Working in Network Security for a service provider, we are often asked to monitor connections for which we have no administrative access. Examples of this are leased-line connections like MPLS circuits, but could also be extended to VPN tunnels. This article describes how to use an SLA monitor on a Cisco ASA in combination with syslog messaging to provide a "push" notification that an event has occurred that has caused the SLA monitor to fail or recover.
In this example, let's presume a simple topology where the ASA has an INSIDE and a DMZ segment. There is an MPLS circuit attached to the INSIDE VLAN. The steps are:
1. Configure an SLA monitor that sources from the ASA on the INSIDE interface and ping-monitors the host at 192.168.10.45, which is on the remote end of the MPLS circuit.
2. Configure a "fake" static route that utilizes the SLA monitor.
3. Identify the syslog messages generated by SLA failure or recovery events.
Refer to the above topology for the following configuration
sla monitor 10
 type echo protocol ipIcmpEcho 192.168.10.45 interface inside
sla monitor schedule 10 life forever start-time now
track 1 rtr 10 reachability
! Bogus route to track ensures syslog message 622001 is generated.
! Host route to the APIPA address; the 255.255.255.255 mask is assumed from the single tracked host
! (the mask field in the syslog samples below was mangled during extraction).
route inside 169.254.0.125 255.255.255.255 192.168.10.45 1 track 1

Note that we are using APIPA address space (169.254.0.0/16, RFC 3330) to avoid creating any static route that could interfere with local or remote networks.
The syslog server will need to filter on the following syslog messages. A syslog collector such as Kiwi or a more sophisticated system like Zenoss or Splunk can filter on these messages and trigger actions such as sending emails, sending text messages, or generating tickets, etc. In addition to the syslog collector, one could also configure an EEM action on the ASA responding to these syslog messages/events. The configuration provided will generate syslog message 622001 for both the failure and recovery events.
Syslog message, host DOWN (tracked route withdrawn):

Mar 15 2018 17:46:08 FW-ASA: %ASA-6-622001: Removing tracked route 169.254.0.125 255.255.255.255 192.168.10.45, distance 1, table Default-IP-Routing-Table, on interface inside

Syslog message, host UP (tracked route reinstalled):

Mar 15 2018 17:43:33 FW-ASA: %ASA-6-622001: Adding tracked route 169.254.0.125 255.255.255.255 192.168.10.45, distance 1, table Default-IP-Routing-Table, on interface inside
While this kind of configuration is not what SLA monitors were designed for, we can leverage this functionality together with a bogus static route to create a syslog event through which reachability changes are pushed to us. This is often useful when dealing with a 3rd-party provider whose monitoring tools or telemetry for the leased line we cannot access, or where traditional monitoring methods like SNMP are not available.
One could set up a number of monitors for multiple circuits, associate a distinct APIPA static-route address with each leased line, and then, using the syslog filtering action features, create custom alerts that contain the circuit ID, common name, contact phone numbers, and other useful information.
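The filtering the syslog collector performs on message 622001, and the enriched per-circuit alert described above, can be prototyped in a few lines. The following Python is an added example, not code from the original article: it parses the 622001 message format shown above, maps the APIPA network in the withdrawn or reinstalled route back to a circuit record, suppresses repeated messages that do not change a circuit's state, and renders the alert text. The circuit inventory (its circuit ID, name and phone number), the sample log lines and the 255.255.255.255 mask on the tracked host route are constructed for the demonstration.

```python
"""Turn Cisco ASA 622001 tracked-route syslog messages into circuit UP/DOWN alerts."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Message 622001 as it appears in the article's samples:
#   <ts> <host>: %ASA-6-622001: Adding|Removing tracked route <net> <mask> <gw>,
#   distance <d>, table <table>, on interface <ifname>
# The timestamp/hostname prefix is optional so relayed lines without it still parse.
IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
MSG_622001 = re.compile(
    r"(?:(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{4}\s+\d{2}:\d{2}:\d{2})\s+(?P<host>\S+):\s+)?"
    r"%ASA-\d-622001:\s+(?P<action>Adding|Removing)\s+tracked\s+route\s+"
    rf"(?P<network>{IPV4})\s+(?P<mask>{IPV4})\s+(?P<gateway>{IPV4}),\s+"
    r"distance\s+(?P<distance>\d+),\s+table\s+(?P<table>\S+),\s+"
    r"on\s+interface\s+(?P<interface>\S+)"
)

# Constructed circuit inventory (hypothetical values): the APIPA host used in each
# bogus tracked route identifies the leased line it stands for.
CIRCUITS: Dict[str, Dict[str, str]] = {
    "169.254.0.125": {
        "circuit_id": "EXAMPLE-MPLS-0001",
        "name": "Branch A MPLS (inside)",
        "noc_phone": "+1-555-0100",
    },
}


@dataclass
class TrackedRouteEvent:
    timestamp: Optional[str]
    host: Optional[str]
    state: str  # "DOWN" when the route is removed, "UP" when it is added back
    network: str
    mask: str
    gateway: str
    interface: str
    circuit: Optional[Dict[str, str]]


def parse_622001(line: str) -> Optional[TrackedRouteEvent]:
    """Return a TrackedRouteEvent for a 622001 line, or None for any other line."""
    m = MSG_622001.search(line)
    if not m:
        return None
    state = "DOWN" if m.group("action") == "Removing" else "UP"
    return TrackedRouteEvent(
        timestamp=m.group("ts"),
        host=m.group("host"),
        state=state,
        network=m.group("network"),
        mask=m.group("mask"),
        gateway=m.group("gateway"),
        interface=m.group("interface"),
        circuit=CIRCUITS.get(m.group("network")),
    )


def format_alert(ev: TrackedRouteEvent) -> str:
    """Render the custom alert text the article suggests (circuit ID, name, contact)."""
    who = ev.circuit or {}
    return (
        f"[{ev.state}] {who.get('name', 'unknown circuit')} "
        f"(circuit {who.get('circuit_id', 'n/a')}, NOC {who.get('noc_phone', 'n/a')}) "
        f"via {ev.gateway} on {ev.host or 'asa'}:{ev.interface} "
        f"at {ev.timestamp or 'unknown time'}"
    )


def process_log(lines: List[str]) -> List[TrackedRouteEvent]:
    """Filter syslog lines down to tracked-route events, dropping repeats that do
    not change a circuit's state (e.g. a message forwarded twice by a relay)."""
    events: List[TrackedRouteEvent] = []
    last_state: Dict[str, str] = {}
    for line in lines:
        ev = parse_622001(line)
        if ev is None or last_state.get(ev.network) == ev.state:
            continue
        last_state[ev.network] = ev.state
        events.append(ev)
    return events


# Constructed sample input: the article's DOWN message, a duplicate of it that must be
# suppressed, an unrelated connection message, and a later constructed UP message.
SAMPLE_LOG = [
    "Mar 15 2018 17:40:01 FW-ASA: %ASA-6-302013: Built outbound TCP connection ...",
    "Mar 15 2018 17:46:08 FW-ASA: %ASA-6-622001: Removing tracked route 169.254.0.125 "
    "255.255.255.255 192.168.10.45, distance 1, table Default-IP-Routing-Table, on interface inside",
    "Mar 15 2018 17:46:09 FW-ASA: %ASA-6-622001: Removing tracked route 169.254.0.125 "
    "255.255.255.255 192.168.10.45, distance 1, table Default-IP-Routing-Table, on interface inside",
    "Mar 15 2018 17:52:10 FW-ASA: %ASA-6-622001: Adding tracked route 169.254.0.125 "
    "255.255.255.255 192.168.10.45, distance 1, table Default-IP-Routing-Table, on interface inside",
]

if __name__ == "__main__":
    for event in process_log(SAMPLE_LOG):
        print(format_alert(event))
```

Two things to check before relying on this in a collector: message 622001 is emitted at severity 6 (informational), so the ASA's `logging trap` level must include informational messages or the collector never sees it (alternatively, `logging message 622001 level` can raise just this message's severity so the trap level can stay stricter); and a single failed ping is enough to withdraw the route, so the SLA monitor's frequency, timeout and threshold settings decide how flappy these alerts are.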