cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1189
Views
0
Helpful
14
Replies

ASA SLA

I have a remote ASA I'm trying to setup an SLA to monitor a single IP on the other side of a IPSEC Tunnel I have built. I can ping the IP fine from the remote ASA.

I'm using the following commands:

sla monitor 100
  type echo protocol ipIcmpEcho address interface inside
  timeout 300
  frequency 3
sla monitor schedule 100 life forever start-time now

When I run a 'show sla monitor oper 100' I get:

Entry number: 100
Modification time: 14:26:55.266 CDT Wed Apr 20 2016
Number of Octets Used by this Entry: 1480
Number of operations attempted: 22109
Number of operations skipped: 0
Current seconds left in Life: Forever
Operational state of entry: Active
Last time this entry was reset: Never
Connection loss occurred: FALSE
Timeout occurred: TRUE
Over thresholds occurred: FALSE
Latest RTT (milliseconds): NoConnection/Busy/Timeout
Latest operation start time: 08:52:19.260 CDT Thu Apr 21 2016
Latest operation return code: Timeout
RTT Values:
RTTAvg: 0       RTTMin: 0       RTTMax: 0
NumOfRTT: 0     RTTSum: 0       RTTSum2: 0

What am I missing? as I said, a 'ping inside address' to the remote host works fine.

Thanks.

14 Replies 14

Aditya Ganjoo
Cisco Employee
Cisco Employee

Hi Charlie,

Could you please share the output of show cry ipsec sa peer <remote peer IP> and show run sla monitor ?

Regards,

Aditya

Please rate helpful posts.

show cry ipsec sa peer x.x.x.x

peer address: x.x.x.x
    Crypto map tag: outside_map, seq num: 1, local addr: x.x.x.x

      access-list outside_1_cryptomap extended permit ip 10.110.0.0 255.255.254.0 any
      local ident (addr/mask/prot/port): (10.110.0.0/255.255.254.0/0/0)
      remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      current_peer: 74.118.144.20

      #pkts encaps: 84167611, #pkts encrypt: 83815573, #pkts digest: 83815575
      #pkts decaps: 82983265, #pkts decrypt: 82983261, #pkts verify: 82983261
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 84167614, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 7865, #pre-frag failures: 359886, #fragments created: 15730
      #PMTUs sent: 359886, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 1, #recv errors: 2

      local crypto endpt.: 4.14.16.134, remote crypto endpt.: 74.118.144.20

      path mtu 1400, ipsec overhead 74, media mtu 1500
      current outbound spi: B60AA40D
      current inbound spi : E70E807A

    inbound esp sas:
      spi: 0xE70E807A (3876487290)
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 5, }
         slot: 0, conn_id: 135168, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (2930383/24654)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0xFFFFFFFF 0xFFFFFFFF
    outbound esp sas:
      spi: 0xB60AA40D (3054150669)
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 5, }
         slot: 0, conn_id: 135168, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (3554141/24654)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

Hi Charlie,

Seems like an AMAZON tunnel config  :)

Anyways could you provide the following debugs:

debug sla monitor trace
debug sla monitor error

Use undebug all to stop the debugs.

Regards,

Aditya

No idea what you mean by the AMAZON tunnel config, but I'll take your word for it.

I see this in the logs.
6|Apr 21 2016 09:46:07|110003: Routing failed to locate next hop for icmp from NP Identity Ifc:10.110.0.1/0 to inside:10.170.14.51/0

yet the system is reachable.

Hi Charlie,

Do you have Management-access inside command configured ?

Regards,

Aditya

Yes sir.

'management-access inside'

Hi,

Please share the show version of the ASA.

8.2(5)

Hi Charlie,

I think this may not work as there is already an enhancement request filed for this :

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCtn29607/?reffering_site=dumpcr

Regards,

Aditya

Please rate helpful posts.

Hi Charlie,

I would request to close the discussion in case your query has been answered.

Regards,

Aditya

Yes. Thanks. I'm looking into the link you posted.

show run sla mon
sla monitor 100
 type echo protocol ipIcmpEcho 10.170.14.51 interface inside
 timeout 300
 frequency 3
sla monitor schedule 100 life forever start-time now

Hello Charlie,

Quickquestion, the route that is configured in the ASA to reach the remote host, is it configures using the outside or inside interface? 

For example:

route outside remotehost 255.255.255.255 x.x.x.x

Or

route inside remotehost 255.255.255.255 x.x.x.x

Neither.

I have a basic default route pointing to my ISP, and all traffic except the tunnel itself is forwarded by the tunnel to the remote side.

The system in question is reachable.

Review Cisco Networking for a $25 gift card