02-25-2014 11:16 AM - edited 03-11-2019 08:50 PM
Hello:
I have an ASA 5525 connected to an ISP. I've configured a static default route, and I'm tracking the ISP gateway with IP SLA, using the default IP SLA tracking metrics:
route outside 0.0.0.0 0.0.0.0 192.168.0.2 1 track 1
sla monitor 1
type echo protocol ipIcmpEcho 192.168.0.2 interface outside
sla monitor schedule 1 life forever start-time now
track 1 rtr 1 reachability
If I do a 'show ip sla monitor configuration', I get some details:
asa1-5525# sho sla monitor configuration
SA Agent, Infrastructure Engine-II
Entry number: 1
Owner:
Tag:
Type of operation to perform: echo
Target address: 192.168.0.2
Interface: outside
Number of packets: 1
Request size (ARR data portion): 28
Operation timeout (milliseconds): 5000
Type Of Service parameters: 0x0
Verify data: No
Operation frequency (seconds): 60
Next Scheduled Start Time: Start Time already passed
Group Scheduled : FALSE
Life (seconds): Forever
Entry Ageout (seconds): never
Recurring (Starting Everyday): FALSE
Status of entry (SNMP RowStatus): Active
Enhanced History:
So far, so good. Well... not really. I have several complaints that the default route drops frequently. I've confirmed with the ISP that the circuit is healthy, albeit a bit congested at times. My theory is that the SLA traffic is getting dropped during the times of congestion, resulting in the drop of the default route. I've pretty much confirmed this with the 'show track' output:
asa1-5525# sho track
Track 1
Response Time Reporter 1 reachability
Reachability is Up
281 changes, last change 1d01h
Latest operation return code: OK
Latest RTT (millisecs) 1
Tracked by:
STATIC-IP-ROUTING 0
So, let's get back to the IP SLA metrics. If I'm reading the output correctly, I'm sending one ping every 60 seconds. That said, this is my question: does this mean that if I don't receive back that single ping, the route gets dropped?! From a single packet loss? If that's true, that is clearly unacceptable. What I would like to know is how to set up IP SLA so that I 'send 3 pings over 30 seconds, and if I get back an echo response from at least one of those pings, I keep the default route active.' Is there a way to configure this?
Thanks.
02-25-2014 11:48 PM
Hi,
I have personally only used IP SLA on routers, and on the ASA only for testing purposes here on the CSC, so I have not really had to do that much modification of the settings.
You might however want to change the "num-packets" setting, and perhaps change the "timeout" setting, though that by default is already 5000 ms.
You would be entering these values after you enter the following command:
type echo protocol ipIcmpEcho 192.168.0.2 interface outside
You will be entered into a new configuration mode where you can use "?" to check your options on what values to use. But the main thing you probably want to test is changing the "num-packets" value to something higher than the default value of 1.
Here are links to the Command Reference for the "num-packets" and "timeout" commands:
num-packets
http://www.cisco.com/c/en/us/td/docs/security/asa/command-reference/cmdref/n.html#pgfId-1815481
timeout
http://www.cisco.com/c/en/us/td/docs/security/asa/command-reference/cmdref/t1.html#pgfId-1569025
- Jouni
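The sub-mode Jouni describes, written out as an added example (this is not configuration from the thread or from Cisco's documentation). The addresses, interface name and entry number are the OP's; the command names num-packets, frequency and timeout are the ASA's sla monitor echo sub-mode commands, and the values chosen for them are an assumption that mirrors the OP's "3 pings over 30 seconds" wish:

```cisco
! Added example: the OP's IP SLA entry with its timers made explicit.
! If the ASA refuses to change an entry that is already scheduled,
! unschedule it first and re-schedule it afterwards.
no sla monitor schedule 1
!
sla monitor 1
 type echo protocol ipIcmpEcho 192.168.0.2 interface outside
  ! echo requests sent per operation (default 1, as in the OP's output)
  num-packets 3
  ! seconds between operations (default 60); assumed value
  frequency 30
  ! milliseconds to wait for a reply (default 5000); keep it shorter than frequency
  timeout 5000
sla monitor schedule 1 life forever start-time now
!
track 1 rtr 1 reachability
route outside 0.0.0.0 0.0.0.0 192.168.0.2 1 track 1
!
! Verification commands to run after the change:
!   show sla monitor configuration 1       (confirms the new num-packets / frequency / timeout)
!   show sla monitor operational-state 1   (latest return code and RTT of the operation)
!   show track 1                           (Reachability state and the change counter)
```

How many of the three replies must come back for the track to stay Up is exactly the question this thread leaves open, so do not assume a rule: compare the "changes" counter in show track 1 over a day before and after the change, and read the return code in show sla monitor operational-state 1 while the circuit is congested.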
02-26-2014 10:59 AM
Jouni, thanks for the recommendation. That said, like the documentation, this somewhat avoids directly answering my question. Let me ask it this way: if I increased the "num-packets" to 6, how many of those packets need to successfully reply in order to maintain the route in the routing table? All of them? One of them? 3 of them? This information, for some reason, seems elusive.
07-04-2014 07:09 PM
Did you ever solve this issue? I have similar problems with my ASA and my ISP.
07-09-2014 01:08 PM
I have yet to get a specific answer.