Configuring IP SLA Monitor

rmorenobb, Level 1

Hello, 

I have a Site to Site VPN, and I'm unable to get the IP SLA Monitor I set up to keep the tunnel up.

I'm using Cisco FMC 6.2.2 with an FTD HA pair: Cisco Firepower 2120 Threat Defense (77) Version 6.2.2.2 (Build 109).

Vendor is using AWS.

I have an IP SLA Monitor configured.

FMC GUI config:

Name: Vendor1
Frequency: 5
SLA Mon ID: 10
Timeout: 5000
Data Size: 28
Number of Packets: 3
Monitor address: 1.1.1.2
Selected Zone: Outside

I then configured a static route.

FMC GUI config:

Type: IPV4
Interface: Outside
Selected Network: 1.1.1.2/32
Gateway: 24.100.205.169
Metric: 1
Route Tracking: Vendor1

How it is in the CLI:

route Outside 1.1.1.2 255.255.255.255 24.100.205.169 1 track 1

This vendor was previously peering with an old ASA 5525; we just moved it to the FMC firewall.

On the old ASA 5525 this was the SLA configuration for the same peer:

Entry number: 4
Owner:
Tag:
Type of operation to perform: echo
Target address: 1.1.1.2
Interface: Outside
Number of packets: 3
Request size (ARR data portion): 28
Operation timeout (milliseconds): 5000
Type Of Service parameters: 0x0
Verify data: No
Operation frequency (seconds): 5
Next Scheduled Start Time: Start Time already passed
Group Scheduled : FALSE
Life (seconds): Forever
Entry Ageout (seconds): never
Recurring (Starting Everyday): FALSE
Status of entry (SNMP RowStatus): Active
Enhanced History:

There was no issue keeping up this peer on the old ASA 5525, but on the FMC it won't keep the tunnel up.

One thing to note: the vendor's host that we use to keep the peer up, 1.1.1.2, doesn't reply, and never has, even with the old ASA 5525, but that was never an issue keeping the tunnel up on the old ASA.

So if I were to do a manual ping

ping 1.1.1.2

I'd get zero replies.

Trying to figure out how this can work successfully on the FMC/FTD config.

I have captures running, and I cannot see any packets generated for the SLA monitor. I can see packets generated if I do a packet-tracer for ICMP, and that will obviously bring the tunnel up, but the tunnel won't stay up; it goes inactive after around 30+ minutes since the SLA monitor isn't working.

Any ideas would be appreciated, thank you.

Accepted Solution

The issue with the SLA monitor not working was specifically the crypto map protected networks.

Since the firewall would be kicking off the SLA monitor, the source interface the FMC would use to initiate the SLA monitor would need to be a part of the crypto map.

I found that with the old configuration of the tunnel (this peer was being moved from one ASA to another) the protected networks was an "any". While I prefer not to use an any, that was the only way to get the SLA monitor to work as designed. Per Cisco TAC, they came to the same resolution.

So I adjusted the site to site VPN config to have an "any", ensured there was a static route tied to the SLA monitor, and deployed the config.

After the deployment, the tunnel came up on its own with the SLA monitor, and has continued to stay up with no issues.


6 Replies

rmorenobb, Level 1

Still trying to get this one to work; unable to keep the tunnel up.

I can manually bring the tunnel up with a packet-tracer, but it won't stay up.

I'm actually working with Cisco TAC on this, and they're also having issues figuring this out.


I have my config very similar to yours, but my SLA is being dropped. I'm sourcing my SLA from the inside interface on my FTD. I'm just wondering if you did anything else to get this SLA to work.

Hi, yes. For the crypto map of the peer that you're trying to keep up, the static route host IP must fall within that crypto map's protected network; otherwise the peer will not stay up, as the static route has no IPsec ACL tied to it.

For example, this static route stays up with the IP SLA monitor because the host IP is within the protected network configured on the peer, thus the peer will stay up:

route Outside 172.11.12.129 255.255.255.255 174.175.165.129 1 track 1

> show crypto ipsec sa peer 55.8.196.17
peer address: 55.8.196.17
Crypto map tag: CSM_Outside_map, seq num: 1, local addr: 174.175.165.129

access-list CSM_IPSEC_ACL_2 extended permit ip any 172.11.0.0 255.255.0.0   <---- see this range: the static route's host IP falls within it, so the static route will apply successfully

local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (172.11.0.0/255.255.0.0/0/0)
current_peer: 55.8.196.17

So my peer is constantly up, since my firewall is the initiator:

IKE Peer: 55.8.196.17
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE

If you're using the FMC GUI, see the attached files.
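To make the check described in this reply mechanical, here is an added Python example (not code from the thread or from Cisco) that parses a tracked static route and the local/remote proxy identities from `show crypto ipsec sa` output, then reports whether an SLA probe from the given source address falls inside the crypto map's protected networks. The first SA sample uses the identities quoted above; the second, with a non-any local ident, is constructed to show the failing case a probe sourced from the outside interface runs into.

```python
import ipaddress
import re

# Constructed sample input: the tracked static route and proxy identities quoted in
# the reply above (values from the thread, not pulled from a live device).
ROUTE_CONFIG = "route Outside 172.11.12.129 255.255.255.255 174.175.165.129 1 track 1"
SA_ANY_LOCAL = """\
peer address: 55.8.196.17
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (172.11.0.0/255.255.0.0/0/0)
"""
# Constructed failing case: local side limited to an inside subnet, so a probe sourced
# from the outside interface address (174.175.165.129) matches no proxy identity.
SA_INSIDE_LOCAL = """\
peer address: 55.8.196.17
local ident (addr/mask/prot/port): (10.0.0.0/255.0.0.0/0/0)
remote ident (addr/mask/prot/port): (172.11.0.0/255.255.0.0/0/0)
"""

ROUTE_RE = re.compile(r"^route\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+\d+\s+track\s+(\d+)$")
IDENT_RE = re.compile(r"^(local|remote) ident[^:]*:\s*\(([\d.]+)/([\d.]+)/\d+/\d+\)$")

def parse_tracked_routes(config):
    """Return {track_id: destination network} for every 'route ... track N' line."""
    routes = {}
    for line in config.splitlines():
        m = ROUTE_RE.match(line.strip())
        if m:
            _iface, ip, mask, _gw, track = m.groups()
            routes[int(track)] = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
    return routes

def parse_idents(sa_output):
    """Collect the local/remote proxy identities (protected networks) of one IPsec SA."""
    idents = {"local": [], "remote": []}
    for line in sa_output.splitlines():
        m = IDENT_RE.match(line.strip())
        if m:
            side, ip, mask = m.groups()
            idents[side].append(ipaddress.ip_network(f"{ip}/{mask}", strict=False))
    return idents

def probe_is_protected(source_ip, tracked_net, idents):
    """True if a probe from source_ip to tracked_net matches a local/remote proxy pair,
    i.e. it is interesting traffic that can bring the tunnel up and keep it up."""
    src = ipaddress.ip_address(source_ip)
    return (any(src in net for net in idents["local"])
            and any(tracked_net.subnet_of(net) for net in idents["remote"]))
```

Run it against the real `show run route` and `show crypto ipsec sa peer` output before deploying a tracked route: a probe that is not protected will never match the crypto ACL, so the SLA monitor cannot initiate the tunnel no matter how the static route is built.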

I think my issue is the static route gateway. What address are you using as the gateway for the static route? It appears that you set the gateway as the outside interface IP address. That is not allowed. Am I missing something?

The gateway is my outside interface IP on my internet router.
