Cisco ASA WAN Failover IP SLA- Guide

We will proceed assuming 

you already configured the ASA with the primary link

Configured the WAN2 on a port with the static IP or DHCP depending on the connection - you should be able to ping the secondary WAN link gateway from the ASA

Note:
Please remove the existing Static Route for the primary WAN link

Configure Route tracking

ASA(config)# route outside 0.0.0.0 0.0.0.0 <ISP 1(WAN1) Gateway> 1 track 1
ASA(config)# route Backup_Wan 0.0.0.0 0.0.0.0 <ISP 2 (WAN2) Gateway> 254

Now lets break it down

Line 01 -  you add the WAN1 route with a administrative distance of 1 and we also include the track 1 statement for the SLA monitor tracking (See below)

Line 02 - with the second line we add the default route for the BackupWan link with a higher administrative distance to make it the secondary link

Examples 

ASA(config)# route outside  0.0.0.0 0.0.0.0 100.100.100.10 1 track 1
ASA(config)# route Backup_Wan  0.0.0.0 0.0.0.0 200.200.200.10 254

Setup SLA monitoring and Route tracking 

ASA(config)# sla monitor 10

Configure the SLA monitor with ID 10

ASA(config-sla-monitor)# type echo protocol ipIcmpEcho 8.8.8.8 interface outside

Configure the monitoring protocol, the target IP for the probe and the interface use

SLA monitor will keep probing the IP we define here and report if its unreachable via the given interface
In this senario im using 8.8.8.8 as the target IP you can use any public IP for monitoring

ASA(config-sla-monitor-echo)# num-packets 4

Number of packets sent to the probe

ASA(config-sla-monitor-echo)# timeout 1000

Timeout value in milliseconds. if you have a slow link as the primary increase the time out accordingly

ASA(config-sla-monitor-echo)# frequency 10

Frequency of the probe in seconds - SLA monitor will probe the IP every 10 seconds

ASA(config)# sla monitor schedule 10 life forever start-time now

Set the ASA to start the SLA monitor now and keep it running for ever

ASA(config)# track 1 rtr 10 reachability

This command will tell the ASA to keep tracking the SLA monitor with the ID:10 and the Default route defined with "Track 1"

if the probe fails to reach the target IP (in this case 8.8.8.8) via the designated interface it will remove the route defined with "Track 1" from the routing table 

The next best possible route in this scenario the backup ISP route with administrative distance of 254 takes its place


Configure dynamic NAT Rules (Important)

nat (inside,<ISP 1(WAN1) Interface Name) source dynamic any interface
nat (inside,<ISP 2(WAN2) Interface Name>) source dynamic any interface

Configure the two NAT statements required so that either interface can provide NATting,

Examples 

nat (inside,outside) source dynamic any interface
nat (inside,Backup_Wan) source dynamic any interface

This method worked well for me personally and keep in mind i'm no Cisco Guru so if i made a mistake or if you feel like there is a better way to do this please leave comment. its all about the community after all

Until next time stay awesome internetz