Who Me Too'd this topic

ASA VPN to AWS and IPSLA to keep tunnel alive

james.brunner
Level 1

Hi all,

I've got an ASA5555-X running 9.2(3)4 that's got two tunnels to our AWS VPC. That all works perfectly and the internal LANs have access to and from the VPC EC2 instances. All good.

However, during the evening when the traffic goes quiet the tunnel drops and as per AWS' documents I've been trying to get IPSLA working to keep the tunnel up.

I have a local route on the ASA pointing the VPC CIDR via the outside interface's default gateway and from the ASA if I "ping inside <VPC_target_IP>" it replies ok.

So I've tried to get the SLA running with:

sla monitor 1
 type echo protocol ipIcmpEcho <AWS_VPC_Target_IP> interface inside
 frequency 5

But this doesn't work...

Entry number: 1
Modification time: 21:08:53.035 GMT/BST Tue Nov 17 2015
Number of Octets Used by this Entry: 2056
Number of operations attempted: 5664
Number of operations skipped: 5663
Current seconds left in Life: Forever
Operational state of entry: Active
Last time this entry was reset: Never
Connection loss occurred: FALSE
Timeout occurred: TRUE
Over thresholds occurred: FALSE
Latest RTT (milliseconds): NoConnection/Busy/Timeout
Latest operation start time: 12:52:33.035 GMT/BST Wed Nov 18 2015
Latest operation return code: Timeout
RTT Values:
RTTAvg: 0       RTTMin: 0       RTTMax: 0
NumOfRTT: 0     RTTSum: 0       RTTSum2: 0

Changing the interface to 'outside' also doesn't work - same result.

If I run the monitor from my outside interface to the VPN peer addresses in AWS then it works fine but this is routing outside of the tunnel so the tunnel doesn't stay up - the crypto counters don't change.

I'm at a loss - I can source a ping on my inside interface to the VPC target and that works, so why won't IPSLA from the inside interface also work?

Thanks in advance for any pointers.

JB.
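The operational-state dump quoted in the post is what has to be watched when an IPsec tunnel is kept alive by an SLA probe, so here is an added example (not part of the original post and not Cisco's code) that parses that output format and flags the conditions visible in it: a latest return code other than OK, the timeout flag, and a skipped-operation count close to the attempted count, which means the ASA was due to start the next probe before the previous one had finished. The failing sample is a copy of the output shown above; the healthy sample and the 50% skip-ratio threshold are constructed assumptions.

```python
import re

# Constructed sample: a copy of the `sla monitor` operational-state output
# quoted in the post (a probe that never gets a reply).
FAILING_SAMPLE = """\
Entry number: 1
Modification time: 21:08:53.035 GMT/BST Tue Nov 17 2015
Number of Octets Used by this Entry: 2056
Number of operations attempted: 5664
Number of operations skipped: 5663
Current seconds left in Life: Forever
Operational state of entry: Active
Last time this entry was reset: Never
Connection loss occurred: FALSE
Timeout occurred: TRUE
Over thresholds occurred: FALSE
Latest RTT (milliseconds): NoConnection/Busy/Timeout
Latest operation start time: 12:52:33.035 GMT/BST Wed Nov 18 2015
Latest operation return code: Timeout
RTT Values:
RTTAvg: 0       RTTMin: 0       RTTMax: 0
NumOfRTT: 0     RTTSum: 0       RTTSum2: 0
"""

# Constructed sample of a working probe (values invented for illustration).
HEALTHY_SAMPLE = """\
Entry number: 1
Number of operations attempted: 120
Number of operations skipped: 0
Current seconds left in Life: Forever
Operational state of entry: Active
Connection loss occurred: FALSE
Timeout occurred: FALSE
Over thresholds occurred: FALSE
Latest RTT (milliseconds): 31
Latest operation return code: OK
RTT Values:
RTTAvg: 31      RTTMin: 28      RTTMax: 40
NumOfRTT: 3     RTTSum: 93      RTTSum2: 2945
"""

# The two RTT summary lines carry three "key: value" pairs each.
RTT_PAIR = re.compile(r"(\w+):\s*(\S+)")


def parse_sla_state(text):
    """Turn the operational-state dump into a dict of field name -> string value."""
    fields = {}
    for line in text.splitlines():
        if line.startswith(("RTTAvg", "NumOfRTT")):
            fields.update(RTT_PAIR.findall(line))
            continue
        # Timestamps contain ':' too, so only the first ':' separates key and value.
        key, sep, value = line.partition(":")
        if sep and value.strip():
            fields[key.strip()] = value.strip()
    return fields


def assess_sla_state(fields, skip_ratio_limit=0.5):
    """Return a list of problems; an empty list means the probe looks healthy."""
    problems = []
    if fields.get("Operational state of entry") != "Active":
        problems.append("entry is not active; check that it is scheduled")
    code = fields.get("Latest operation return code")
    if code != "OK":
        problems.append(f"latest probe returned {code}, not OK")
    if fields.get("Timeout occurred") == "TRUE":
        problems.append("probe is timing out: no reply reached the SLA operation")
    attempted = int(fields.get("Number of operations attempted", 0))
    skipped = int(fields.get("Number of operations skipped", 0))
    if attempted and skipped / attempted > skip_ratio_limit:
        problems.append(
            f"{skipped}/{attempted} operations skipped: the next probe was due "
            "before the previous one finished (compare timeout with frequency)")
    return problems


def tunnel_probe_is_healthy(text):
    """Convenience wrapper: True when the dump shows no problems."""
    return not assess_sla_state(parse_sla_state(text))


if __name__ == "__main__":
    for name, sample in (("failing", FAILING_SAMPLE), ("healthy", HEALTHY_SAMPLE)):
        print(name, assess_sla_state(parse_sla_state(sample)) or "OK")
```

Run against the post's own output the checker reports three problems (return code Timeout, timeout flag set, 5663 of 5664 operations skipped); the constructed healthy dump reports none. The skip count is the figure worth alerting on alongside the return code, because a probe that is mostly skipped is not generating the interesting traffic the tunnel needs even when it is scheduled and active.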
