Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
332
Views
0
Helpful
2
Replies

Asa sla packet drop

cisco8887
Level 2
Level 2

‎10-08-2015 11:18 PM

hi

 

i am trying to keep a vpn tunnel up and avoid timout using ip sla

 

i have configured it so it pings a specific destination on remote subnet which is a private ip of remote subnet

 

This is setup so it pings from inside asa interface to the remote private subnet

 

this however does not work and when doing icmp trace i cannot see any packet flows. Is it because it has to pass from inside to outside and that is blocked by asas?

 

i mean inside interface needing to pass a packet to outside interface?

 

this works when i issue a ping inside "remote subnet" but not using ip sla

 

i cannot see the crypto packet encryption or decryption count increasing

Labels:
0 Helpful
2 Replies 2

cisco8887
Level 2
Level 2

‎10-09-2015 01:14 AM

or to better describe the sitatution look at below

 

One of our customers has multiple remote sites connected in a full mesh of Site-to-Site VPN tunnels on their ASA 5505s. For the purpose of this issue, we only care about one tunnel.

Each site has Avaya IP phones. The issue we have is that after a period of 24+ hours, the tunnel becomes "stale", and the IP phones cannot call users at other remote sites. If we manually log into the ASA and ping across the tunnel, it comes back up and the phones work great. We messed with the timeout and keepalive settings on the tunnel and it did not change anything.

So, an easy fix in my mind is to set up an SLA on each ASA to ping its peer across the tunnel every so often. We have this configured (see here) but it is not working. I enabled sla and track debug on the ASA doing the SLA and got no output. I have ICMP debug running on the peer ASA and I get no output from there either (I have terminal monitor on both as well).

It seems like the SLA just isn't turned on. However if I do a show sla monitor operational state, it says "Number of operations attempted: 90, Number of operations skipped: 89". Tried googling this and couldn't find anything.

I'm kind of at a loss here, so any help would be appreciated. Let me know if you need any further config, show, or debug output. Thanks!

0 Helpful

cisco8887
Level 2
Level 2
In response to cisco8887

‎10-13-2015 08:03 AM

any ones of the network experts?

0 Helpful
Customers Also Viewed These Support Documents