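Thursday, May 18, 2017

Moving forward (2017)

Life has many turning points. Some are steps taken so casually, and yet your life turns a corner.

I don't know whether the step I took today is a turning point in my life, but there were so many coincidences that it is enough to make one sigh.

At my current company I felt somewhat tied down, and the company never seemed to make any big progress, nor any big step backward; it was just marking time.
So I had been job hunting all along, hoping to find a job with more design and less operational work. On call is really too annoying.

Some opportunities were good, and I failed to seize them; some were so-so, neither here nor there, and for all sorts of reasons they fell through in the end, which I didn't regret.

One day, 70 told me that a recruiter had told him about a good job and kept trying to persuade him to go for it; he passed and recommended me.
The recruiter contacted me and told me the details of the position. It looked like a good fit, so I decided to give it a try.
Because this position was very much to my liking, I put a lot of effort into preparing, and in the end it all paid off: I got the position.

Thinking about it, this position and I were rather fated to meet: normally 70 never answers calls from unknown numbers, but that day he happened to be listening to music on his headphones, saw a call coming in and picked it up, and that ended up working out for me.

Got the job offer, resigned.
Resigning was a bit easier this time, because most of the time I work from home and don't have much interaction or bonding with colleagues; even the goodbyes could just be said online. Of course, for the ones I'm close to, I still made a phone call or said it face to face.
Saying goodbye from behind a screen is much easier: I can take my time to put the words together, and nobody sees my expression anyway.

Not long after I resigned, I suddenly got some shocking news: my current company has sold off its Call Center business. The network side is not affected for now, but the voice team and the voice development team, which share the same boss as our network team, along with our boss, will be laid off after the transaction. The buyer is only taking the agents and the related business side, and wants none of the other IT staff.

My boss is a very good boss, and several other colleagues are really nice too. Seeing them treated this way made me feel terrible.
Everyone said my departure was perfect timing, and I admit the timing really was good.
But when I learned that my colleagues were being laid off, I felt as if I were abandoning the ship. Still, we are all small fry; even the boss can't influence anything, so what could I possibly do?
All I can say is, "All good things must come to an end"...

Life has many turns, and I hope this step of mine is a good one.
Looking back three years, when I jumped to my current company, the salary was not much of a step up, but I truly learned a lot, and my résumé now has a good deal of the work experience I wanted. Wasn't this stepping stone exactly why I chose this company and accepted that salary in the first place?

Moving forward, new challenges are waiting for me, and I will work hard!! (End)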

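Monday, April 10, 2017

Alive (2017)

Today I read an article, "Just Staying Alive Is Already Hard Enough".

Shi Zhenzhu, meanwhile, is another portrait of the drifters at the bottom of society.

Unlike Tang Xiaoyan, who can struggle in order to survive, Shi Zhenzhu does not even have the right to struggle.

She alone has every disability a human being can suffer: blind, deaf, mute, lame and intellectually impaired. A person like this was perhaps sentenced to death at birth.

But she survived. Li Baicheng spent a little over a hundred yuan and bought her to be his wife.

In the film, Xu Tong asks Li Baicheng:

"A life with no joy in it, is there still any meaning in living?"

Li Baicheng's answer is rather philosophical:

"Saying that is too heartless."

"Saying that is too heartless." When I read this line, my tears nearly fell!

We feel that our lives have been through a lot of hardship, but seeing this, I suddenly felt I was being too self-pitying. It turns out there is no worst, only worse; life can always go further downhill...

Is it too self-pitying, or too heartless...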

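Friday, March 17, 2017

That shouldn't have happened!

I recently had a small embarrassing moment: I actually called TLSv1.2 "TLSv2.0". My technical skills are not solid enough. Why on earth have I always thought it was TLSv2.0?! I need to do some serious self-reflection!

Since we're on the subject of embarrassment, let me share one more, as a way to let out some of the gloom: many years ago, I thought 3DES was the most secure, when it is clearly AES. I really feel sorry for the teacher who taught me! A poor student really does make the teacher lose face!

I hope I make fewer technical mistakes; it's just too embarrassing! T_T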

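Thursday, December 22, 2016

gym (2016)

70 subscribes to a lot of newsletters and learned that a Good Life Fitness was about to open near our home. One day he dragged me over to have a look and said he wanted to join the gym.
Actually, over the past two years we have been running and exercising on and off; we just couldn't keep it up.
Seeing 70 so full of energy, I caught the bug too and joined the fitness club. We also bought personal training: 4 sessions for 70 and 7 sessions for me.
Originally I was assigned a female coach. Because I was going back to China and worried that my enthusiasm would drop over the 3-week gap, I waited until I came back to start training. I didn't expect that by the time I came back, that coach seemed to be on a long break because of an injury, and I was then assigned a coach with a bit of a limp.

70's coach is very good. Like 70, he doesn't talk much, but he is very serious, and reportedly he has even taught dancing on TV. 70 showed me his photos on Facebook, and he is really fit!

My coach is very good too, just a bit talkative, and because of his foot he is sometimes off balance when demonstrating. Part of me wanted to change coaches, but I thought: he has a physical limitation now and has still trained his way to what he has achieved today, which is quite remarkable! If I didn't give him a chance, wouldn't that make me an ingrate, preaching that everyone is equal and should be treated the same, yet wanting a perfect person when it comes to myself? Too hypocritical! And since he is certified, I shouldn't worry about his professional qualifications.

After 70's 4 sessions ended, he actually signed up for a one-year contract, which really astonished me. You have to understand, for someone as stingy as 70 to be willing to pay big money for a personal trainer is like the sun rising in the west!
But I support 70: only when he is super fit can he carry everything when we go backpacking and such! (^O^)

My 7 sessions are almost used up too, and in the end I decided to sign a short-term contract.

My coach has been helping me recover from my frozen shoulder, and it is having some effect. 70 took comparison photos for me: a week earlier my elbow was still 6~7 cm from the floor, and a week later it was only about 5 cm.

Last night, after finishing a one-hour session, I felt it wasn't enough, so I went and trained for almost another hour. The biggest sense of achievement came from finally, for the first time, easily completing a 20-minute workout on the stair master:


My coach says: PT (personal trainer) is short for personal torturer!
Exactly: PT tortures me a thousand times over, and I still treat PT as my coach!! yeah!!
It seems being tortured does have some effect. Keep it up!!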

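Saturday, September 24, 2016

Homemade Espresso/Latte (2016)

I have always been a coffee lover, while 70 had little interest in coffee.
Ever since we went to Germany and the Czech Republic and drank European coffee without sugar, 70 has thought European coffee is really delicious!
Later we went browsing at Kitchen Stuff Plus and saw coffee machines on sale. 70 got the itch and insisted on buying me one, so that I could make coffee for him! lol
But we have quite a lot of stuff at home, and there was no room for a coffee machine. So I told 70: if you can find a place to put the coffee machine, I'll let you buy it~~~

I thought that would defeat 70, but after he got home he cleared out a spot in the kitchen in no time, just big enough for a coffee machine.

All right, since you're so sincere, let's buy it!

After that, 70 kept reading reviews and hunting for deals. After countless reviews and YouTube videos, 70 decided that the low-end coffee machines were all no good, with one flaw or another, so he insisted on buying a manual stove top Espresso pot, and said that since I wouldn't know how to use a manual one, he would make the coffee for me.
Seeing how determined he was, I agreed.
So after another round of fussing, 70 finally bought the pot at Kitchen Stuff Plus, the frothing pitcher and the little coffee tamper on Amazon, and even went to Nofrills for ground coffee.
Everything was ready; all that was missing was the right moment.

The weekend finally came. 70 got up early in the morning and, regardless of the dentist appointment he had in 1 hour, started tinkering with his long-planned coffee project.

-.The water must not go above that little hole.-

-.All sorts of tools.-
-.Tamping the coffee.-

-.It should be flat after tamping.-

-.The stove top coffee pot.-


-.Making the coffee.-

Small as this pot of coffee is, it took at least 20 minutes to brew. Frothing, on the other hand, was very easy: a few strokes produced plenty of foam.
But since it was the first time, I had no idea when the white milk would rise to the surface. When I suddenly saw the white milk, it was already too late to pour any latte art, and so my first attempt at latte art failed.

-.The finished coffee.-

The latte art was a failure, but the coffee we made really did have a European flavor. My cup had a bit less coffee and 70's had a bit more, but overall it was very satisfying.

I posted this DIY to my WeChat Moments and the response was enthusiastic; everyone said they wanted to come over for coffee.
The funniest was Maggie. I said I would invite her once I had practiced the coffee-to-milk ratio and the latte art.
But she said: a friend is someone who grows together with you.
Haha, I didn't know whether to be touched or to roll my eyes, so I might as well roll my eyes while being touched!! O_O

Our Team Chinada friends were very eager too; they really treat us as hired hands, LOL (End)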

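Sunday, August 28, 2016

Killer Game (2016)

Wow, so the Killer game has this many versions?!!!

Back when I was in China, I played the Killer game a few times with colleagues. Only after reading a post did I find out that was version 1.0, with just the judge, killers and civilians.
v2.0: judge, killer, police, civilian
v3.0: judge, killer, police, civilian + doctor, secret police
v4.0: judge, killer, police, civilian + doctor, secret police + sniper, forest elder, butterfly (what on earth are these)
v5.0: judge, killer, police, civilian, doctor, secret police + undercover police + assassin
v6.0: judge, killer, police, civilian + doctor, sniper
v7.0: judge, killer, police, civilian + angel, devil
Taiwan version: judge, killer, civilian

I feel versions one, two and three are all good; the others are too complicated, and you could easily fail to even understand the rules!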

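Thursday, August 25, 2016

Love Letter

I had heard about the film "Love Letter" for a very long time, but never had much interest in looking it up. Later I read an introduction on a WeChat public account, thought it sounded good, and found it on Bilibili.

I didn't expect this film to hit me so hard. My tears kept falling, and 70 was puzzled: I don't find this film very moving...
I really don't know how to explain it to him. I wasn't crying because I found it moving, but because I understand the emotions and feelings the film is trying to express... Quietly remembering, softly saying "I'm fine"... Isn't that enough?

Watching the pure, hazy puppy love between the male Itsuki and the female Itsuki, I couldn't help smiling to myself. That haziness, that faint sweetness and sadness, are all marks left by the years of youth, rippling gently by...

There are a few stills I absolutely love:

There are some very good questions about "Love Letter" on Douban. The most interesting one is:

What is the intention behind the scene where the female Fujii Itsuki runs a high fever?
Here are a few of the answers I like most:
* ... Hiroko and the female Fujii Itsuki face a trial of life at almost the same moment, and find redemption at almost the same time the next morning... Having learned of the male Fujii Itsuki's death from the teacher that afternoon, the female Fujii Itsuki subconsciously and immediately associates it with her father's death years earlier (the scene of sliding across the snow is the proof). Second, it implies that the cycle of tragedy can be broken. A loved one dies, but there are still friends who care; the great tree that was her father has fallen, but the old tree that is her grandfather still stands. However hard life gets, there is still the possibility of moving upward. The film's first theme is life and death; the second theme is the beautiful secret love of youth, even though the film is called "Love Letter".
* ... Before this, the female Fujii Itsuki's feelings for the male Fujii Itsuki stayed at the level of a memory of youth, a former classmate. She did not know that the male Fujii Itsuki had died two years earlier, but on that visit to the school she learned of his death from the teacher, which also brought back the memory of her father's death and at once lifted her feelings to the theme of life and death. She then personally went through the same high fever and pneumonia as her father and experienced a rebirth, which tied her emotional fate more closely to the male Fujii Itsuki. If not for this, she would not cry at the end when she sees the portrait on the library card, and the audience would not be so moved. The female Fujii Itsuki has a high fever while Watanabe Hiroko climbs the male Fujii Itsuki's mountain; in this classic parallel montage, both women call out to the late male Fujii Itsuki: "Fujii Itsuki, how are you? I am fine." For Watanabe Hiroko this is a farewell, a brand-new beginning, while for the female Fujii Itsuki it is the re-establishment of an important connection with the male Fujii Itsuki.

Why does the female Itsuki smash the vase?
* It was a prank; the flowers were supposed to be flowers for the dead...
* Actually, in her subconscious the female Itsuki likes Fujii Itsuki very much, though she may not have realized it herself; otherwise there would not be the long gaze at the boy by the curtain, or the joy in her heart once she knows the truth. Smashing the vase is definitely an emotional act, and it shows precisely the female Itsuki's love for the male Itsuki and her resentment at his leaving without saying goodbye. After all, if he were someone who didn't matter, why would she react like this?
* I think, apart from the anger, sadness and other reasons mentioned above, this is also a show of defiance in the female Itsuki's growing up: before, she was a thoroughly meek girl who wasn't good at expressing her feelings and put up with her classmates' teasing whenever she could, but once the male Itsuki transferred schools, she no longer had any need to put up with it...
* Both angry and disappointed. I had thought we knew each other well, and that you would at least let me know you were leaving, but you didn't. After you left, there would be no one sharing my name to keep me company; the sunlight still came through the library window, but the boy beside it was nowhere to be found.

Another question asks whether the male Itsuki ever really liked Hiroko.
I think of course he did; the engagement ring is the proof. It is true that the male Itsuki had a secret crush on the female Itsuki, and perhaps at first he liked Hiroko because she looked so much like the female Itsuki, but that doesn't mean he never loved Hiroko. As Hiroko says: they had many wonderful times together...

I really do like the film "Love Letter".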

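Saturday, May 7, 2016

Slacking Off: Coloring (2016)

After the Rubik's cube, my other way of slacking off is coloring.

I loved coloring as a child, and then never did it again.

I hear coloring is now popular among adults too, and every so often I get the itch to color something. But you have to know I'm a cheapskate. I did the math in my head: I'd have to buy a book, and lots and lots of colored pens. So expensive!

Once, while shopping at Costco with 70, I happened to mention that I was interested in coloring, and 70, the shopaholic, started looking for deals for me.

One day 70 found a deal on a coloring book and colored pencils on Amazon and emailed it to me. I took one look and still couldn't bring myself to buy it!
In the evening 70 came home and asked me why I hadn't bought it. I said I couldn't bear to spend the money!
He asked again: how much is it?
I said no more than 10 dollars, I guess!
70 immediately said: how come you're even stingier than me now, unwilling to spend even 10 dollars? No way!!

So without another word, he used his own account to buy me the book and the colors, a little under 20 dollars in total.

-.I like the Japanese drawing style.-

Actually, I didn't buy it because I was afraid I have no artistic sense and couldn't color anything nice. Besides, fickle as I am, I might lose interest after coloring one or two pages and waste good money!

What we bought were water color pencils, but because I was afraid I had no artistic sense, I photocopied a page onto ordinary A4 paper for a trial run. A4 paper is not suitable for water color; it pills as soon as it touches water.
In the end I just used them as ordinary colored pencils. ^_^

I myself really like fine-tipped pens, so I bought a box of fine colored markers at Dollarama. Love them!

Later it turned out that coloring really isn't good for me: I colored just one picture and my neck hurt. My spine and neck are already in poor shape from work, and this made it even worse.

But I still quite enjoy the fun of coloring!

-.Found a simple one to practice on.-

-.Half finished.-

Let me rest a bit first, and then carry on slacking off! (End)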

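Slacking Off: Rubik's Cube (2016)

I have always thought the Rubik's cube is a magical thing: twist and twist, twist and twist, and after finally getting 2~3 faces done, you can't take one more step forward. So hard!
Maybe I always thought playing with a Rubik's cube was for kids, so after giving up I never thought of trying again.

Recently 70 and I have been hooked on "The Brain", watching the cube masters on the show solve it, whoosh, whoosh, whoosh. So magical.

Later, after thinking it over carefully, I realized that the cube simply cannot be solved face by face; it has to be solved following certain steps. I couldn't do it as a child because I surely hadn't found the right method!

So one afternoon after work, I went to the dollar store and Walmart by myself to buy a Rubik's cube, and to my surprise they didn't sell any. Well, Walmart did have some, but only the 2x2 ones.
No way, if I'm going to play, it has to be the 3x3! Only later did I learn that the 2x2 cube is not as simple as it looks!

Not having found a cube, I wasn't willing to give up. I remembered that I had once brought back a cube from a show like Cisco Connect. It was a picture cube with very pale colors, but with a little modification it should do for now.
So I rolled up my sleeves and did it myself!

After the modification, I went online to look for a solution, and found a very good website: Mofang Xiaozhan (Rubik's Cube Station).

I know my spatial sense is poor; what I dread most is people giving me directions in terms of north, south, east and west. Watching the flash animations that the site made for beginners for each step, the further I got, the more times I had to rewatch them and keep memorizing before I barely understood the principle.
The site's flash animations helped me the most: watching again and again, one step forward, one step back, to see how the pieces finally move. Without them, I could never have learned it.

The most painful part was memorizing the "little fish" in step five. Not only do you have to memorize the move sequence (you have to memorize sequences for every step anyway), you also have to turn according to the positions of the yellow pieces. The positions themselves follow no particular pattern; just memorize them by rote, and after playing enough you remember them.
Come and feel the malice:
[image: fish]

After countless mistakes and three days, I was finally able to solve the whole cube by myself, though occasionally I still had to peek at the cheatsheet.

So happy, my childhood dream has finally come true!!

Later I kept reviewing and correcting some details I hadn't memorized before, and playing got smoother and smoother!

Later still, I became dissatisfied again and felt I should go on to learn how to get the orientation of the pictures right as well.

Orientation is even more twisted, especially moves like "top face 90 degrees clockwise + front face 90 degrees counterclockwise" and their variations. I simply couldn't figure out whether the top was counterclockwise or clockwise, and whether the front was clockwise or counterclockwise.
Fortunately, as long as the LRFB orientations are adjusted correctly first, in the end only the UB orientations need adjusting, and the moves are not too complicated; get it wrong a few times and you've got it (easier said than done: watching a solved cube get smashed to bits by a wrong step is extremely discouraging; luckily re-solving it only takes ten minutes or so, haha).

In the end I got even the orientations sorted out.

I glanced at the advanced method, CFOP. Too many steps, so I won't try it.

The only thing I'm still interested in leveling up is learning finger tricks, but my current cube is too hard to turn. With all ten fingers gripping tight, sometimes it still won't turn, so learning finger tricks will have to wait.

Without the foundation of the advanced method, I probably can't get fast at speedcubing, so I'll see when I'm bored to death and learn it then.

One-handed and blindfolded solving I have no interest in at all, although they look cool!

I'm still very satisfied; after all, the dream came true!! (End)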

Sunday, November 22, 2015

Dual ISP and VPN as MPLS back

Working on a task:

1. Use 2 ISPs as Internet connections, one as active and the other as backup.
2. Use a VPN over the backup ISP as the alternative path when the MPLS circuit is down.

Did some research and found useful articles:

ASA/PIX 7.x: Redundant or Backup ISP Links Configuration Example
Configuring LAN-to-LAN VPNs
Ken Felix Security Blog -- Cisco ASA ikev2 setup

Set up a lab to simulate these 2 scenarios:

-.logical connection.-


-.physical connection.-

1. Dual ISP portion
The challenge I faced was not the failover itself: when the primary Internet circuit goes down, the default route switches to the backup ISP router SW2, and the track object works perfectly.
The real challenge is when the primary circuit is restored: because the default route is still pointing to the backup ISP router SW2, the tracking target will not be reachable via the ASA's primary interface (in this example, the outside1 interface). This is how the ASA works.

The trick is to configure a host route to the ping target via the primary interface. Whether or not the primary circuit is down, ASA1 will always use the host route to reach the ping target.

Here is the configuration:

1.1 ASA1
In this example, I actually use 12.12.12.22 as my ping target (that is because I use 12.12.12.4 in the next scenario)
sla monitor 100
type echo protocol ipIcmpEcho 12.12.12.22 interface outside1
num-packets 3
frequency 10
sla monitor schedule 100 life forever start-time now
!
track 100 rtr 100 reachability
! This is the default route using primary ISP router SW1
route outside1 0.0.0.0 0.0.0.0 1.1.1.11 1 track 100
! This is the 2nd default route using secondary ISP router SW2
route outside2 0.0.0.0 0.0.0.0 2.2.2.22 50
In this example, I actually use 12.12.12.22 as my ping target, so configure the following host route to force ASA1 use outside1 to reach the ping target 12.12.12.22
route outside1 12.12.12.22 255.255.255.255 1.1.1.11 1
NAT configuration:
object network office_subnets1
nat (inside,outside1) dynamic interface
object network office_subnets2
nat (inside,outside2) dynamic interface
1.2 SW1
ip route 0.0.0.0 0.0.0.0 12.12.12.4
1.3 SW2
In this lab environment, I have to also force secondary ISP router SW2 to use SW1 to reach 1.1.1.0/24 network.
ip route 0.0.0.0 0.0.0.0 12.12.12.4
ip route 1.1.1.0 255.255.255.0 12.12.12.11
1.4 Validation

1.4.1 Both primary and secondary Internet circuits are UP:
ASA1's partial routing table:
lab-ASA1/pri/act# sh route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, + - replicated route
Gateway of last resort is 1.1.1.11 to network 0.0.0.0
S* 0.0.0.0 0.0.0.0 [1/0] via 1.1.1.11, outside1
C 1.1.1.0 255.255.255.0 is directly connected, outside1
L 1.1.1.1 255.255.255.255 is directly connected, outside1
C 2.2.2.0 255.255.255.0 is directly connected, outside2
L 2.2.2.1 255.255.255.255 is directly connected, outside2
S 12.12.12.4 255.255.255.255 [1/0] via 2.2.2.22, outside2
S 12.12.12.22 255.255.255.255 [1/0] via 1.1.1.11, outside1
ASA1 tracking object 12.12.12.22 status:

lab-ASA1/pri/act# sh track 100
Track 100
Response Time Reporter 100 reachability
Reachability is Up
22 changes, last change 00:00:03
Latest operation return code: OK
Latest RTT (millisecs) 4
Tracked by:
STATIC-IP-ROUTING 0
ASA3 can ping 12.12.12.4:
lab-ASA3# PING 12.12.12.4 rep 1000
Type escape sequence to abort.
Sending 1000, 100-byte ICMP Echos to 12.12.12.4, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
1.4.2 When primary Internet circuit is down:
lab-sw(config)#int f1/0/33
lab-sw(config-if)#shut
ASA1 partial routing table:
lab-ASA1/pri/act# sh route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, + - replicated route
Gateway of last resort is 2.2.2.22 to network 0.0.0.0
S* 0.0.0.0 0.0.0.0 [50/0] via 2.2.2.22, outside2
C 1.1.1.0 255.255.255.0 is directly connected, outside1
L 1.1.1.1 255.255.255.255 is directly connected, outside1
C 2.2.2.0 255.255.255.0 is directly connected, outside2
L 2.2.2.1 255.255.255.255 is directly connected, outside2
S 12.12.12.4 255.255.255.255 [1/0] via 2.2.2.22, outside2
S 12.12.12.22 255.255.255.255 [1/0] via 1.1.1.11, outside1
ASA1 tracking object 12.12.12.22 status:
lab-ASA1/pri/act# sh track 100
Track 100
Response Time Reporter 100 reachability
Reachability is Down
21 changes, last change 00:00:27
Latest operation return code: Timeout
Tracked by:
STATIC-IP-ROUTING 0
ASA3 can ping 12.12.12.4:
lab-ASA3# PING 12.12.12.4 rep 1000
Type escape sequence to abort.
Sending 1000, 100-byte ICMP Echos to 12.12.12.4, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

1.4.3 When primary Internet circuit is restored:
lab-sw(config)#int f1/0/33
lab-sw(config-if)#no shut
ASA1 tracking object 12.12.12.22 status:
lab-ASA1/pri/act# sh track 100
Track 100
Response Time Reporter 100 reachability
Reachability is Up
22 changes, last change 00:00:03
Latest operation return code: OK
Latest RTT (millisecs) 4
Tracked by:
STATIC-IP-ROUTING 0
ASA1's partial routing table:
lab-ASA1/pri/act# sh route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, + - replicated route
Gateway of last resort is 1.1.1.11 to network 0.0.0.0
S* 0.0.0.0 0.0.0.0 [1/0] via 1.1.1.11, outside1
C 1.1.1.0 255.255.255.0 is directly connected, outside1
L 1.1.1.1 255.255.255.255 is directly connected, outside1
C 2.2.2.0 255.255.255.0 is directly connected, outside2
L 2.2.2.1 255.255.255.255 is directly connected, outside2
S 12.12.12.4 255.255.255.255 [1/0] via 2.2.2.22, outside2
S 12.12.12.22 255.255.255.255 [1/0] via 1.1.1.11, outside1
ASA3 can ping 12.12.12.4:
lab-ASA3# PING 12.12.12.4 rep 1000
Type escape sequence to abort.
Sending 1000, 100-byte ICMP Echos to 12.12.12.4, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
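
The validation in 1.4.1 to 1.4.3 can be automated. The following is an added example, not part of the original post: it parses `show track` and `show route` output (the sample text is copied from the lab output above and trimmed) and checks that the default route sits on the interface the track state calls for, and that the host route pinning the ping target to the primary interface is present. The function names are hypothetical.

```python
import re
from ipaddress import ip_address, ip_network

# Lab output copied from section 1.4.2 of the post (primary circuit down),
# trimmed to the lines the check needs.
TRACK_DOWN = """Track 100
Response Time Reporter 100 reachability
Reachability is Down
21 changes, last change 00:00:27
Latest operation return code: Timeout
"""
ROUTES_DOWN = """S* 0.0.0.0 0.0.0.0 [50/0] via 2.2.2.22, outside2
C 1.1.1.0 255.255.255.0 is directly connected, outside1
S 12.12.12.4 255.255.255.255 [1/0] via 2.2.2.22, outside2
S 12.12.12.22 255.255.255.255 [1/0] via 1.1.1.11, outside1
"""
# Lab output copied from section 1.4.3 (primary circuit restored).
TRACK_UP = """Track 100
Response Time Reporter 100 reachability
Reachability is Up
22 changes, last change 00:00:03
Latest operation return code: OK
"""
ROUTES_UP = """S* 0.0.0.0 0.0.0.0 [1/0] via 1.1.1.11, outside1
C 1.1.1.0 255.255.255.0 is directly connected, outside1
S 12.12.12.4 255.255.255.255 [1/0] via 2.2.2.22, outside2
S 12.12.12.22 255.255.255.255 [1/0] via 1.1.1.11, outside1
"""

STATIC_RE = re.compile(
    r"^S\*?\s+(\S+)\s+(\S+)\s+\[(\d+)/\d+\]\s+via\s+(\S+),\s+(\S+)$")


def parse_static_routes(text):
    """Return the static routes of a 'show route' listing as dicts."""
    routes = []
    for line in text.splitlines():
        m = STATIC_RE.match(line.strip())
        if not m:
            continue  # legend, connected and local routes are ignored
        net, mask, distance, next_hop, ifname = m.groups()
        prefix_len = bin(int(ip_address(mask))).count("1")
        routes.append({
            "net": ip_network(f"{net}/{prefix_len}"),
            "distance": int(distance),
            "via": next_hop,
            "if": ifname,
        })
    return routes


def parse_track_state(text):
    """Return 'Up' or 'Down' from a 'show track' listing."""
    m = re.search(r"^Reachability is (Up|Down)\s*$", text, re.MULTILINE)
    if not m:
        raise ValueError("no reachability line in 'show track' output")
    return m.group(1)


def check_failover(track_text, route_text, probe, primary_if, backup_if):
    """Return (interface carrying the default route, list of problems)."""
    routes = parse_static_routes(route_text)
    state = parse_track_state(track_text)
    problems = []

    # The post's trick: a /32 route that pins the ping target to the primary
    # interface, so the probe can succeed again after the circuit is restored.
    probe_net = ip_network(f"{probe}/32")
    if not any(r["net"] == probe_net and r["if"] == primary_if for r in routes):
        problems.append(f"no host route to probe {probe} via {primary_if}")

    # Exactly one default route should be installed, on the interface that
    # matches the track state (Up: primary, Down: floating backup route).
    defaults = [r for r in routes if r["net"].prefixlen == 0]
    active_if = defaults[0]["if"] if len(defaults) == 1 else None
    expected_if = primary_if if state == "Up" else backup_if
    if active_if != expected_if:
        problems.append(
            f"track is {state} but default route is on {active_if}, "
            f"expected {expected_if}")
    return active_if, problems


if __name__ == "__main__":
    for label, trk, rts in (("primary down", TRACK_DOWN, ROUTES_DOWN),
                            ("primary restored", TRACK_UP, ROUTES_UP)):
        print(label, check_failover(trk, rts, "12.12.12.22",
                                    "outside1", "outside2"))
```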

Side note #1:
All the ASA in this lab are running version 9.2(2)4.
The tracking object feature is very limited.
Each track can only include one sla.
It would be ideal if each track could include multiple SLAs. I would like to have multiple ping targets for my Internet circuit. Relying on one ping target can be very risky.

Side note #2:
If you configure:
route outside1 0.0.0.0 0.0.0.0 1.1.1.1 1 track 1
route outside1 0.0.0.0 0.0.0.0 1.1.1.1 2 track 2
This is an "OR" operation.
When track 1 is down, the 2nd route will be installed;
When track 2 is down, the 1st route will be installed;
When both track 1 and 2 are down, the default route will be withdrawn.

2. VPN as MPLS backup portion

2.1 ASA1
ASA1 tracking object 210:
sla monitor 210
type echo protocol ipIcmpEcho 192.168.44.44 interface inside
num-packets 3
frequency 10
sla monitor schedule 210 life forever start-time now
!
track 210 rtr 210 reachability
Static routes:
route inside 192.168.44.0 255.255.255.0 192.168.123.3 1 track 210
! host route for ping target
route inside 192.168.34.4 255.255.255.255 192.168.123.3 1
VPN configuration:
crypto ipsec ikev2 ipsec-proposal ESP-AES-SHA512
protocol esp encryption aes
protocol esp integrity sha-512
!
crypto map L2LVPN 10 match address acl_office_to_prod_vpn
crypto map L2LVPN 10 set peer 12.12.12.4
crypto map L2LVPN 10 set ikev2 ipsec-proposal ESP-AES-SHA512
crypto map L2LVPN interface outside2
!
crypto isakmp identity address
!
crypto ikev2 policy 10
encryption aes
integrity sha512
group 2
prf sha
lifetime seconds 28800
crypto ikev2 enable outside2
!
tunnel-group 12.12.12.4 type ipsec-l2l
tunnel-group 12.12.12.4 ipsec-attributes
ikev2 remote-authentication pre-shared-key password
ikev2 local-authentication pre-shared-key password
!
object-group network Office
network-object 192.168.123.0 255.255.255.0
!
object-group network production_subnts
network-object 192.168.44.0 255.255.255.0
!
access-list acl_office_to_prod_vpn extended permit ip object-group Office object-group production_subnts
!
nat (inside,outside2) source static Office Office destination static production_subnts production_subnts
2.2 ASA4
ASA4 tracking object 210:
sla monitor 210
type echo protocol ipIcmpEcho 192.168.123.1 interface c3
num-packets 3
frequency 10
sla monitor schedule 210 life forever start-time now
!
track 210 rtr 210 reachability
Static routes:
route c3 192.168.0.0 255.255.0.0 192.168.34.3 1 track 210
route c3 192.168.0.0 255.255.0.0 12.12.12.22 50

route internet 0.0.0.0 0.0.0.0 12.12.12.11 1
! host route for the VPN end system, make it use ASA1's outside2 interface, not ASA1's outside1
route internet 2.2.2.1 255.255.255.255 12.12.12.22 1
! host route for ping target
route c3 192.168.123.1 255.255.255.255 192.168.34.3 1
VPN configuration:
crypto ipsec ikev2 ipsec-proposal ESP-AES-SHA512
protocol esp encryption aes
protocol esp integrity sha-512
!
crypto map L2LVPN 10 match address acl_prod_to_office_vpn
crypto map L2LVPN 10 set peer 2.2.2.1
crypto map L2LVPN 10 set ikev2 ipsec-proposal ESP-AES-SHA512
crypto map L2LVPN interface internet
!
crypto isakmp identity address
!
crypto ikev2 policy 10
encryption aes
integrity sha512
group 2
prf sha
lifetime seconds 28800
crypto ikev2 enable internet
!
tunnel-group 2.2.2.1 type ipsec-l2l
tunnel-group 2.2.2.1 ipsec-attributes

ikev2 remote-authentication pre-shared-key password
ikev2 local-authentication pre-shared-key password
!
object-group network Office
network-object 192.168.123.0 255.255.255.0
!
object-group network production_subnts
network-object 192.168.44.0 255.255.255.0
!
access-list acl_prod_to_office_vpn extended permit ip object-group Office object-group production_subnts
!

2.3 Validation

2.3.1 When MPLS is UP:
ASA1 partial routing table:

lab-ASA1/pri/act# sh route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, + - replicated route
Gateway of last resort is 1.1.1.11 to network 0.0.0.0
S* 0.0.0.0 0.0.0.0 [1/0] via 1.1.1.11, outside1
S 192.168.34.4 255.255.255.255 [1/0] via 192.168.123.3, inside
S 192.168.44.0 255.255.255.0 [1/0] via 192.168.123.3, inside
S 192.168.44.44 255.255.255.255 [1/0] via 192.168.123.3, inside
C 192.168.123.0 255.255.255.0 is directly connected, inside
L 192.168.123.1 255.255.255.255 is directly connected, inside
ASA1 tracking object 210 status:

lab-ASA1/pri/act# sh track 210
Track 210
Response Time Reporter 210 reachability
Reachability is Up
16 changes, last change 00:02:42
Latest operation return code: OK
Latest RTT (millisecs) 1
Tracked by:
STATIC-IP-ROUTING 0
ASA1 IPSec ISAKMP status:
lab-ASA1/pri/act# sh crypto isakmp sa
There are no IKEv1 SAs
There are no IKEv2 SAs

ASA1 IPSec IKEV2 status:
lab-ASA1/pri/act# sh crypto ikev2 sa
There are no IKEv2 SAs
ASA4 routing table
lab-ASA4# sh route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, + - replicated route
Gateway of last resort is 12.12.12.11 to network 0.0.0.0
S* 0.0.0.0 0.0.0.0 [1/0] via 12.12.12.11, internet
S 2.2.2.1 255.255.255.255 [1/0] via 12.12.12.22, internet
C 12.12.12.0 255.255.255.0 is directly connected, internet
L 12.12.12.4 255.255.255.255 is directly connected, internet
S 192.168.0.0 255.255.0.0 [1/0] via 192.168.34.3, c3
C 192.168.34.0 255.255.255.0 is directly connected, c3
L 192.168.34.4 255.255.255.255 is directly connected, c3
C 192.168.44.0 255.255.255.0 is directly connected, production
L 192.168.44.4 255.255.255.255 is directly connected, production
S 192.168.123.1 255.255.255.255 [1/0] via 192.168.34.3, c3
ASA4 tracking object 210 status:

lab-ASA4# sh track 210
Track 210
Response Time Reporter 210 reachability
Reachability is Up
14 changes, last change 00:03:42
Latest operation return code: OK
Latest RTT (millisecs) 1
Tracked by:
STATIC-IP-ROUTING 0
ASA4 IPSec ISAKMP status:
lab-ASA4# sh crypto isakmp sa
There are no IKEv1 SAs
There are no IKEv2 SAs
ASA4 IPSec IKEV2 status:
lab-ASA4# sh crypto ikev2 sa
There are no IKEv2 SAs
ASA3 can ping 192.168.44.44
lab-ASA3# ping 192.168.44.44
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.44.44, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

2.3.2 When MPLS is DOWN:
lab-sw(config)#INT F1/0/44
lab-sw(config-if)#SHUT
ASA1 partial routing table:
lab-ASA1/pri/act# sh route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, + - replicated route
Gateway of last resort is 1.1.1.11 to network 0.0.0.0
S* 0.0.0.0 0.0.0.0 [1/0] via 1.1.1.11, outside1
C 1.1.1.0 255.255.255.0 is directly connected, outside1
L 1.1.1.1 255.255.255.255 is directly connected, outside1
C 2.2.2.0 255.255.255.0 is directly connected, outside2
L 2.2.2.1 255.255.255.255 is directly connected, outside2
S 12.12.12.4 255.255.255.255 [1/0] via 2.2.2.22, outside2
S 12.12.12.22 255.255.255.255 [1/0] via 1.1.1.11, outside1
C 172.16.0.0 255.255.255.252 is directly connected, failover
L 172.16.0.1 255.255.255.255 is directly connected, failover
S 192.168.34.4 255.255.255.255 [1/0] via 192.168.123.3, inside
S 192.168.44.0 255.255.255.0 [50/0] via 2.2.2.22, outside2
S 192.168.44.44 255.255.255.255 [1/0] via 192.168.123.3, inside
C 192.168.123.0 255.255.255.0 is directly connected, inside
L 192.168.123.1 255.255.255.255 is directly connected, inside
ASA1 tracking object 210
lab-ASA1/pri/act# sh track 210
Track 210
Response Time Reporter 210 reachability
Reachability is Down
17 changes, last change 00:00:00
Latest operation return code: Timeout
Tracked by:
STATIC-IP-ROUTING 0
ASA4 routing table:
lab-ASA4# sh route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, + - replicated route
Gateway of last resort is 12.12.12.11 to network 0.0.0.0
S* 0.0.0.0 0.0.0.0 [1/0] via 12.12.12.11, internet
S 2.2.2.1 255.255.255.255 [1/0] via 12.12.12.22, internet
C 12.12.12.0 255.255.255.0 is directly connected, internet
L 12.12.12.4 255.255.255.255 is directly connected, internet
S 192.168.0.0 255.255.0.0 [50/0] via 12.12.12.22, c3
C 192.168.34.0 255.255.255.0 is directly connected, c3
L 192.168.34.4 255.255.255.255 is directly connected, c3
C 192.168.44.0 255.255.255.0 is directly connected, production
L 192.168.44.4 255.255.255.255 is directly connected, production
S 192.168.123.1 255.255.255.255 [1/0] via 192.168.34.3, c3
ASA4 tracking object 210:
lab-ASA4# sh track 210
Track 210
Response Time Reporter 210 reachability
Reachability is Down
15 changes, last change 00:00:38
Latest operation return code: Timeout
Tracked by:
STATIC-IP-ROUTING 0
ASA3 can ping 192.168.44.44:
lab-ASA3# ping 192.168.44.44
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.44.44, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
ASA1 IPsec ISAKMP status:
lab-ASA1/pri/act# sh crypto isakmp sa
There are no IKEv1 SAs
IKEv2 SAs:
Session-id:6, Status:UP-ACTIVE, IKE count:1, CHILD count:1
Tunnel-id Local Remote Status Role
219900601 2.2.2.1/500 12.12.12.4/500 READY INITIATOR
Encr: AES-CBC, keysize: 128, Hash: SHA512, DH Grp:2, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 28800/147 sec
Child sa: local selector 192.168.123.0/0 - 192.168.123.255/65535
remote selector 192.168.44.0/0 - 192.168.44.255/65535
ESP spi in/out: 0x656293c/0x2a61c4bb 
ASA1 IPsec IKEV2 status:
lab-ASA1/pri/act# sh crypto ikev2 sa
IKEv2 SAs:
Session-id:6, Status:UP-ACTIVE, IKE count:1, CHILD count:1
Tunnel-id Local Remote Status Role
219900601 2.2.2.1/500 12.12.12.4/500 READY INITIATOR
Encr: AES-CBC, keysize: 128, Hash: SHA512, DH Grp:2, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 28800/140 sec
Child sa: local selector 192.168.123.0/0 - 192.168.123.255/65535
remote selector 192.168.44.0/0 - 192.168.44.255/65535
ESP spi in/out: 0x656293c/0x2a61c4bb 
2.3.3 When MPLS is restored:
lab-sw(config)#INT F1/0/44
lab-sw(config-if)#no SHUT
ASA1 partial routing table:
lab-ASA1/pri/act# sh route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, + - replicated route
Gateway of last resort is 1.1.1.11 to network 0.0.0.0
S* 0.0.0.0 0.0.0.0 [1/0] via 1.1.1.11, outside1
S 192.168.34.4 255.255.255.255 [1/0] via 192.168.123.3, inside
S 192.168.44.0 255.255.255.0 [1/0] via 192.168.123.3, inside
S 192.168.44.44 255.255.255.255 [1/0] via 192.168.123.3, inside
C 192.168.123.0 255.255.255.0 is directly connected, inside
L 192.168.123.1 255.255.255.255 is directly connected, inside
ASA1 tracking object 210 status:
lab-ASA1/pri/act# sh track 210
Track 210
Response Time Reporter 210 reachability
Reachability is Up
16 changes, last change 00:02:42
Latest operation return code: OK
Latest RTT (millisecs) 1
Tracked by:
STATIC-IP-ROUTING 0
ASA4 routing table
lab-ASA4# sh route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, + - replicated route
Gateway of last resort is 12.12.12.11 to network 0.0.0.0
S* 0.0.0.0 0.0.0.0 [1/0] via 12.12.12.11, internet
S 2.2.2.1 255.255.255.255 [1/0] via 12.12.12.22, internet
C 12.12.12.0 255.255.255.0 is directly connected, internet
L 12.12.12.4 255.255.255.255 is directly connected, internet
S 192.168.0.0 255.255.0.0 [1/0] via 192.168.34.3, c3
C 192.168.34.0 255.255.255.0 is directly connected, c3
L 192.168.34.4 255.255.255.255 is directly connected, c3
C 192.168.44.0 255.255.255.0 is directly connected, production
L 192.168.44.4 255.255.255.255 is directly connected, production
S 192.168.123.1 255.255.255.255 [1/0] via 192.168.34.3, c3
ASA4 tracking object 210 status:
lab-ASA4# sh track 210
Track 210
Response Time Reporter 210 reachability
Reachability is Up
14 changes, last change 00:03:42
Latest operation return code: OK
Latest RTT (millisecs) 1
Tracked by:
STATIC-IP-ROUTING 0
ASA1 clear IPsec:
lab-ASA1/pri/act# clear crypto ipsec sa peer 12.12.12.4
ASA4 clear IPsec:
lab-ASA4# clear crypto ipsec sa peer 2.2.2.1
ASA3 can ping 192.168.44.44
lab-ASA3# ping 192.168.44.44
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.44.44, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

ASA1 IPSec ISAKMP status:
lab-ASA1/pri/act# sh crypto isakmp sa
There are no IKEv1 SAs
There are no IKEv2 SAs
ASA1 IPSec IKEV2 status:
lab-ASA1/pri/act# sh crypto ikev2 sa
There are no IKEv2 SAs
ASA4 IPSec ISAKMP status:
lab-ASA4# sh crypto isakmp sa
There are no IKEv1 SAs
There are no IKEv2 SAs
ASA4 IPSec IKEV2 status:
lab-ASA4# sh crypto ikev2 sa
There are no IKEv2 SAs
Side note #1:
During troubleshooting, I found that when ASA3's c3 interface went down, the VPN tunnel was not triggered. And the interesting-traffic ACL did match the interesting traffic.
All the VPN configurations were correct.
Why was the VPN tunnel not triggered?

I turned on all IPSec debugging, but since the VPN was not triggered, no debugging info was shown.

After doing more research, it turned out to be because the ASA1 end system is behind NAT. I have to use NAT exemption for the VPN traffic.
Once I configured
nat (inside,outside2) source static Office Office destination static production_subnts production_subnts
on ASA1, the VPN went UP immediately.

In the very beginning, I thought NAT-Traversal was the default for IKEv2, so I wouldn't need NAT exemption for VPN traffic. But the fact is that NAT-Traversal is within the VPN; the VPN cannot be triggered on the ASA without NAT exemption. I learned my lesson!!
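
Why the identity NAT line matters can be shown with a small model of the ASA's order of operations, in which NAT is applied before the crypto map ACL is checked and manual (twice) NAT rules are evaluated before object NAT rules. This is an added example, not part of the original post; it assumes the `office_subnets2` object (whose definition is not shown above) covers 192.168.123.0/24, and the function names are hypothetical.

```python
from ipaddress import ip_address, ip_network

OFFICE = ip_network("192.168.123.0/24")   # object-group Office (from the post)
PROD = ip_network("192.168.44.0/24")      # object-group production_subnts
OUTSIDE2_IP = ip_address("2.2.2.1")       # ASA1 outside2 address (from the post)

# nat (inside,outside2) source static Office Office
#     destination static production_subnts production_subnts
# Identity (exemption) rule: matching traffic keeps its source address.
IDENTITY_NAT = {"src": OFFICE, "dst": PROD, "translate_to": None}

# object network office_subnets2 / nat (inside,outside2) dynamic interface
# Assumption: the object covers the Office subnet (definition not on the page).
DYNAMIC_PAT = {"src": OFFICE, "dst": ip_network("0.0.0.0/0"),
               "translate_to": OUTSIDE2_IP}


def translate(src, dst, nat_rules):
    """Apply the first matching NAT rule and return the post-NAT source."""
    for rule in nat_rules:
        if src in rule["src"] and dst in rule["dst"]:
            return rule["translate_to"] or src
    return src


def crypto_acl_matches(src, dst):
    """access-list acl_office_to_prod_vpn: permit ip Office -> production."""
    return src in OFFICE and dst in PROD


def tunnel_triggered(src, dst, nat_rules):
    """Return (is the packet interesting traffic?, post-NAT source address)."""
    post_nat_src = translate(src, dst, nat_rules)
    # The crypto ACL sees the packet after NAT, so it is checked against
    # the translated source address, not the original one.
    return crypto_acl_matches(post_nat_src, dst), post_nat_src


if __name__ == "__main__":
    host = ip_address("192.168.123.3")     # inside host from the lab
    target = ip_address("192.168.44.44")   # production host from the lab
    # Without exemption the source becomes 2.2.2.1 and misses the crypto ACL.
    print("PAT only:        ", tunnel_triggered(host, target, [DYNAMIC_PAT]))
    # With the identity rule first, the source is preserved and the ACL matches.
    print("exemption + PAT: ",
          tunnel_triggered(host, target, [IDENTITY_NAT, DYNAMIC_PAT]))
```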

Now everything works as it should be. ^_^

Last note: I hate static routing!!