
Best Practice for ASA Route Monitoring Options?

snoopyren
Level 1

We have one pair of Cisco ASA 5505s located in different locations, and there are two point-to-point links between those two locations: one for the primary link (static route w/ low metric) and the other for backup (static route w/ high metric). The tracked option is enabled for monitoring the state of the primary route. The detailed parameters regarding the options are as below:

Frequency: 30 seconds               Data Size: 28 bytes

Threshold: 3000 milliseconds     Tos: 0

Time out: 3000 milliseconds          Number of Packets: 8

------ show run------

sla monitor 1
 type echo protocol ipIcmpEcho 10.200.200.2 interface Intersite_Traffic
 num-packets 8
 timeout 3000
 threshold 3000
 frequency 30
sla monitor schedule 1 life forever start-time now

------ show run------

I'm not sure if the setting is so sensitive that the secondary static route begins to work right away, even when some small link flaps occur.

What is the best practice for setting those parameters up in a production environment? How can we specify reasonable monitoring options to fit our needs?

Thank you for any idea.

5 Replies

Julio Carvajal
VIP Alumni

Hello,

Right now you are saying send 8 packets every 30 seconds, and for failover to happen you have to miss 8 packets.

I would prefer to use the default setup, num-packets 3 frequency 10, so failover happens as fast as possible.

You could change it to your preference.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Valid values for Frequency range from 1 to 604800 seconds. The default value is 60 seconds.

Number of Packets, which allows you to choose the number of echo requests to send for each test. Valid values range from 1 to 100. The default value is 1.

My concern is whether the settings are too sensitive and cause some unnecessary failover. What is the effect when we tune those parameters up?

Thanks Julio

Hello,

Of course, too sensitive might cause failover to happen when some packets get lost, but remember the whole purpose of this is to provide as little downtime to your network as possible.

Now, if you tune these parameters, what happens is that failover will be triggered on a different time basis.

This is taken from a Cisco document (if you tune the SLA process as this states, 3 packets will be sent every 10 seconds, so 3 of them need to fail for SLA to happen). This Cisco configuration example looks good, but there are network engineers who would rather use a lower timeline than that.

sla monitor 123
 type echo protocol ipIcmpEcho 10.0.0.1 interface outside
 num-packets 3
 frequency 10

Regards,

Remember to rate all of the helpful posts ( If you need assistance knowing how to rate a post just let me know )

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
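
Added example, not part of any post in this thread: a small Python check that parses an `sla monitor` stanza like the one in the question, validates it against the ranges and defaults quoted above, and estimates how long the link must be down before a probe operation fails. It assumes that threshold <= timeout <= frequency is required, that the timeout defaults to 5000 ms, and that an operation fails once its timeout expires unanswered; the function names are hypothetical.

```python
import re

# Valid ranges and defaults as quoted in the thread.
RANGES = {"frequency": (1, 604800), "num-packets": (1, 100)}
DEFAULTS = {"frequency": 60, "num-packets": 1}
OPTION = re.compile(r"(num-packets|timeout|threshold|frequency) (\d+)")

def parse_sla(config):
    """Return {sla_id: {option: value}} for each 'sla monitor N' stanza."""
    monitors, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        head = re.fullmatch(r"sla monitor (\d+)", line)
        opt = OPTION.fullmatch(line)
        if head:
            current = monitors.setdefault(int(head.group(1)), dict(DEFAULTS))
        elif opt and current is not None:
            current[opt.group(1)] = int(opt.group(2))
        elif line and not line.startswith("type "):
            current = None  # any other command ends the stanza
    return monitors

def review(opts):
    """Findings for one stanza: range checks, then threshold <= timeout <= frequency."""
    findings = []
    for name, (lo, hi) in RANGES.items():
        if not lo <= opts[name] <= hi:
            findings.append(f"{name} {opts[name]} outside {lo}-{hi}")
    timeout, threshold = opts.get("timeout"), opts.get("threshold")
    if timeout is not None and timeout > opts["frequency"] * 1000:
        findings.append("timeout longer than frequency")
    if None not in (timeout, threshold) and threshold > timeout:
        findings.append("threshold longer than timeout")
    return findings

def detection_window(opts):
    """(best, worst) seconds from link loss to a failed probe operation.
    Assumptions: 5000 ms default timeout; failure is declared at timeout."""
    timeout_s = opts.get("timeout", 5000) / 1000
    return timeout_s, opts["frequency"] + timeout_s

# Constructed sample: the stanza posted in the question.
SAMPLE = """\
sla monitor 1
 type echo protocol ipIcmpEcho 10.200.200.2 interface Intersite_Traffic
 num-packets 8
 timeout 3000
 threshold 3000
 frequency 30
sla monitor schedule 1 life forever start-time now
"""

if __name__ == "__main__":
    for sla_id, opts in parse_sla(SAMPLE).items():
        print(sla_id, review(opts), detection_window(opts))
```

Under these assumptions the posted stanza passes the checks and reacts between 3 and 33 seconds after the link goes down, so an outage that ends before the next probe operation runs is never seen by the monitor.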

Thanks Julio,

I agree with you. But what is the guideline for those settings, and how can I choose a good value for Timeout?

Hello,

That's your decision. The guideline is the one Cisco provides; from there you can determine what is good for you and what is not.

Regards,

Remember to rate all of the helpful posts ( If you need assistance knowing how to rate a post just let me know )

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC