11-27-2013 12:41 AM - edited 03-11-2019 08:10 PM
Hi,
I am just curious how SLA monitor on the ASA works. As I understood and tested on GNS3, when you configure SLA Monitor you have to specify an outgoing interface, and by that you are forcing packets (e.g. ICMP) out through the specified interface (something that you have to do using local policy on routers).
Let's say we have a configuration like this, in a scenario where we have two ISPs connected directly to the ASA:
ASA:
sla monitor 1
type echo protocol ipIcmpEcho 8.8.8.8 interface outside1
frequency 5
sla monitor schedule 1 life forever start-time now
Now you need to track the default route, so you configure a default route which is installed in the routing table if the SLA monitor is UP:
route outside1 0.0.0.0 0.0.0.0 10.10.10.10 track 1
route outside2 0.0.0.0 0.0.0.0 20.20.20.20 254
My question is: how come you need to configure a default route for sla monitor 1 to work? You need the route which is tracked by the SLA probe, which requires that route to function? Isn't that a chicken-and-egg thing? After putting the default route on outside1 the SLA probe starts working, but the route is NOT installed for 60 sec (because it is the default frequency) and all behavior after that is fine. Could it be the case that the SLA monitor process uses that route for itself in the background even though it is still not installed in the routing table?
Analogous example: if you issue the ping x.x.x.x command on the ASA and you don't have a route to x.x.x.x you will get "No route to host x.x.x.x", but if you issue ping outside1 x.x.x.x you will get "?????". Does that mean that in the second command the ASA doesn't consult the routing table?
On a router the same scenario works using local policy, which forces packets to go out on the desired interface without a default route. The default route is installed if the SLA probe goes well.
I hope you'll understand my question(s) :-)
Thanks.
11-27-2013 01:09 AM
First off, you are missing a line of configuration in your SLA config:
track 1 rtr 1 reachability
> how come that you need to configure default route for sla monitor 1 to work?
You do not need a default route for sla monitor to work. You need a route to the destination you are trying to ping. The track will install a route in the routing table when the condition is met. This condition could be that as long as a host on your inside network is reachable keep this default route in the routing table (though this would not make sense of course, just an example).
> if you issue ping x.x.x.x command on ASA and you don't have route to x.x.x.x you will get "No route to host x.x.x.x", but if you issue ping outside1 x.x.x.x you will get "?????". Does that mean that in second command ASA doesn't consult routing table?
When you get ????? this means that you have a route in the routing table to the destination, but the destination is not reachable...for whatever reason.
--
Please rate all helpful posts
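The missing `track 1 rtr 1 reachability` line pointed out in the reply above can be caught offline by checking that every tracked route resolves to a track object and a scheduled SLA monitor. The following is an added example, not part of the thread or Cisco tooling; the function name `check_tracked_routes` is hypothetical, and the parser assumes only the command forms that appear in this thread.

```python
import re

# Constructed sample: the configuration from the question, which lacks the track object.
QUESTION_CONFIG = """\
sla monitor 1
 type echo protocol ipIcmpEcho 8.8.8.8 interface outside1
 frequency 5
sla monitor schedule 1 life forever start-time now
route outside1 0.0.0.0 0.0.0.0 10.10.10.10 track 1
route outside2 0.0.0.0 0.0.0.0 20.20.20.20 254
"""

# Same configuration with the line supplied in the reply.
FIXED_CONFIG = QUESTION_CONFIG + "track 1 rtr 1 reachability\n"


def check_tracked_routes(config):
    """Return findings for broken route -> track -> SLA monitor chains."""
    monitors, scheduled, tracks, routes = set(), set(), {}, []
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"sla monitor (\d+)", line):
            monitors.add(m.group(1))
        elif m := re.match(r"sla monitor schedule (\d+)\b", line):
            scheduled.add(m.group(1))
        elif m := re.fullmatch(r"track (\d+) rtr (\d+) reachability", line):
            tracks[m.group(1)] = m.group(2)  # track id -> SLA monitor id
        elif m := re.match(r"route (\S+) (\S+) (\S+) (\S+).*\btrack (\d+)$", line):
            routes.append((m.group(1), m.group(5)))  # (interface, track id)
    findings = []
    for ifname, track_id in routes:
        sla_id = tracks.get(track_id)
        if sla_id is None:
            findings.append(f"route on {ifname}: track {track_id} is not defined")
        elif sla_id not in monitors:
            findings.append(f"track {track_id}: sla monitor {sla_id} is not defined")
        elif sla_id not in scheduled:
            findings.append(f"track {track_id}: sla monitor {sla_id} is not scheduled")
    return findings


if __name__ == "__main__":
    print("question config:", check_tracked_routes(QUESTION_CONFIG))
    print("fixed config:   ", check_tracked_routes(FIXED_CONFIG))
```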
11-27-2013 02:11 AM
If I have a specific route to some public IP, then after switching to the second ISP traffic towards that IP will still go over the broken internet link, right?
Regarding ping outside1 x.x.x.x I do not have a route in the routing table.
11-27-2013 02:16 AM
Yes, which is why it is best to use a default route. Because then that route will be completely removed from the routing table and not interfere with routing of normal traffic. But having said that, it is not a requirement, but a recommendation to get SLA working in a predictable manner.
> Regarding ping outside1 x.x.x.x I do not have a route in the routing table.
In that case you have told the ASA through which interface it can reach the x.x.x.x IP, which is why you are receiving the ????? response.
--
Please rate all helpful posts.
04-01-2018 11:50 AM
Hi Experts
SLA monitor is giving an error on the ASA 9.9 running on Firepower 9300. Any advice, please?
LD6-ASA/oam-tenant-1(config)# sla mo?
ERROR: % Unrecognized command
LD6-ASA/oam-tenant-1(config)# sla mo
Regards,
Sumanta.