IPSLA Return Code is Ok When line protocol is down

abhidev
Level 1

Hi All,

I am seeing an issue where IP SLA (http-raw-request) returns Return Code: OK even when Tunnel2030 is up but its line protocol is down. My expectation is that IP SLA should fail when the line protocol is down.

Am I missing anything here, or is there a misconfiguration? Does IP SLA fail when a system is down but its IP is still pingable? Please advise ASAP.

Device: Cisco 881

5 Replies

Hi,

Please provide more information. Post your configuration related with IP SLA to start with.

HTH,
Meheretab

Hi @Meheretab Mengistu,

My main question is about the way IP SLA works. The issue here is that the services on the other end are not running, so the line protocol is down (which is correct), but would IP SLA pass when the IP address is reachable but the services are not running? (My expectation is that it should fail.)

Here is the config for your info:

zs2#show ip interface brief | inc (Tun.*down*)
Tunnel740                  10.65.65.XYZ    YES TFTP   up                    down

crypto isakmp peer address 104.129.204.XX
set aggressive-mode password XXXXXXX
set aggressive-mode client-endpoint user-fqdn vpnmon@ipsecmon.com
!
interface Tunnel770
ip unnumbered FastEthernet4
ip mtu 1400
ip tcp adjust-mss 1300
tunnel source FastEthernet4
tunnel mode ipsec ipv4
tunnel destination 104.129.XXX.XX
tunnel protection ipsec profile VTI
!
set ip next-hop verify-availability 104.129.XXX.XX 63 track 63

ip route 104.129.XXX.YY 255.255.255.255 Tunnel770 permanent

zs2#show ip sla statistics 63
IPSLAs Latest Operation Statistics

IPSLA operation id: 63
       Latest RTT: 157 milliseconds
Latest operation start time: 18:24:57 UTC Sun Nov 12 2017
Latest operation return code: OK
Latest DNS RTT: 0 ms
Latest TCP Connection RTT: 82 ms
Latest HTTP Transaction RTT: 75 ms
Number of successes: 56
Number of failures: 0
Operation time to live: Forever

Hello,

Post the full configuration; we cannot see what your SLA looks like...

Hi @Georg Pauwen

Here is the sample config I have followed:

ip dhcp excluded-address 172.17.0.128
!
ip dhcp pool ccp-pool
import all
network 172.17.0.0 255.255.255.0
dns-server 10.65.12.120
default-router 172.17.0.128
lease 0 2
!
!

track 1 ip sla 1
!
track 2 ip sla 2
!
!
crypto isakmp policy 1
encr aes
authentication pre-share
group 2
lifetime 240
crypto isakmp keepalive 10 periodic
crypto isakmp nat keepalive 20
!
crypto isakmp peer address 10.65.25.3 <RunTime Config>
set aggressive-mode password admin
set aggressive-mode client-endpoint user-fqdn new@zvpn.net <Cloudlevel config>
!
crypto isakmp peer address 10.65.25.9 <RunTime Config>
set aggressive-mode password admin
set aggressive-mode client-endpoint user-fqdn new@zvpn.net <Cloudlevel config>
!
crypto ipsec transform-set myset esp-null esp-sha-hmac
crypto ipsec fragmentation after-encryption
!
crypto ipsec profile VTI
set security-association lifetime seconds 120
set transform-set myset
!
!
!
!
interface Tunnel200
ip unnumbered FastEthernet4
ip mtu 1400
ip tcp adjust-mss 1300
tunnel source FastEthernet4
tunnel mode ipsec ipv4
tunnel destination 10.65.25.3 <RunTime Config>
tunnel protection ipsec profile VTI
!
interface Tunnel300
ip unnumbered FastEthernet4
ip mtu 1400
ip tcp adjust-mss 1300
tunnel source FastEthernet4
tunnel mode ipsec ipv4
tunnel destination 10.65.25.9 <RunTime Config>
tunnel protection ipsec profile VTI


******Static config*****
!
interface FastEthernet0
switchport access vlan 2
!
interface FastEthernet1
switchport access vlan 2
!
interface FastEthernet4
description $ES_WAN$
ip address dhcp
ip access-group 100 in
ip access-group 100 out
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
interface Vlan1
no ip address
!
interface Vlan2
ip address 172.17.0.128 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
ip policy route-map-tunnel
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip nat inside source list 120 interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 10.96.19.254
*******Static**********


ip route 10.65.25.11<RunTime Config> 255.255.255.255 Tunnel200 permanent
ip route 10.65.25.11<RunTime Config> 255.255.255.255 Tunnel300 permanent
!
ip sla 1
http raw http://199.168.XX.XX:443<RunTime Config>
http-raw-request
GET http://gateway.beta.net/vpntest HTTP/1.0\r\n <Cloudlevel config>
User-Agent: Cisco IP SLA\r\n
end\r\n
\r\n
exit
threshold 300
timeout 5000
ip sla schedule 1 life forever start-time now
ip sla 2
http raw http://199.168.XX.XX:443<RunTime Config>
http-raw-request
GET http://gateway.beta.net/vpntest HTTP/1.0\r\n <Cloudlevel config>
User-Agent: Cisco IP SLA\r\n
end\r\n
\r\n
exit
threshold 300
timeout 5000
ip sla schedule 2 life forever start-time now
ip sla reaction-configuration 1 react rtt threshold-value 300 1 threshold-type consecutive 3
ip sla reaction-configuration 2 react rtt threshold-value 300 1 threshold-type consecutive 3
***********
access-list 100 permit ip any any
!
!
!
!
route-map-tunnel permit 10
match ip address 100
set ip next-hop verify-availability 10.65.25.9<RunTime Config> 1 track 1
set ip next-hop verify-availability 10.65.25.3<RunTime Config> 2 track 2
set interface Tunnel200 Tunnel300
!

Hello,

The SLA monitors the HTTPS response from http://199.168.XX.XX:443. As long as that address is reachable and responds, it will report back as OK. Looking at your configuration, it appears that you are only sending traffic for host 10.65.25.11 through the tunnels; the rest (which includes the IP address you are monitoring) goes out FastEthernet4. So your probe would only fail if FastEthernet4 goes down.

That said, is this the full configuration? I don't see an access list 120 (the one you reference in your inside source NAT statement)...
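One way to make the tracked object reflect the tunnel state as well as the HTTP check, as an added example that is not configuration from the thread or from Cisco documentation: keep the poster's `ip sla 1` / `ip sla 2` probes, add an interface line-protocol track per VTI, and AND the two in a boolean track list, so the policy-route next-hop is only treated as available when the tunnel is up and the probe succeeds. Tunnel names, SLA ids, track 1/2, access-list 100 and the masked next-hop addresses come from the thread; track ids 11 to 14, the delay values and the route-map name `tunnel` are assumptions made for this example.

```cisco
! Added example, not from the thread. Track ids 11-14, the delay values and
! the route-map name "tunnel" are assumed; everything else mirrors the poster's
! config.
!
! Line-protocol tracks: these go down as soon as the VTI loses its IPsec SA,
! regardless of whether 199.168.XX.XX still answers over FastEthernet4.
track 11 interface Tunnel300 line-protocol
track 12 interface Tunnel200 line-protocol
!
! Existing probe tracks from the thread, kept as the service-level check.
track 1 ip sla 1
track 2 ip sla 2
!
! Boolean AND lists: "Up" only when the tunnel line protocol is up AND the
! HTTP probe is OK. The delay dampens flaps so one missed probe does not
! toggle the policy route.
track 13 list boolean and
 object 11
 object 1
 delay down 5 up 20
track 14 list boolean and
 object 12
 object 2
 delay down 5 up 20
!
! Route-map pointed at the combined objects: if a tunnel's list is Down, PBR
! skips that next-hop and falls through to the next sequence / normal routing.
route-map tunnel permit 10
 match ip address 100
 set ip next-hop verify-availability 10.65.25.9 1 track 13
 set ip next-hop verify-availability 10.65.25.3 2 track 14
 set interface Tunnel200 Tunnel300
```

To confirm the behaviour, compare `show track 13` with `show ip sla statistics 1` while the tunnel's line protocol is down: the SLA still reports OK (the probe leaves via the default route on FastEthernet4), but the boolean list shows Down because object 11 is Down. Routing the probe target itself through the tunnel with a /32 route is the other option the reply above implies, but since both SLAs here probe the same address only one tunnel could carry it, so the line-protocol track is the cleaner signal for per-tunnel failover.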