topic Re: Understanding asa sla monitor in Network Security

Understanding asa sla monitor

adinef001 — Mon, 11 Mar 2019 16:34:31 GMT

Hi,

who can help me to understand how work sla monitor IpIcmpEcho parameters?

I have a problem with a Dual ISP configuration: the main one is connected to a DSL router while the backup router is an ISDN one.

I configured sla monitor in the way of cisco sample: num-packets 3 and frequency 10

But I have several isdn call on cisco isdn router without reason: I have to understand if there's a problem on the main DSL line or if there's a problem about bad sla monitor working.

Frequency parameter is clear: asa poll target IP every 10 seconds.

But how work num-packets 3 parameter? It send 3 packet and want 3 good response or want at least one good response?

There's another parameter: timeout. We can configure one general timeout and a particular value for every kind of service. How does it work?

Thanks a lot in advance.

Francesco

Re: Understanding asa sla monitor

mkharban — Fri, 30 Oct 2009 18:29:03 GMT

Hi Francesco,

You are correct with num-packet parameter. It indicates that the firewall will give 3 tries to check if the primary connection is active else an ISP fallback will be performed.

Also timeout value in sla monitor is the time in which firewall will wait after sending a num-packet before sending another one.

Please find a relative document for the same:

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/s8.html#wp1401771

Please let me know if this answers your query.

Regards,

Manish

Re: Understanding asa sla monitor

adinef001 — Sun, 01 Nov 2009 16:55:30 GMT

Hi Manish,

thanks a lot for your quick clear answer.

Can you tell me which is the difference from timeout parameter (the general one) and particular service timeout parameter?

thank you

francesco

Re: Understanding asa sla monitor

Pravin Phadte — Mon, 02 Nov 2009 14:18:46 GMT

As per my testing so far this is how it works.

Defaine route with track:

route outside 0.0.0.0 0.0.0.0 1.1.1.10 1 track 1

This is the route which would be primary and would be tracked.

----

sla monitor 100

type echo protocol ipIcmpEcho (IP Address which you want to track) interface outside

This depends i used the default ip address of the ISP since i need to track if the default gateway is not reachable the route needs to be shifted to backup line.

You need to be carefull with this if you have a router connected to the interface and track the ip of that router it would see the icmp response and shift to backup line.

num-packets 5

frequency 30

I sent 5 packet to get responce from default gateway in 30 seconds. If i losse all 5 i shfit to backup line.

IMP= If there is no response from default gateway for next 30 sec the line will remain on backup.

if it responds to 1 packets out of 5 the line shifts to primary line.

You need to set these timeres depdning on you requirements. If the primary line is bad it will keep on shifting bettwen both lines.

I do not use timeout.

Timeout is in ms and can be used in varios paramters.

You are looking for only ISP redudancy and should concentrate more on test by setting these 2 parametes.

Srongly suggest that you need to test you configs.

1. Test by shuting down the interface and see how much time it takes to move to backup.

2. No shut and see how much time it takes to reset to primary line.

3. Switch off the modem and see how the line shifts to backup. (The key is what you are monitroing)

As per your configs if you lost 1 packet in 10 seconds your line will shfit.