Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Create a new blog
1221
Views
2
Helpful
0
Comments

Monitoring a Leased Circuit with an ASA

aaron.hackney
Level 1
Level 1
‎03-16-2018 06:48 AM

Working in Network Security for a service provider, we are often asked to monitor connections for which we have no administrative access. Examples of this are leased-line connections like MPLS circuits, but could also be extended to VPN tunnels. This article describes how to use an SLA monitor on a Cisco ASA in combination with syslog messaging to provide a "push" notification that an event has occurred that has caused the SLA monitor to fail or recover.


Topology

In this example, let's presume a simple topology where the ASA has a INSIDE and DMZ segment. There is an MPLS circuit attached to the INSIDE VLAN.


diagram.png

Objectives

  • Configure an SLA monitor that sources from the ASA on the INSIDE interface and ping monitors the host at 192.168.10.45, which is on the remote end of the MPLS circuit

  • Configure a "fake" static route that utilizes the SLA monitor

  • Identify the syslog messages generated by SLA failure or recovery events

Configuration

Refer to the above topology for the following configuration

SLA Monitor

sla monitor 10

type echo protocol ipIcmpEcho 192.168.10.45 interface inside

      num-packets 3

      frequency 10

!

sla monitor schedule 10 life forever start-time now

!

track 1 rtr 10 reachability

Static Routes

Note that we are using APIPA address space (169.254.0.0/16 - RFC 3330)  to avoid creating any static route that could interfere with local or remote networks.

! Bogus route to track ensures syslog message 622001 is generated

route inside 169.254.0.1 255.255.255.255 192.168.10.45 track 1

Syslog Messages

The syslog server will need to filter on the following syslog messages. A syslog collector such as Kiwi or a more sophisticated system like Zenoss or Splunk can filter on these messages and trigger actions such as sending emails, sending text messages, or generating tickets, etc. In addition to the syslog collector, one could also configure an EEM action on the ASA responding to these syslog messages/events. The configuration provided will generate syslog message 622001 for both the failure and recovery events.


Syslog Messages Host DOWN

Mar 15 2018 17:46:08 FW-ASA : %ASA-6-622001: Removing tracked route 169.254.0.1 255.255.255.255 192.168.10.45, distance 1, table Default-IP-Routing-Table, on interface inside


Syslog Messages Host UP

Mar 15 2018 17:43:33 FW-ASA : %ASA-6-622001: Adding tracked route 169.254.0.1 255.255.255.255 192.168.10.45, distance 1, table Default-IP-Routing-Table, on interface inside


Summary

While this kind of configuration is not what SLA monitors were designed for, we can leverage this functionality and a bogus static route to create a syslog event for which we can push reachability changes. This is often useful when dealing with a 3rd party provider to which we have no access to the leased line provider's monitoring tools or telemetry, or where traditional monitoring methods like SNMP are not available.

One could set up a number of the monitors for multiple circuits and associate the static route APIPA address with each leased line and then, using the syslog filtering action features, create custom alerts that could contain the circuit ID, common name, contact phone numbers, and other useful information.

Labels:
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Popular Articles
Customers Also Viewed These Support Documents