IP SLA tracking on Destination Latency

Hi,

Could someone please suggest the configuration to monitor latency thresholds to our VoIP destination using SLA monitors, for ISP failover?

I am using an ASA - 5516x with two ISP providers connected to the firewall.

We route the default route via ISP - 1 to provide internet access, and have configured SLA tracking on the default route for ISP failover, to switch internet traffic over to ISP - 2 on failure of track 4.

We route our VoIP traffic via ISP - 2, with SLA tracking configured on the static routes to our VoIP destination for ISP failover, to switch VoIP traffic over to ISP - 1 on failure of track 8.

We are able to achieve the ISP failovers for internet and VoIP traffic during the loss of connection to 4.2.2.2 or 8.8.8.8.

The problem is that we are facing high latency on ISP - 2 when reaching our VoIP destination, which is causing breakages in VoIP calls.

Example: If we get latency on ISP - 2 up to 300 ms to reach our VoIP destination, the SLA track must go down and traffic should fail over to ISP - 1.

We are using SLA monitors for ISP tracking as given below:

  • sla monitor 4
     type echo protocol ipIcmpEcho 4.2.2.2 interface reliance
     num-packets 4
     frequency 5
  • sla monitor schedule 4 life forever start-time now
  • track 4 rtr 4 reachability
  • sla monitor 8
     type echo protocol ipIcmpEcho 8.8.8.8 interface Tata
     num-packets 4
     frequency 5
  • sla monitor schedule 8 life forever start-time now
  • track 8 rtr 8 reachability

jumora1
Level 1

The monitoring options are at the following link:

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/118962-configure-asa-00.html

But SLA is not the best tool for VoIP traffic.

I would suggest providing me with the configuration with a show tech, or opening a ticket with TAC, to see if there are any errors seen on the interfaces involved, and then checking logs on the client side and on the VoIP provider to see if there is anything in particular that you see in errors.

SLA can flop traffic back and forth, and for VoIP traffic, which is so sensitive, this is not a good option.

Also check timeout floating on the ASA.

  • timeout floating-conn hh:mm:ss—When multiple static routes exist to a network with different metrics, the ASA uses the one with the best metric at the time of connection creation. If a better route becomes available, then this timeout lets connections be closed so a connection can be reestablished to use the better route. The default is 0 (the connection never times out). To take advantage of this feature, change the timeout to a new value between 0:1:0 and 1193:0:0.
  • timeout pat-xlate hh:mm:ss—The idle time until a PAT translation slot is freed, between 0:0:30

https://www.cisco.com/c/en/us/td/docs/security/asa/asa93/configuration/firewall/asa-firewall-cli/conns-connlimits.pdf

Security Engineer
juanmh8419@gmail.com
Skype: juanmh8419@hotmail.com

Hi Jumora,

Thanks for your response and suggestions to my query.

We have observed no errors on the firewall interfaces to which the ISP and LAN networks are connected.

Also, we are not facing the latency issue every time; it occurs only during traffic congestion on the ISP, as we observe high latency on the ISP in our monitoring system during the issue.

I couldn't find the configuration for an SLA monitor using latency thresholds in the provided URL; it contains the configuration related to the frequency time to monitor and the number of packets.

Could you please help me to configure the SLA monitor using latency thresholds to the destination?

I'm not sure if thresholds are supported. Could you get into sla monitor configuration and run a question mark to see if this option is available? You could also check this via ASDM.

Security Engineer
juanmh8419@gmail.com
Skype: juanmh8419@hotmail.com
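
An added example, not part of any reply in this thread: in the ASA command reference the `threshold` value only marks over-threshold events in the probe statistics and does not affect reachability, while `timeout` (in milliseconds, no greater than `frequency`) decides when a probe fails, so a latency ceiling is set with `timeout`. The VoIP peer 203.0.113.10, the next hops 198.51.100.1 and 192.0.2.1, and the monitor/track ID 9 are placeholder assumptions; the interface names and the 300 ms figure come from the original post.

```text
! Constructed example. 203.0.113.10 (VoIP peer), 198.51.100.1 and 192.0.2.1
! (next hops) and ID 9 are placeholders; interface names are from the post.
sla monitor 9
 ! Probe the VoIP destination itself, out of the ISP - 2 interface.
 type echo protocol ipIcmpEcho 203.0.113.10 interface Tata
 num-packets 4
 ! threshold only records "over threshold" in the statistics; it does not
 ! change reachability. Keep it at or below the timeout.
 threshold 250
 ! timeout (ms) is what fails the probe and therefore the track.
 timeout 300
 frequency 5
sla monitor schedule 9 life forever start-time now
track 9 rtr 9 reachability
!
! Primary VoIP path via ISP - 2, withdrawn while track 9 is down.
route Tata 203.0.113.10 255.255.255.255 198.51.100.1 1 track 9
! Floating backup via ISP - 1 with a higher metric.
route reliance 203.0.113.10 255.255.255.255 192.0.2.1 10
!
! Let established connections be closed and rebuilt on the better route
! when it returns (the floating-conn timer quoted in the first reply).
timeout floating-conn 0:1:0
```

`show sla monitor operational-state 9` and `show track 9` show the latest probe result and the track state, which helps in choosing a timeout that does not flap on normal jitter.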