
Can IP SLA Target (icmp-echo) on ASA be a private Address?

Dean Romanelli
Level 4

Hi All,

I have a branch with two site-to-site VPN tunnels to the data center, controlled via IP SLA. The target address I am pinging for the SLA evaluation is a public address. However, there are times when my VPN tunnel will go down, but for reasons other than the ISP line being down. When that happens, the SLA still gets a response from the target since the ISP line is still up and the target is a public address, so my line does not fail over.

Question: Can I make my SLA target address a private address (i.e. the VPN hub LAN-facing IP in my data center) instead of a public address on an ASA? That way, if the VPN goes down, my pings to the data center LAN will drop and I should fail over, even if the primary ISP line itself at the branch isn't down.

Accepted Solutions

Mark Malone
VIP Alumni

Hi

Yes, once you have reachability to the IP, it can be the target. Usually when using IP SLA I always try to target something upstream rather than any IP on the ISP link itself, to be sure, as you said, for issues like the one you face, that it fails over when it can't reach behind the router to LAN clients. Target something only that link has access to; that way it has to go right over the link and hit the destination. Private or public doesn't matter once you can ping it through SLA.
