cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

5503
Views
5
Helpful
7
Replies
Highlighted
Beginner

ASA 5505 IP Sla monitor configuration

Hi all,

I need to configure redundant paths with static routing. I have two ASA Firewalls 5505 with ASA version 8.2(5). I want to know if these Firewalls ASA versions support IP Sla monitor configuration to have redundant routes, in my case the primary route will be in outside interface and the backup in the inside interface.

Is this configuration guide applicable for my Firewalls?

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/118962-configure-asa-00.html

 

Regards,

Reynaldo Lopez

 

2 ACCEPTED SOLUTIONS

Accepted Solutions
Highlighted

i've not worked with asa versions older than 8.3

i think the config should be the same though - easiest way to check is type in the first line & see if it works

regards, mk

please rate if helpful or accept solution :)

View solution in original post

Highlighted
VIP Mentor

7 REPLIES 7
Highlighted
Participant

5505 does support ip sla - just type cmd sla monitor 1 to verify.

yes, you can track inside & outside routes too

regards, mk

please rate if helpful or solved :)

Highlighted
Participant

example config:

sla monitor 1
type echo protocol ipIcmpEcho 8.8.8.8 interface outside
num-packets 10
timeout 1000
frequency 5
sla monitor schedule 1 life forever start-time now
route outside 0.0.0.0 0.0.0.0 190.xxx.xxx.10 1 track 10
route inside 0.0.0.0 0.0.0.0 192.168.10.2 254
track 10 rtr 1 reachability

regards, mk

Highlighted
Participant

however, that document refers to version 9.x or later

regards, mk

Highlighted

Hi mk,

Thanks for the reply.

Would the commands you shared in the last reply apply to my ASAs version? Or there is another way to configure IP sla monitoring in earlier versions like mine?

Regards,

Reynaldo Lopez

Highlighted

i've not worked with asa versions older than 8.3

i think the config should be the same though - easiest way to check is type in the first line & see if it works

regards, mk

please rate if helpful or accept solution :)

View solution in original post

Highlighted
VIP Mentor

Highlighted

Guys - In those configuration examples, we are basically monitoring a destination in the Public Internet and using the outside interface to source it.

What if we want to monitor a destination which is reachable through a Site to Site VPN? I have configured it by using the inside interface to source it, but unfortunately this is not working. Below my config:

 

sla monitor 20
type echo protocol ipIcmpEcho 192.168.72.254 interface inside
frequency 5
sla monitor schedule 20 life forever start-time now

 

Unfortuntately, I'm getting timeouts as if traffic is not making it:

 

Entry number: 20
Modification time: 11:07:03.109 EST Thu Dec 19 2019
Number of Octets Used by this Entry: 2056
Number of operations attempted: 8031
Number of operations skipped: 8029
Current seconds left in Life: Forever
Operational state of entry: Active
Last time this entry was reset: Never
Connection loss occurred: FALSE
Timeout occurred: TRUE
Over thresholds occurred: FALSE
Latest RTT (milliseconds): NoConnection/Busy/Timeout
Latest operation start time: 09:25:08.110 EST Fri Dec 20 2019
Latest operation return code: Timeout
RTT Values:
RTTAvg: 0 RTTMin: 0 RTTMax: 0
NumOfRTT: 0 RTTSum: 0 RTTSum2: 0

 

 

 

However, if I manually source the ping it works fine:

 

ASA# ping inside 192.168.72.254
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.72.254, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/8/10 ms

 

 

Kind Regards,

Content for Community-Ad