https://community.cisco.com/t5/network-security/asa-sla-monitor/m-p/2370401#M308212 <HTML><HEAD></HEAD><BODY><P>First off, you are missing a line of configuration in your SLA config:</P><P></P><P><STRONG>track 1 rtr 1 reachability</STRONG></P><P></P><PRE __jive_macro_name="quote" class="jive_text_macro jive_macro_quote">how come that you need to configure default route for sla monitor 1 to work?</PRE><P>You do not need a default route for sla monitor to work.&nbsp; You need a route to the destination you are trying to ping.&nbsp; The track will install a route in the routing table when the condition is met.&nbsp; this condition could be that as long as a host on your inside network is reachable keep this default route in the routing table (though this would not make sense of course, just an example).</P><P></P><PRE __jive_macro_name="quote" class="jive_text_macro jive_macro_quote">if you issue ping x.x.x.x command on ASA and you don't have route to&nbsp; x.x.x.x you will get "No route to host x.x.x.x", but if you issue ping&nbsp; outside1 x.x.x.x you will get "?????". Does that mean that in second&nbsp; command ASA doesn't consult routing table?</PRE><P>When you get ????? this means that you have a route in the routing table to the destination, but the destination is not reachable...for whatever reason.</P><P></P><P>--</P><P>Please rate all helpful posts</P></BODY></HTML> Wed, 27 Nov 2013 09:09:57 GMT Marius Gunnerud 2013-11-27T09:09:57Z https://community.cisco.com/t5/network-security/asa-sla-monitor/m-p/2370400#M308211 <P>Hi,</P><P>I am just curious how does SLA monitor on ASA work. As I understood and tested on GNS3, when configure SLA Monitor you have to specify outgoing interface and by that you are forcing packets (e.g. ICMP) out through specified interface (something that you have to do using local policy on routers).</P><P>Lets say we have configuration like this in scenario where we have two ISPs connected directly to ASA:</P><P></P><P>ASA:</P><P></P><P>sla monitor 1</P><P> type echo protocol ipIcmpEcho 8.8.8.8 interface outside1</P><P> frequency 5</P><P>sla monitor schedule 1 life forever start-time now</P><P></P><P>Now you need to track default route and you configure default route which is installed in routing table if sla monitor is UP:</P><P></P><P>route outside1 0.0.0.0 0.0.0.0 10.10.10.10 track 1</P><P>route outside2 0.0.0.0 0.0.0.0 20.20.20.20 254</P><P></P><P>My question is: how come that you need to configure default route for sla monitor 1 to work? You need the route which is tracked by SLA probe which requires that route to function? Isn't that chicken-egg thing? After putting default route on outside1 sla probe starts working, but the route is NOT installed for 60 sec (because it is default frequency) and all behavior after that is fine. Could be the case that SLA monitor process uses that route for itself in background even it is not still installed in routing table?</P><P>Analog example: if you issue ping x.x.x.x command on ASA and you don't have route to x.x.x.x you will get "No route to host x.x.x.x", but if you issue ping outside1 x.x.x.x you will get "?????". Does that mean that in second command ASA doesn't consult routing table?</P><P></P><P>On a router same scenario works using local policy which forces packets to go out on desired interface without default route. Default route is installed if SLA probe goes well.</P><P></P><P>I hope you'll understand my question(s) <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P><P>Thanks.</P> Tue, 12 Mar 2019 03:10:04 GMT https://community.cisco.com/t5/network-security/asa-sla-monitor/m-p/2370400#M308211 ivanbarkic 2019-03-12T03:10:04Z https://community.cisco.com/t5/network-security/asa-sla-monitor/m-p/2370401#M308212 <HTML><HEAD></HEAD><BODY><P>First off, you are missing a line of configuration in your SLA config:</P><P></P><P><STRONG>track 1 rtr 1 reachability</STRONG></P><P></P><PRE __jive_macro_name="quote" class="jive_text_macro jive_macro_quote">how come that you need to configure default route for sla monitor 1 to work?</PRE><P>You do not need a default route for sla monitor to work.&nbsp; You need a route to the destination you are trying to ping.&nbsp; The track will install a route in the routing table when the condition is met.&nbsp; this condition could be that as long as a host on your inside network is reachable keep this default route in the routing table (though this would not make sense of course, just an example).</P><P></P><PRE __jive_macro_name="quote" class="jive_text_macro jive_macro_quote">if you issue ping x.x.x.x command on ASA and you don't have route to&nbsp; x.x.x.x you will get "No route to host x.x.x.x", but if you issue ping&nbsp; outside1 x.x.x.x you will get "?????". Does that mean that in second&nbsp; command ASA doesn't consult routing table?</PRE><P>When you get ????? this means that you have a route in the routing table to the destination, but the destination is not reachable...for whatever reason.</P><P></P><P>--</P><P>Please rate all helpful posts</P></BODY></HTML> Wed, 27 Nov 2013 09:09:57 GMT https://community.cisco.com/t5/network-security/asa-sla-monitor/m-p/2370401#M308212 Marius Gunnerud 2013-11-27T09:09:57Z https://community.cisco.com/t5/network-security/asa-sla-monitor/m-p/2370402#M308214 <HTML><HEAD></HEAD><BODY><P>If i have specific route to some public IP then after switching to second ISP traffic towards that IP will still go on broken internet link, right?</P><P>Regarding ping outside1 x.x.x.x I do not have a route in the routing table.</P></BODY></HTML> Wed, 27 Nov 2013 10:11:07 GMT https://community.cisco.com/t5/network-security/asa-sla-monitor/m-p/2370402#M308214 ivanbarkic 2013-11-27T10:11:07Z https://community.cisco.com/t5/network-security/asa-sla-monitor/m-p/2370403#M308216 <HTML><HEAD></HEAD><BODY><P>Yes,&nbsp; which is why it is best to use a default route.&nbsp; Because then that route will be completely removed from the routing table and not interfere with routing of normal traffic.&nbsp; But having said that, it is not a requirement, but a recommendation to get SLA working in a predictable manner.</P><P></P><PRE __jive_macro_name="quote" class="jive_text_macro jive_macro_quote">Regarding ping outside1 x.x.x.x I do not have a route in the routing table.</PRE><P>In that case you have told the ASA through which interface it can reach the x.x.x.x IP, which is why you are receiving the ????? response. </P><P></P><P>--</P><P>Please rate all helpful posts.</P></BODY></HTML> Wed, 27 Nov 2013 10:16:23 GMT https://community.cisco.com/t5/network-security/asa-sla-monitor/m-p/2370403#M308216 Marius Gunnerud 2013-11-27T10:16:23Z https://community.cisco.com/t5/network-security/asa-sla-monitor/m-p/3358713#M308220 <P>Hi Experts</P> <P>&nbsp;</P> <P>SLA monitor is giving error on the ASA 9.9 running on Firepower 9300. Any advice, please?</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>LD6-ASA/oam-tenant-1(config)# sla mo?<BR />ERROR: % Unrecognized command<BR />LD6-ASA/oam-tenant-1(config)# sla mo</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>Regards,</P> <P>Sumanta.</P> Sun, 01 Apr 2018 18:50:52 GMT https://community.cisco.com/t5/network-security/asa-sla-monitor/m-p/3358713#M308220 Sumanta Ghosh 2018-04-01T18:50:52Z