-data interface outside [Capturing - 456 bytes]
match icmp any host 10.10.253.2
capture capo2 type raw-data interface outside2 [Capturing - 456 bytes]
match icmp any host 172.16.253.2
firewall# show cap capo
4 packets captured
1: 23:13:13.409387 10.10.1.10 > 10.10.253.2 icmp: echo request
2: 23:13:13.417764 10.10.253.2 > 10.10.1.10 icmp: echo reply
3: 23:13:14.409799 10.10.1.10 > 10.10.253.2 icmp: echo request
4: 23:13:14.415978 10.10.253.2 > 10.10.1.10 icmp: echo reply
4 packets shown
firewall# show cap capo2
4 packets captured
1: 23:13:19.500584 172.16.1.10 > 172.16.253.2 icmp: echo request
2: 23:13:19.506321 172.16.253.2 > 172.16.1.10 icmp: echo reply
3: 23:13:20.502201 172.16.1.10 > 172.16.253.2 icmp: echo request
4: 23:13:20.508076 172.16.253.2 > 172.16.1.10 icmp: echo reply
4.模拟RTR1上的远程链路故障。通过outside2接口故障切换到备用路径大约需要1分钟:
RTR1:
Mar 15 20:43:19.679: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to down
防火墙:
Mar 15 2026 20:44:17: %ASA-3-403503: PPPoE:PPP link down:
Mar 15 2026 20:44:17: %ASA-3-403503: PPPoE:PPP link down:Peer not responding
Mar 15 2026 20:44:17: %ASA-3-403503: PPPoE:PPP link down:
Mar 15 2026 20:44:17: %ASA-3-403503: PPPoE:PPP link down:LCP down
Mar 15 2026 20:44:17: %ASA-6-603109: Teardown PPPOE Tunnel, tunnel_id = 4, remote_peer_ip = 10.10.1.1
Mar 15 2026 20:44:17: %ASA-6-305009: Built static translation from outside:0.0.0.0 to inside:0.0.0.0
Mar 15 2026 20:44:17: %ASA-6-317078: Deleted STATIC route 0.0.0.0 0.0.0.0 via 10.10.1.1 [1/0] on [outside] [G0/0] tableid [0]
Mar 15 2026 20:44:17: %ASA-7-110007: Del Entry:0.0.0.0/0.0.0.0 nh:10.10.1.1 nh_cnt:1 flags:0 timestamp:147 resolver_cnt:0 ifcout:outside result:1 incr_ts:1 vrfid:65535
Mar 15 2026 20:44:17: %ASA-6-317077: Added STATIC route 0.0.0.0 0.0.0.0 via 172.16.1.1 [10/0] on [outside2] [G0/1] tableid [0]
Mar 15 2026 20:44:17: %ASA-7-110006: Add Entry:0.0.0.0/0.0.0.0 nh:172.16.1.1 nh_cnt:1 flags:0 timestamp:151 resolver_cnt:0 ifcout:outside2 vrfid:1644313584 handle:103727 table:output route
Mar 15 2026 20:44:17: %ASA-6-305010: Teardown static translation from outside:0.0.0.0 to inside:0.0.0.0 duration 0:02:45
firewall# show route
…
S* 0.0.0.0 0.0.0.0 [10/0] via 172.16.1.1, outside2
带有负载共享和PPPoE客户端路由跟踪的主用 — 主用冗余
此情况基于带负载共享的主用 — 主用冗余,并且还需要使用FlexConfig在外部接口下部署额外的track和pppoe client route track x命令。
请参阅以下示例拓扑:
带有负载共享和PPPoE客户端路由跟踪的主用 — 主用冗余
关键点
- PPPoE在防火墙outside和outside2接口中配置。
- RTR1和RTR2是PPPoE服务器。
- 使用route-distance,防火墙通过outside接口安装默认路由。通过outside2接口的默认路由具有更高的路由距离,并且优先级别较低。
- 跟踪通过外部接口到RTR1的默认路由。它是可选的,但取决于SLA频率和超时值,它可提供通过RTR2到路径的更快速故障切换。
- 通过outside2接口安装通往特定子网的负载共享静态路由。路由将被跟踪。跟踪是可选的;但是,它提供了通过RTR1到路径的更快的故障切换。
- 为简单起见,动态端口地址转换(PAT)通过outside和outside2接口进行配置。
ASA 配置
interface GigabitEthernet0/0
nameif outside
security-level 0
pppoe client vpdn group RTR1
pppoe client route track 2
ip address pppoe setroute
interface GigabitEthernet0/1
nameif outside2
security-level 0
pppoe client vpdn group RTR2
pppoe client route distance 10
ip address pppoe setroute
vpdn group RTR1 request dialout pppoe
vpdn group RTR1 localname pppoe
vpdn group RTR1 ppp authentication pap
vpdn group RTR2 request dialout pppoe
vpdn group RTR2 localname pppoe
vpdn username pppoe password *****
sla monitor 2
type echo protocol ipIcmpEcho 10.10.1.1 interface outside
num-packets 2
timeout 5
frequency 5
sla monitor schedule 2 life forever start-time now
sla monitor 1
type echo protocol ipIcmpEcho 172.16.1.1 interface outside2
num-packets 2
timeout 5
frequency 5
sla monitor schedule 1 life forever start-time now
track 1 rtr 1 reachability
track 2 rtr 2 reachability
object network net-192.168.1.0
subnet 192.168.1.0 255.255.255.0
nat (inside,outside) source dynamic net-192.168.1.0 interface
nat (inside,outside2) source dynamic net-192.168.1.0 interface
route outside2 172.16.253.0 255.255.255.0 172.16.1.1 1 track 1
FTD配置
本部分仅介绍特定于FTD的PPPoE配置。配置步骤与“带负载共享的主用 — 主用冗余”部分中的FTD配置相同,同时在外部接口下增加了pppoe client route track x命令。由于FMC UI本身不支持客户端选项的跟踪,因此必须使用FlexConfig。
确保考虑以下几点:
1. FlexConfig策略有意不包含广泛的输入验证。必须确保此FlexConfig策略中的配置正确。不正确的配置会导致部署失败,从而造成网络中断。此外,请考虑隔离部署,使其仅包括FlexConfig更改,而不包括其他策略更新。
2.在部署过程中,FMC会删除任何路径x..命令。对于持久性,您必须将FlexConfig对象的部署设置为Everytime,并在单独的FlexConfig对象中部署。
FlexConfig配置步骤
1.为外部接口的SLA和PPPoE客户端配置配置创建FlexConfig对象。确保将Deployment设置为Once,将Type设置为Append。在本示例中,使用了跟踪2、SLA 2。请注意,缺少track 2 rtr 2 reachability命令:
SLA的FlexConfig
2.创建另一个FlexConfig对象以配置track 2 rtr 2 reachability命令。确保将Deployment设置为Everytime,并将Type设置为Append:
用于跟踪的FlexConfig
3.将对象添加到FlexConfig策略。确保在底部(最后)使用track 2 rtr 2 reachability命令的对象,并部署策略:
FlexConfig策略
关键点
- RTR1和RTR2分别是G0/0和G0/1接口上的2个VPDN组。
- Track 2/SLA2跟踪到RTR1的可达性。pppoe client route track 2命令指示防火墙在跟踪2启用时通过外部接口安装默认路由。
- Track 1/SLA1跟踪到RTR2的可达性。track对象通过outside2接口用于静态路由配置。
- pppoe client route distance 10命令指示防火墙将管理距离10应用到从RTR2接收的默认路由,因此该管理距离不是首选值。
- 通过outside2接口到特定子网的路由配置了跟踪。
- 因此,两个PPPoE会话都会变为活动状态,并且来自PC的流量会根据路由配置进行负载共享。
确认
1.通过外部接口与RTR1建立PPPoE会话:
firewall# show vpdn session pppoe state
PPPoE Session Information (Total tunnels=2 sessions=1)
SessID TunID Intf State Last Chg
12 3 outside SESSION_UP 80 secs
12 4 outside2 PADI_SENT 74 secs
firewall# show vpdn pppinterface
PPP virtual interface id = 1
PPP authentication protocol is PAP
Server ip address is 10.10.1.1
Our ip address is 10.10.1.10
Transmitted Pkts: 71, Received Pkts: 71, Error Pkts: 0
MPPE key strength is None
MPPE_Encrypt_Pkts: 0, MPPE_Encrypt_Bytes: 0
MPPE_Decrypt_Pkts: 0, MPPE_Decrypt_Bytes: 0
Rcvd_Out_Of_Seq_MPPE_Pkts: 0
PPP virtual interface id = 2 was deleted and pending reuse
firewall# show route
…
S* 0.0.0.0 0.0.0.0 [1/0] via 10.10.1.1, outside
C 192.168.1.0 255.255.255.0 is directly connected, inside
L 192.168.1.1 255.255.255.255 is directly connected, inside
系统日志:
Mar 14 2026 22:54:46: %ASA-4-411001: Line protocol on Interface GigabitEthernet0/0, changed state to up
Mar 14 2026 22:54:50: %ASA-6-305009: Built static translation from outside:0.0.0.0 to inside:0.0.0.0
Mar 14 2026 22:54:50: %ASA-6-603108: Built PPPOE Tunnel, tunnel_id = 3, remote_peer_ip = 10.10.1.1, ppp_virtual_interface_id = 1, client_dynamic_ip = 10.10.1.10, username = pppoe
Mar 14 2026 22:54:51: %ASA-6-305010: Teardown static translation from outside:0.0.0.0 to inside:0.0.0.0 duration 0:00:25
Mar 14 2026 22:54:52: %ASA-6-622001: Adding tracked route 0.0.0.0 0.0.0.0 10.10.1.1, distance 1, table default, on interface outside
Mar 14 2026 22:54:52: %ASA-6-317077: Added STATIC route 0.0.0.0 0.0.0.0 via 10.10.1.1 [1/0] on [outside] [Gi0/0] tableid [0]
Mar 14 2026 22:54:52: %ASA-7-110006: Add Entry:0.0.0.0/0.0.0.0 nh:10.10.1.1 nh_cnt:1 flags:0 timestamp:328 resolver_cnt:0 ifcout:outside vrfid:0 handle:444749 table:output route
2.通过outside2接口建立与RTR2的PPPoE会话:
firewall# show vpdn session pppoe state
PPPoE Session Information (Total tunnels=2 sessions=2)
SessID TunID Intf State Last Chg
12 3 outside SESSION_UP 412 secs
13 4 outside2 SESSION_UP 89 secs
firewall# show vpdn pppinterface
PPP virtual interface id = 1
PPP authentication protocol is PAP
Server ip address is 10.10.1.1
Our ip address is 10.10.1.10
Transmitted Pkts: 238, Received Pkts: 238, Error Pkts: 0
MPPE key strength is None
MPPE_Encrypt_Pkts: 0, MPPE_Encrypt_Bytes: 0
MPPE_Decrypt_Pkts: 0, MPPE_Decrypt_Bytes: 0
Rcvd_Out_Of_Seq_MPPE_Pkts: 0
PPP virtual interface id = 2
PPP authentication protocol is PAP
Server ip address is 172.16.1.1
Our ip address is 172.16.1.10
Transmitted Pkts: 56, Received Pkts: 56, Error Pkts: 0
MPPE key strength is None
MPPE_Encrypt_Pkts: 0, MPPE_Encrypt_Bytes: 0
MPPE_Decrypt_Pkts: 0, MPPE_Decrypt_Bytes: 0
Rcvd_Out_Of_Seq_MPPE_Pkts: 0
firewall# show route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, V - VPN
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, + - replicated route
SI - Static InterVRF, BI - BGP InterVRF
Gateway of last resort is 10.10.1.1 to network 0.0.0.0
S* 0.0.0.0 0.0.0.0 [1/0] via 10.10.1.1, outside
C 192.168.1.0 255.255.255.0 is directly connected, inside
L 192.168.1.1 255.255.255.255 is directly connected, inside
S 172.16.253.0 255.255.255.0 [1/0] via 172.16.1.1, outside2
系统日志:
Mar 14 2026 22:59:45: %ASA-4-411001: Line protocol on Interface GigabitEthernet0/1, changed state to up
Mar 14 2026 23:00:13: %ASA-6-603108: Built PPPOE Tunnel, tunnel_id = 4, remote_peer_ip = 172.16.1.1, ppp_virtual_interface_id = 2, client_dynamic_ip = 172.16.1.10, username = pppoe
Mar 14 2026 23:00:14: %ASA-6-305010: Teardown static translation from outside2:0.0.0.0 to inside:0.0.0.0 duration 0:25:25
Mar 14 2026 23:00:18: %ASA-6-622001: Adding tracked route 172.16.253.0 255.255.255.0 172.16.1.1, distance 1, table default, on interface outside2
Mar 14 2026 23:00:18: %ASA-6-317077: Added STATIC route 172.16.253.0 255.255.255.0 via 172.16.1.1 [1/0] on [outside2] [Gi0/1] tableid [0]
Mar 14 2026 23:00:18: %ASA-7-110006: Add Entry:172.16.253.0/255.255.255.0 nh:172.16.1.1 nh_cnt:1 flags:0 timestamp:339 resolver_cnt:0 ifcout:outside2 vrfid:0 handle:458877 table:output route
3.发送从PC IP地址192.168.1.2到10.10.253.2和172.16.253.2的数据包。由于PAT,capo和capo2显示出口接口IP地址(映射地址):
Mar 14 2026 23:13:13: %ASA-6-305011: Built dynamic ICMP translation from inside:192.168.1.2/2668 to outside:10.10.1.10/2668
Mar 14 2026 23:13:19: %ASA-6-305011: Built dynamic ICMP translation from inside:192.168.1.2/2669 to outside2:172.16.1.10/2669
firewall# show cap
capture capo type raw-data interface outside [Capturing - 456 bytes]
match icmp any host 10.10.253.2
capture capo2 type raw-data interface outside2 [Capturing - 456 bytes]
match icmp any host 172.16.253.2
firewall# show cap capo
4 packets captured
1: 23:13:13.409387 10.10.1.10 > 10.10.253.2 icmp: echo request
2: 23:13:13.417764 10.10.253.2 > 10.10.1.10 icmp: echo reply
3: 23:13:14.409799 10.10.1.10 > 10.10.253.2 icmp: echo request
4: 23:13:14.415978 10.10.253.2 > 10.10.1.10 icmp: echo reply
4 packets shown
firewall# show cap capo2
4 packets captured
1: 23:13:19.500584 172.16.1.10 > 172.16.253.2 icmp: echo request
2: 23:13:19.506321 172.16.253.2 > 172.16.1.10 icmp: echo reply
3: 23:13:20.502201 172.16.1.10 > 172.16.253.2 icmp: echo request
4: 23:13:20.508076 172.16.253.2 > 172.16.1.10 icmp: echo reply
4.模拟RTR1上的远程链路故障。通过outside2接口故障切换到备用路径取决于track1的计时器:
RTR1:
Mar 15 21:06:11.608: %LINEPROTO-5-UPDOWN: Line protocol on Interface TenGigabitEthernet0/0/0, changed state to down
防火墙:
Mar 15 2026 21:06:14: %ASA-3-317012: Interface IP route counter negative - Ethernet1/2
Mar 15 2026 21:06:14: %ASA-6-622001: Removing tracked route 0.0.0.0 0.0.0.0 10.10.1.1, distance 1, table default, on interface outside
Mar 15 2026 21:06:14: %ASA-6-317078: Deleted STATIC route 0.0.0.0 0.0.0.0 via 10.10.1.1 [1/0] on [outside] [E1/2] tableid [0]
Mar 15 2026 21:06:14: %ASA-7-110007: Del Entry:0.0.0.0/0.0.0.0 nh:10.10.1.1 nh_cnt:1 flags:0 timestamp:199 resolver_cnt:0 ifcout:outside result:1 incr_ts:1 vrfid:0
Mar 15 2026 21:06:14: %ASA-6-317077: Added STATIC route 0.0.0.0 0.0.0.0 via 172.16.1.1 [10/0] on [outside2] [E1/3] tableid [0]
Mar 15 2026 21:06:14: %ASA-7-110006: Add Entry:0.0.0.0/0.0.0.0 nh:172.16.1.1 nh_cnt:1 flags:0 timestamp:203 resolver_cnt:0 ifcout:outside2 vrfid:1512689936 handle:117182335 table:output route
KSEC-CSF1210-1# show route
…
S* 0.0.0.0 0.0.0.0 [10/0] via 172.16.1.1, outside2
注意:
路由更改不会应用于现有连接。因此,即使有更好的路径可用,现有连接仍继续使用“旧”路径。实际上,这可能在路由更改后造成影响。要指示防火墙使用新路径,请考虑启用浮动连接计时器。 如果启用浮动连接超时并将其设置为非零值,则如果有更好的路由可用,则此超时允许连接关闭,以便可以重新建立连接以使用更好的路由。请参阅https://www.cisco.com/c/en/us/td/docs/security/asa/asa-cli-reference/T-Z/asa-command-ref-T-Z/m_ta-tk.html中浮动连接的说明。
无负载共享的主用 — 备用冗余
在这种情况下,只有1个PPPoE会话处于活动状态,另一个会话处于非活动状态,直到活动会话的跟踪关闭。
命令pppoe client secondary track x用于outside2(backup)接口。
请参阅以下示例拓扑:
活动备用拓扑
关键点
- PPPoE在防火墙G0/0和G0/1接口上配置。
- RTR1和RTR2是PPPoE服务器。
- 使用route-distance,防火墙通过outside接口安装到RTR1的默认路由。通向RTR2的默认路由具有更高的路由距离,其优先级较低。
- 跟踪通过外部接口到RTR1的默认路由。它是可选的,但通过RTR2提供到路径的更快的故障切换。
- 仅当用于通过外部接口到RTR1的默认路由的路径关闭时,才会建立通过outside2接口到RTR2的PPPoE会话。
- 在给定的时间内,只有1个PPPoE会话处于活动状态。
- 为简单起见,动态端口地址转换(PAT)通过outside和outside2接口进行配置。
ASA 配置
interface GigabitEthernet0/0
nameif outside
security-level 0
pppoe client vpdn group RTR1
pppoe client route track 2
ip address pppoe setroute
interface GigabitEthernet0/1
nameif outside2
security-level 0
pppoe client vpdn group RTR2
pppoe client route distance 10
pppoe client secondary track 2
ip address pppoe setroute
vpdn group RTR1 request dialout pppoe
vpdn group RTR1 localname pppoe
vpdn group RTR1 ppp authentication pap
vpdn group RTR2 request dialout pppoe
vpdn group RTR2 localname pppoe
vpdn username pppoe password *****
sla monitor 2
type echo protocol ipIcmpEcho 10.10.1.1 interface outside
num-packets 2
timeout 5
frequency 5
sla monitor schedule 2 life forever start-time now
track 2 rtr 2 reachability
object network net-192.168.1.0
subnet 192.168.1.0 255.255.255.0
nat (inside,outside) source dynamic net-192.168.1.0 interface
nat (inside,outside2) source dynamic net-192.168.1.0 interface
FTD配置
本节介绍如何为outside2(备份)接口配置pppoe client secondary track x命令。由于FMC UI本身不支持客户端选项的跟踪,因此必须使用FlexConfig。
您必须确保配置其余配置,包括PPPoE配置、路由等。
确保考虑以下几点:
- FlexConfig策略有意不包含广泛的输入验证。必须确保此FlexConfig策略中的配置正确。不正确的配置会导致部署失败,从而造成网络中断。此外,请考虑隔离部署,使其仅包括FlexConfig更改,而不包括其他策略更新。
- 在部署过程中,FMC会删除任何跟踪x。命令。对于持久性,您必须将FlexConfig对象的部署设置为Everytime,并在单独的FlexConfig对象中部署。
FlexConfig配置步骤
1.创建FlexConfig对象以配置outside2(备份)接口的SLA和PPPoE客户端配置。确保将Deployment设置为Once,将Type设置为Append。在本示例中,使用了跟踪2、SLA 2。请注意,缺少track 2 rtr 2 reachability命令:
SLA的FlexConfig
2.创建另一个FlexConfig对象以配置track 2 rtr 2 reachability命令。确保将Deployment设置为Everytime,并将Type设置为Append:
用于跟踪的FlexConfig
3.将对象添加到FlexConfig策略。确保在底部(最后)使用track 2 rtr 2 reachability命令的对象,并部署策略:
FlexConfig策略
关键点
- G0/1接口下的pppoe client secondary track 2命令指示防火墙仅在跟踪2发生故障时通过G0/1接口激活PPPoE会话。跟踪通过主路径的可达性的跟踪2的故障会激活备用路径。
- 因此,在给定时间只有1个PPPoE会话处于活动状态。
确认
1.已建立通过外部接口与RTR1的PPPoE会话。备份会话处于空闲状态:
firewall# show vpdn session pppoe state
PPPoE Session Information (Total tunnels=1 sessions=1)
SessID TunID Intf State Last Chg
13 3 outside SESSION_UP 72 secs
firewall# show vpdn pppinterface
PPP virtual interface id = 1
PPP authentication protocol is PAP
Server ip address is 10.10.1.1
Our ip address is 10.10.1.10
Transmitted Pkts: 60, Received Pkts: 60, Error Pkts: 0
MPPE key strength is None
MPPE_Encrypt_Pkts: 0, MPPE_Encrypt_Bytes: 0
MPPE_Decrypt_Pkts: 0, MPPE_Decrypt_Bytes: 0
Rcvd_Out_Of_Seq_MPPE_Pkts: 0
PPP virtual interface id = 2 was deleted and pending reuse
2.通过外部接口到RTR1的PPPoE会话失败(例如,由于物理接口或链路故障)。 通过outside2接口建立到RTR2的PPPoE会话。
系统日志:
Mar 14 2026 23:40:50: %ASA-3-403503: PPPoE:PPP link down:Peer not responding
Mar 14 2026 23:40:50: %ASA-3-403503: PPPoE:PPP link down:
Mar 14 2026 23:40:50: %ASA-3-403503: PPPoE:PPP link down:LCP down
Mar 14 2026 23:40:50: %ASA-6-603109: Teardown PPPOE Tunnel, tunnel_id = 3, remote_peer_ip = 10.10.1.1
Mar 14 2026 23:40:50: %ASA-6-305009: Built static translation from outside:0.0.0.0 to inside:0.0.0.0
Mar 14 2026 23:39:44: %ASA-4-411002: Line protocol on Interface GigabitEthernet0/0, changed state to down
Mar 14 2026 23:39:44: %ASA-7-713906: IKE Receiver: Interface 3(outside) going down
Mar 14 2026 23:39:44: %ASA-3-317012: Interface IP route counter negative - GigabitEthernet0/0
Mar 14 2026 23:39:44: %ASA-6-317078: Deleted STATIC route 0.0.0.0 0.0.0.0 via 10.10.1.1 [1/0] on [outside] [Gi0/0] tableid [0]
Mar 14 2026 23:39:44: %ASA-7-110007: Del Entry:0.0.0.0/0.0.0.0 nh:10.10.1.1 nh_cnt:1 flags:0 timestamp:451 resolver_cnt:0 ifcout:outside result:1 incr_ts:1 vrfid:0
Mar 14 2026 23:39:48: %ASA-6-622001: Removing tracked route 0.0.0.0 0.0.0.0 10.10.1.1, distance 1, table default, on interface outside
Mar 14 2026 23:39:48: %ASA-6-305009: Built static translation from outside2:0.0.0.0 to inside:0.0.0.0
Mar 14 2026 23:39:48: %ASA-6-603108: Built PPPOE Tunnel, tunnel_id = 4, remote_peer_ip = 172.16.1.1, ppp_virtual_interface_id = 2, client_dynamic_ip = 172.16.1.10, username = pppoe
Mar 14 2026 23:39:48: %ASA-6-317078: Deleted CONNECTED route 172.16.1.10 255.255.255.255 via 0.0.0.0 [0/0] on [outside2] [Gi0/1] tableid [0]
Mar 14 2026 23:39:48: %ASA-6-317077: Added STATIC route 0.0.0.0 0.0.0.0 via 172.16.1.1 [10/0] on [outside2] [Gi0/1] tableid [0]
Mar 14 2026 23:39:48: %ASA-7-110006: Add Entry:0.0.0.0/0.0.0.0 nh:172.16.1.1 nh_cnt:1 flags:0 timestamp:459 resolver_cnt:0 ifcout:outside2 vrfid:0 handle:610419 table:output route
firewall# show vpdn session pppoe state
PPPoE Session Information (Total tunnels=2 sessions=1)
SessID TunID Intf State Last Chg
13 3 outside PADI_SENT 0 secs
14 4 outside2 SESSION_UP 82 secs
firewall# show vpdn pppinterface
PPP virtual interface id = 1 was deleted and pending reuse
PPP virtual interface id = 2
PPP authentication protocol is PAP
Server ip address is 172.16.1.1
Our ip address is 172.16.1.10
Transmitted Pkts: 56, Received Pkts: 56, Error Pkts: 0
MPPE key strength is None
MPPE_Encrypt_Pkts: 0, MPPE_Encrypt_Bytes: 0
MPPE_Decrypt_Pkts: 0, MPPE_Decrypt_Bytes: 0
Rcvd_Out_Of_Seq_MPPE_Pkts: 0
firewall# show route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, V - VPN
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, + - replicated route
SI - Static InterVRF, BI - BGP InterVRF
Gateway of last resort is 172.16.1.1 to network 0.0.0.0
S* 0.0.0.0 0.0.0.0 [10/0] via 172.16.1.1, outside2
S 172.16.253.0 255.255.255.0 [1/0] via 172.16.1.1, outside2
C 192.168.1.0 255.255.255.0 is directly connected, inside
L 192.168.1.1 255.255.255.255 is directly connected, inside
3.发送从PC IP地址192.168.1.2到10.10.253.2和172.16.253.2的数据包。由于主路径失败,所有数据包都通过outside2接口发送。此外,由于PAT,capo2 capo显示出口接口IP地址(映射地址):
Mar 14 2026 23:46:07: %ASA-6-305011: Built dynamic ICMP translation from inside:192.168.1.2/2677 to outside2:172.16.1.10/2677
Mar 14 2026 23:46:09: %ASA-6-305011: Built dynamic ICMP translation from inside:192.168.1.2/2678 to outside2:172.16.1.10/2678
firewall# show cap
capture capo type raw-data interface outside [Capturing - 0 bytes]
match icmp any host 10.10.253.2
capture capo2 type raw-data interface outside2 [Capturing - 912 bytes]
match icmp any host 172.16.253.2
match icmp any host 10.10.253.2
firewall# show cap capo2
8 packets captured
1: 23:46:07.533694 172.16.1.10 > 172.16.253.2 icmp: echo request
2: 23:46:07.541842 172.16.253.2 > 172.16.1.10 icmp: echo reply
3: 23:46:08.534075 172.16.1.10 > 172.16.253.2 icmp: echo request
4: 23:46:08.540621 172.16.253.2 > 172.16.1.10 icmp: echo reply
5: 23:46:09.773031 172.16.1.10 > 10.10.253.2 icmp: echo request
6: 23:46:09.780034 10.10.253.2 > 172.16.1.10 icmp: echo reply
7: 23:46:10.773946 172.16.1.10 > 10.10.253.2 icmp: echo request
8: 23:46:10.778569 10.10.253.2 > 172.16.1.10 icmp: echo reply
4.恢复通过外部接口的路径,重新建立到RTR1的PPPoE会话。通过outside2接口的会话转换到挂起的重复使用状态:
firewall# show vpdn session pppoe state
PPPoE Session Information (Total tunnels=1 sessions=1)
SessID TunID Intf State Last Chg
17 3 outside SESSION_UP 89 secs
firewall# show vpdn pppinterface
PPP virtual interface id = 1
PPP authentication protocol is PAP
Server ip address is 10.10.1.1
Our ip address is 10.10.1.10
Transmitted Pkts: 58, Received Pkts: 58, Error Pkts: 0
MPPE key strength is None
MPPE_Encrypt_Pkts: 0, MPPE_Encrypt_Bytes: 0
MPPE_Decrypt_Pkts: 0, MPPE_Decrypt_Bytes: 0
Rcvd_Out_Of_Seq_MPPE_Pkts: 0
PPP virtual interface id = 2 was deleted and pending reuse
firewall# show route
...
S* 0.0.0.0 0.0.0.0 [1/0] via 10.10.1.1, outside
C 192.168.1.0 255.255.255.0 is directly connected, inside
L 192.168.1.1 255.255.255.255 is directly connected, inside
系统日志:
Mar 15 2026 00:04:36: %ASA-4-411001: Line protocol on Interface GigabitEthernet0/0, changed state to up
Mar 15 2026 00:05:27: %ASA-6-603108: Built PPPOE Tunnel, tunnel_id = 3, remote_peer_ip = 10.10.1.1, ppp_virtual_interface_id = 1, client_dynamic_ip = 10.10.1.10, username = pppoe
Mar 15 2026 00:05:35: %ASA-6-622001: Adding tracked route 0.0.0.0 0.0.0.0 10.10.1.1, distance 1, table default, on interface outside
Mar 15 2026 00:05:35: %ASA-6-603109: Teardown PPPOE Tunnel, tunnel_id = 4, remote_peer_ip = 172.16.1.1
Mar 15 2026 00:05:40: %ASA-6-622001: Removing tracked route 172.16.253.0 255.255.255.0 172.16.1.1, distance 1, table default, on interface outside2
Mar 15 2026 00:05:40: %ASA-6-317078: Deleted STATIC route 172.16.253.0 255.255.255.0 via 172.16.1.1 [1/0] on [outside2] [Gi0/1] tableid [0]
5.从PC IP地址192.168.1.2到10.10.253.2和172.16.253.2的数据包通过outside接口(主路径)发送,此外,由于PAT,capture capo显示出口接口IP地址(映射地址):
Mar 15 2026 00:17:27: %ASA-6-305011: Built dynamic ICMP translation from inside:192.168.1.2/2685 to outside:10.10.1.10/2685
Mar 15 2026 00:17:29: %ASA-6-305011: Built dynamic ICMP translation from inside:192.168.1.2/2686 to outside:10.10.1.10/2686
firewall# show capture
capture capo type raw-data interface outside [Capturing - 912 bytes]
match icmp any host 10.10.253.2
match icmp any host 172.16.253.2
capture capo2 type raw-data interface outside2 [Capturing - 0 bytes]
match icmp any host 172.16.253.2
match icmp any host 10.10.253.2
firewall# show capture capo
8 packets captured
1: 00:17:27.680247 10.10.1.10 > 10.10.253.2 icmp: echo request
2: 00:17:27.688761 10.10.253.2 > 10.10.1.10 icmp: echo reply
3: 00:17:28.680415 10.10.1.10 > 10.10.253.2 icmp: echo request
4: 00:17:28.683405 10.10.253.2 > 10.10.1.10 icmp: echo reply
5: 00:17:29.732673 10.10.1.10 > 172.16.253.2 icmp: echo request
6: 00:17:29.739799 172.16.253.2 > 10.10.1.10 icmp: echo reply
7: 00:17:30.732979 10.10.1.10 > 172.16.253.2 icmp: echo request
8: 00:17:30.736656 172.16.253.2 > 10.10.1.10 icmp: echo reply
8 packets shown
注意:
路由更改不会应用于现有连接。因此,即使有更好的路径可用,现有连接仍继续使用“旧”路径。实际上,这可能在路由更改后造成影响。要指示防火墙使用新路径,请考虑启用浮动连接计时器。 如果启用浮动连接超时(即设置为非零值),则如果有更好的路由可用,则此超时允许连接关闭,以便可以重新建立连接以使用更好的路由。请参阅https://www.cisco.com/c/en/us/td/docs/security/asa/asa-cli-reference/T-Z/asa-command-ref-T-Z/m_ta-tk.html中浮动连接的说明。
如何删除或否定使用FlexConfig部署的命令?
如果要删除或取消由FlexConfig部署的配置,则必须执行以下步骤:
- 按此顺序使用否定命令创建FlexConfig,并确保将Type设置为Prepend:
- 删除对跟踪对象的引用
- 删除跟踪对象
- 删除SLA对象
删除使用负载共享和PPPoE客户端路由跟踪的主用 — 主用冗余配置的示例:
Flexonfig移除1
删除用于无负载共享的主用 — 备用冗余的配置的示例:
Flexonfig移除2
2.将在步骤1中创建的否定对象添加到FlexConfig策略中。确保用于添加PPPoE命令的对象已删除,并且不在策略中:
FlexConfig删除策略
3.在CLI中部署策略并验证命令的删除。
4.从FlexConfig策略中删除在第1步创建的否定对象并重新部署。
参考
- Cisco Bug ID CSCwt39430
“增强:在FMC UI上支持FTD接口DHCP/PPPoE客户端配置命令和子命令”
修订历史记录
| 版本 | 发布日期 | 备注 |
|---|---|---|
1.0 |
17-Mar-2026
|
初始版本 |
反馈