
Cisco ASA Tracked Route is Removed Unnecessarily

Luigi Celeste
Level 1

Hi Everyone!

I have a problem with our Cisco ASA in our company. The question is quite simple.

We have our ASA configured in Active/Standby failover with redundant links connected to two 3750 switches in HSRP for better fault tolerance (this information is only for completeness; I don't think this kind of topology can be involved in our problem). They also connect eight branches via VPN L2L. You can see the image attached.

Also for better fault tolerance, we have configured IP SLA between two service providers to ensure continuity when the primary fails. The problem is that, when network traffic is congested toward the WAN side (we have an 8 Mbit/s HDSL connection), the primary route is removed unnecessarily. It remains down just for the time needed to reset the connections, and then comes up again. During that time, all VPN L2L connections fail and the remote branches have to renegotiate the tunnels.

For troubleshooting purposes, I've configured syslog messages to be sent to an email address for IP SLA and failover events, and every time the tracked route fails, I receive an email. I've also configured NetFlow to monitor the traffic behavior, and I use NAGIOS to monitor the reachability of our branch firewalls. In this case, I ping my branches every second, and if NAGIOS doesn't receive a response for 15 consecutive seconds, I receive an email alert. When the ASA's tracked route fails, NAGIOS doesn't even have the time to notice that the remote branches have gone down too before all the tunnels have already come back up.

Below is my SLA configuration. I check Google DNS every 30 seconds with 20 ICMP packets. No ASA crashes are reported. No failover occurs. My ASA version is 9.2(2).

 

sla monitor 1
 type echo protocol ipIcmpEcho 8.8.8.8 interface outside1
 num-packets 20
 frequency 30
sla monitor schedule 1 life forever start-time now

track 1 rtr 1 reachability

 

Thanks for your reply.

 

Luigi Celeste
