IP SLA Detail Question on ASA 9.0

s-daly
Level 1

Hello:

I have an ASA 5525 connected to an ISP. I've configured a static default route, and I'm tracking the ISP gateway with IP SLA, using the IP SLA default tracking metrics:

route outside 0.0.0.0 0.0.0.0 192.168.0.2 1 track 1
sla monitor 1
type echo protocol ipIcmpEcho 192.168.0.2 interface outside
sla monitor schedule 1 life forever start-time now
track 1 rtr 1 reachability

If I do a 'show ip sla monitor configuration', we get some details:

asa1-5525#  sho sla monitor configuration
SA Agent, Infrastructure Engine-II
Entry number: 1
Owner:
Tag:
Type of operation to perform: echo
Target address: 192.168.0.2
Interface: outside
Number of packets: 1
Request size (ARR data portion): 28
Operation timeout (milliseconds): 5000
Type Of Service parameters: 0x0
Verify data: No
Operation frequency (seconds): 60
Next Scheduled Start Time: Start Time already passed
Group Scheduled : FALSE
Life (seconds): Forever
Entry Ageout (seconds): never
Recurring (Starting Everyday): FALSE
Status of entry (SNMP RowStatus): Active
Enhanced History:

So far, so good. Well... not really. I have several complaints that the default route drops frequently. I've confirmed with the ISP that the circuit is healthy, albeit a bit congested at times. My theory is that the SLA traffic is getting dropped during the times of congestion, resulting in the drop of the default route. I've pretty much confirmed this with the 'show track' output:

asa1-5525#  sho track
Track 1
  Response Time Reporter 1 reachability
  Reachability is Up
  281 changes, last change 1d01h
  Latest operation return code: OK
  Latest RTT (millisecs) 1
  Tracked by:
    STATIC-IP-ROUTING 0

So, let's get back to the IP SLA metrics. If I'm reading the output correctly, I'm sending one ping every 60 seconds. That said, this is my question: does this mean that if I don't receive back that single ping, the route gets dropped?! From a single packet loss? If that's true, that is clearly unacceptable. What I would like to know is how to set up IP SLA where I 'send 3 pings over 30 seconds, and if I get back an echo response from at least one of those pings, I keep the default route active.' Is there a way to configure this?

Thanks.

4 Replies

Jouni Forss
VIP Alumni

Hi,

I have personally only used IP SLA on routers, and on the ASA only for testing purposes here on the CSC, so I have not really had to do that much modification of the settings.

You might, however, want to change the "num-packets" setting and perhaps change the "timeout" setting, though that by default is already 5000ms.

You would be entering these values when you enter the following command:

type echo protocol ipIcmpEcho 192.168.0.2 interface outside

You will be entered into a new configuration mode where you can use the "?" to check your options on what values to use. But the main thing you probably want to test out is changing the "num-packets" value to something higher than the default value of 1.

Here are links to the Command Reference for the "num-packets" and "timeout" commands:

num-packets

http://www.cisco.com/c/en/us/td/docs/security/asa/command-reference/cmdref/n.html#pgfId-1815481

timeout

http://www.cisco.com/c/en/us/td/docs/security/asa/command-reference/cmdref/t1.html#pgfId-1569025

- Jouni

Jouni, thanks for the recommendation. That said, like the documentation, this somewhat avoids directly answering my question. Let me ask this way: if I increased the "num-packets" to 6, how many of those packets need to successfully reply in order to maintain the route in the routing table? All of them? One of them? 3 of them? This information, for some reason, seems elusive.

Did you ever solve this issue? I have similar problems with my ASA and my ISP.

I have yet to get a specific answer.
