We have a network consisting of a central site and a few remote offices. The sites are all connected via MPLS and also have VPNs over ADSL / internet connections as a backup. The remote offices have Cisco 837 routers for the ADSL connections which we can manage but the MPLS routers are managed by the service provider providing the MPLS connections. At the central site we have a Cisco 891 for the the MPLS connection (which we manage) and a Cisco ASA5505 for the backup VPNs.

In order to implement failover from MPLS to VPN in the event of any MPLS line going down I have tried to use ip sla monitors and tracked objects on the 891 as per Cisco's documentation. The problem that I am finding is that I can't set the number of ICMP echo failures required before the tracked route is dropped. Whenever the ip sla monitor fails to get a response the tracked route is dropped immediately. This is too sensitive as packets are occasionally dropped which results in the routes bouncing back and forth between MPLS and VPN too frequently (disconnecting users in the process).

I have found a few posts on the internet about others having similar problems and them later posting that they have figured it out but they don't provide an example of how they did it!

I have tried different threshold types and values, tried configuring ip sla monitor reaction-triggers (although I don't understand what little documentation that I can find on this) and have even looked at event manager. I have been working on this for a few weeks now and am getting nowhere.

The Cisco ASA5505's implementation of ip sla monitor is much better in that it is possible to specify the number of packets but unfortunately we can't use the ASA as the default gateway for the LAN as the asymmetrical routing that occurs does not work with the firewall function of the ASA.

Has anybody come across this issue withh ip sla monitor on IOS and managed to get it working?