ASA SLA monitor

ivanbarkic, Level 1

Hi,

I am just curious how SLA monitor on the ASA works. As I understood and tested on GNS3, when configuring SLA Monitor you have to specify the outgoing interface, and by that you are forcing packets (e.g. ICMP) out through the specified interface (something that you have to do using local policy on routers).

Let's say we have a configuration like this in a scenario where we have two ISPs connected directly to the ASA:

ASA:

sla monitor 1
 type echo protocol ipIcmpEcho 8.8.8.8 interface outside1
 frequency 5
sla monitor schedule 1 life forever start-time now

Now you need to track the default route, and you configure a default route which is installed in the routing table if sla monitor is UP:

route outside1 0.0.0.0 0.0.0.0 10.10.10.10 track 1
route outside2 0.0.0.0 0.0.0.0 20.20.20.20 254

My question is: how come you need to configure a default route for sla monitor 1 to work? You need the route which is tracked by the SLA probe, which in turn requires that route to function? Isn't that a chicken-and-egg thing? After putting the default route on outside1 the sla probe starts working, but the route is NOT installed for 60 sec (because it is the default frequency), and all behavior after that is fine. Could it be the case that the SLA monitor process uses that route for itself in the background even though it is not yet installed in the routing table?

An analogous example: if you issue the ping x.x.x.x command on the ASA and you don't have a route to x.x.x.x you will get "No route to host x.x.x.x", but if you issue ping outside1 x.x.x.x you will get "?????". Does that mean that in the second command the ASA doesn't consult the routing table?

On a router the same scenario works using local policy, which forces packets to go out on the desired interface without a default route. The default route is installed if the SLA probe goes well.

I hope you'll understand my question(s) :-)

Thanks.

4 Replies

First off, you are missing a line of configuration in your SLA config:

track 1 rtr 1 reachability

"how come that you need to configure default route for sla monitor 1 to work?"

You do not need a default route for sla monitor to work. You need a route to the destination you are trying to ping. The track will install a route in the routing table when the condition is met. This condition could be that as long as a host on your inside network is reachable, keep this default route in the routing table (though this would not make sense of course, just an example).

"if you issue ping x.x.x.x command on ASA and you don't have route to x.x.x.x you will get "No route to host x.x.x.x", but if you issue ping outside1 x.x.x.x you will get "?????". Does that mean that in second command ASA doesn't consult routing table?"

When you get ????? this means that you have a route in the routing table to the destination, but the destination is not reachable... for whatever reason.


If I have a specific route to some public IP, then after switching to the second ISP, traffic towards that IP will still go over the broken internet link, right?

Regarding ping outside1 x.x.x.x: I do not have a route in the routing table.

Yes, which is why it is best to use a default route. Because then that route will be completely removed from the routing table and not interfere with routing of normal traffic. But having said that, it is not a requirement, but a recommendation to get SLA working in a predictable manner.

"Regarding ping outside1 x.x.x.x I do not have a route in the routing table."

In that case you have told the ASA through which interface it can reach the x.x.x.x IP, which is why you are receiving the ????? response.

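Pulling the thread's snippets together, here is the complete ASA static route tracking configuration as an added example (not posted by either participant): the original sla monitor and route lines plus the track line the reply says was missing. The addresses and interface names are the thread's own placeholders; num-packets is an optional tuning knob assumed here, not part of the original post.

```cisco
! --- IP SLA probe: ICMP echo to 8.8.8.8, sent out interface outside1 ---
sla monitor 1
 type echo protocol ipIcmpEcho 8.8.8.8 interface outside1
 num-packets 3
 frequency 5
sla monitor schedule 1 life forever start-time now
!
! --- Tracking object (the line missing from the original post) ---
! "rtr 1" binds the object to sla monitor 1; it is Up while echoes succeed
track 1 rtr 1 reachability
!
! --- Primary default route, present in the table only while track 1 is Up ---
route outside1 0.0.0.0 0.0.0.0 10.10.10.10 track 1
!
! --- Floating backup default route (AD 254) via the second ISP ---
! Becomes the active default route only when the tracked route is withdrawn
route outside2 0.0.0.0 0.0.0.0 20.20.20.20 254
!
! --- Verification (exec mode) ---
! show sla monitor configuration 1       <- confirms probe target/interface/frequency
! show sla monitor operational-state 1   <- latest probe return code
! show track 1                           <- reachability Up/Down and the tracked route
! show route                             <- which default route is currently installed
```

Because the backup route is a plain floating static (no track), the ASA keeps it whenever the primary is withdrawn, so failover depends solely on the health of track 1.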

Sumanta Ghosh, Level 1

Hi Experts,

The sla monitor command is giving an error on ASA 9.9 running on a Firepower 9300. Any advice, please?


LD6-ASA/oam-tenant-1(config)# sla mo?
ERROR: % Unrecognized command
LD6-ASA/oam-tenant-1(config)# sla mo


Regards,

Sumanta.
