Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2682
Views
1
Helpful
3
Replies

IP SLA to check internet connectivity via ISA proxy server

ivanbarkic
Level 1
Level 1

‎11-21-2014 01:49 AM - edited ‎03-05-2019 12:12 AM

Hi,


I'm trying to implement IP SLA on router which should check internet connectivity via ISA server, which is proxy. I tried this two configurations:

!
ip sla 10
 http raw http://www.cisco.com source-ip 192.168.5.1 version 1.1 proxy http://192.168.255.2:8080
 http-raw-request
  GET /HTTP/1.0\r\n
  \r\n
  end
  exit
ip sla schedule 10 life forever start-time now
!


ip sla 10
 http raw http://www.cisco.com source-ip 192.168.5.1 proxy http://192.168.255.2:8080
 http-raw-request
  GET /en/US/hmpgs/index.htmlHTTP/1.0\r\n
  \r\n
  end
  exit
ip sla schedule 10 life forever start-time now

 

Both SLAs are succesful, but with Wireshark I can see that HTTP get request reaches ISA server, but no return traffic from the cisco.com is recieved on the WAN interface of the ISA server. Wireshark says for incoming GET packet "400 Bad Request. The data is invalid."

It looks like the ISA drops the connection. It seems ISA sees received HTTP GET coming not from the browser so it is not "real" http traffic.

How can I achive that HTTP GET request pass through the ISA and reach cisco.com web server. It doesn't have to be cisco.com. It can be any web site which is UP and running 24/7.

Thanks.

Labels:
Preview file
125 KB
Preview file
118 KB
0 Helpful
3 Replies 3

Vasilii Mikhailovskii
Level 7
Level 7

‎11-21-2014 06:24 AM

Hello.

I'm not sure if the GET request is correct.

Per http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipsla/configuration/15-mt/sla-15-mt-book/sla_http.html#GUID-61F9093A-B6BF-43E2-B6EB-9B0B7D72AFBE

you need:

http raw url http://192.168.255.2:8080
 http-raw-request
 GET http://www.cico.com HTTP/1.0\r\n
 \r\n
 end
0 Helpful

ivanbarkic
Level 1
Level 1
In response to Vasilii Mikhailovskii

‎11-21-2014 06:31 AM

Hi,

I've just done the version that works. The problem was also the fact that only authenticated users could pass ISA to reach certain web site. After adding access rule which allows unauthenticated users just for this SLA purpose I get working scenario just using this:

ip sla 10
 http get http://www.cisco.com source-ip 192.168.5.1 name-server 192.168.255.2 proxy http://192.168.255.2:8080
 timeout 2000
ip sla schedule 10 life forever start-time now

 

What seems to be a difference between this approach and using raw GET?

 

Regards

0 Helpful

TCAM
Level 1
Level 1
In response to ivanbarkic

‎10-08-2023 12:07 PM

Sorry to bring this back.  I used OP configs, it seems working but instead of getting status code "OK", i got "Http Error" as shown below.  I track ipsla to take an action, so status code needs to be OK.  Not sure how to resolve it, can someone shed some light on this?

ip sla 8
http get http://www.cisco.com source-ip x.x.x.x name-server y.y.y.y proxy http://my.proxy:8080
ip sla schedule 8 life forever start-time now
!

Pcap reveals that http error code = 301 signals a permanent redirect from one URL to another.

IPSLA operation id: 8
Latest RTT: 41 milliseconds
Latest operation start time: 14:59:07 EDT Sun Oct 8 2023
Latest operation return code: Http Error   <<<<<<< it is not OK
Latest DNS RTT: 6 ms
Latest TCP Connection RTT: 1 ms
Latest HTTP Transaction RTT: 34 ms
Number of successes: 0
Number of failures: 1
Operation time to live: Forever

Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card