06-12-2015 07:33 AM - edited 03-11-2019 11:06 PM
Good morning everyone,
I'm having an issue with a cloud provider that will not allow traffic to be initiated from their end on a certain SA. I did the debug 1(27) and see my ASA reaching out and them essentially timing out. I've read about this and even TAC confirmed what I was seeing, so the only fix is to initiate a ping from the box itself, as I'm only allowing one specific host to this cloud, as it runs through a hub-and-spoke VPN. The box in question is a Linux box that I don't have access to, so if it were ever to stop then that SA would come down. I was thinking about doing an SLA from the far-end ASA, but you can't do a specific-source SLA on an ASA, correct? I realize I could open it up to the entire range, but was wondering if anyone had any thoughts on this?
Thanks!
06-13-2015 06:48 PM
Hi Will,
I think, as per the requirement, you want the traffic to be initiated from the ASA outside interface for the tunnel to stay up. I think if you configure the SLA on the outside interface, that should generate the necessary ICMP requests to keep the tunnel up, and you can change the destination to the VPN peer.
Thanks and Regards,
Vibhor Amrodia
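For reference, the configuration the reply above describes looks like the following on an ASA. This is an added example, not part of the original thread; the SLA ID, track ID, timers, and the probe target 10.5.0.10 (a host assumed to sit inside the cloud's 10.5.0.0 range) are all assumptions. One caveat a practitioner would want to check: the ASA sources the probe from the IP address of the interface named on the `type echo` line, so for the probe to count as interesting traffic and keep the SA up, the crypto ACL on both ends has to cover that source address as well as the destination; there is no option to give the probe an arbitrary inside address such as a single NAT'd host.

```cisco
! Added example configuration (not from the original post).
! The probe is sourced from the outside interface's own IP address.
sla monitor 10
 type echo protocol ipIcmpEcho 10.5.0.10 interface outside
 num-packets 3
 frequency 30
 timeout 3000
sla monitor schedule 10 life forever start-time now
!
! Optional: a track object lets you watch the probe state with
! "show track 1" and "show sla monitor operational-state 10".
track 1 rtr 10 reachability
!
! The probe only keeps the SA up if it matches the crypto ACL.
! Assumed crypto ACL covering the outside interface address
! 203.0.113.5 (placeholder) as well as the NAT'd host:
access-list VPN-TO-CLOUD extended permit ip host 10.13.20.5 10.5.0.0 255.255.0.0
access-list VPN-TO-CLOUD extended permit ip host 203.0.113.5 10.5.0.0 255.255.0.0
```

Whether the cloud side will accept the outside-interface address as a second proxy identity is a question for the provider; if they will only build the SA for the single NAT'd host, the probe above will not match the tunnel and will be sent in the clear instead.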
06-15-2015 07:26 AM
Right, but that's assuming I'm allowing all traffic from a certain segment. For example, if I'm only NAT'ing a specific host, say 10.13.20.5, to 10.5.0.0, then I would have to open up to all of 10.13.20.x/24, as I don't believe there is a way to set up an SLA to source from just 10.13.20.5, correct?