SLA Monitor on IPSEC tunnel - no source interface option!

zafeirop
Level 1

Hello community!

I am trying to build an IPSEC tunnel with a remote site using ASA Firepower, latest IOS installed.

Additionally, I need to configure a track object with ICMP echo checks sent to the inside of the remote far-end in order to check the actual status of the IPSEC.

That means that I want to have the ASA generate local traffic, travel through the IPSEC and get a response back.

I know already that there is a common practice to create track objects by checking the IPSEC peer but for me, it is not enough. In my experience, there are moments where the IPSEC is stuck, but the peer responds back as in a normal condition.

However, a ping request to the inside of the remote end of the IPSEC tunnel will fulfill the requirement.

After spending almost 3 days trying to find the correct command set in ASA, I realized that there is no "source" command in the sla monitor command:

type echo protocol ipIcmpEcho 20.20.20.1 interface inside

That means that the ICMP packets will always follow the best output path and the best route on the egress interface, without any chance of getting into the IPSEC tunnel.

So I'd like to ask experts here:

Is there any alternative to dynamically alter the routing table when the tunnel is "really" down?

Regards,

Anastasios

1 Reply

zafeirop
Level 1
Some alternatives that I got back were EEM syslog triggers on IPSEC tunnel IDs and VTI configuration.
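As an added illustration of the VTI alternative named in the reply (example configuration, not the poster's own): with a route-based tunnel the ASA gets a tunnel interface with its own nameif and IP address, so the SLA echo can name that interface and the probe is forced through the IPsec path instead of the best egress route. It assumes an ASA image that supports VTI and accepts the VTI nameif as the echo interface; the peer address, VTI addresses, proposal/profile names, backup interface and pre-shared key are constructed placeholders, and 20.20.20.1 is the far-end inside target from the question.

```cisco
! Added example: route-based (VTI) tunnel with an SLA probe bound to
! the tunnel interface. All addresses and names are constructed.
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
 lifetime seconds 86400
crypto ikev2 enable outside
crypto ipsec ikev2 ipsec-proposal AES256-SHA256
 protocol esp encryption aes-256
 protocol esp integrity sha-256
crypto ipsec profile VTI-PROFILE
 set ikev2 ipsec-proposal AES256-SHA256
!
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 ipsec-attributes
 ikev2 remote-authentication pre-shared-key <PLACEHOLDER-PSK>
 ikev2 local-authentication pre-shared-key <PLACEHOLDER-PSK>
!
! VTI: the tunnel becomes a routable interface (nameif vti-remote)
interface Tunnel1
 nameif vti-remote
 ip address 10.255.0.1 255.255.255.252
 tunnel source interface outside
 tunnel destination 203.0.113.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROFILE
!
! SLA echo to the far-end inside host, sourced from the VTI, so the
! probe can only succeed if traffic actually passes through the tunnel
sla monitor 10
 type echo protocol ipIcmpEcho 20.20.20.1 interface vti-remote
 num-packets 3
 frequency 10
sla monitor schedule 10 life forever start-time now
track 1 rtr 10 reachability
!
! Primary route via the tunnel is withdrawn when track 1 goes down;
! the floating route (distance 254) over a constructed backup path
! (e.g. a second link or tunnel) then takes over
route vti-remote 20.20.20.0 255.255.255.0 10.255.0.2 1 track 1
route backup-wan 20.20.20.0 255.255.255.0 172.16.0.1 254
```

Use `show sla monitor operational-state 10` and `show track 1` to confirm the probe is answered through the tunnel before relying on the tracked route.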