
SLA from a specific IP

Will Phinney
Level 1

Good morning everyone,

I'm having an issue with a cloud provider that will not allow traffic to be initiated from their end on a certain SA. I did the debug 1(27) and see my ASA reaching out and them essentially timing out. I've read about this and even TAC confirmed what I was seeing, so the only fix is to initiate a ping from the box itself, as I'm only allowing one specific host to this cloud, as it runs through a hub and spoke VPN. The box in question is a Linux box that I don't have access to, so if it were ever to stop then that SA would come down. I was thinking about doing an SLA from the far end ASA, but you can't do a specific source SLA on an ASA, correct? I realize I could open it up to the entire range, but was wondering if anyone had any thoughts on this?

 

Thanks!

2 Replies

Vibhor Amrodia
Cisco Employee

Hi Will,

I think, as per the requirement, you want the traffic to be initiated from the ASA outside interface for the tunnel to stay up. I think if you configure the SLA on the Outside interface, that should generate the necessary ICMP request to keep the tunnel UP, and you can change the destination to the VPN peer.

Thanks and Regards,

Vibhor Amrodia

Right, but that's assuming I'm allowing all traffic from a certain segment. For example, if I'm only NAT'ing a specific host, say 10.13.20.5 to 10.5.0.0, then I would have to open up to all of 10.13.20.x/24, as I don't believe there is a way to set up an SLA to source from just 10.13.20.5, correct?
