IP SLA on ASA firewalls

Posted: July 9, 2014 in Cisco Security - Firewalls

ASA configuration commands (ICMP echo probe, track object, and a default route that is withdrawn when the track goes down):

ASA03-5510(config)# sla monitor 20
ASA03-5510(config-sla-monitor)# type echo protocol ipIcmpEcho 8.8.8.8 interface outside
ASA03-5510(config-sla-monitor-echo)# frequency 3
ASA03-5510(config-sla-monitor-echo)# request-data-size 1392
ASA03-5510(config-sla-monitor-echo)# num-packets 3
ASA03-5510(config-sla-monitor-echo)# timeout 1000
ASA03-5510(config)# sla monitor schedule 20 life forever start-time now
ASA03-5510(config)# track 1 rtr 20 reachability
ASA03-5510(config)# route outside 0.0.0.0 0.0.0.0 10.99.99.2 1 track 1
ASA03-5510(config)# route outside-backup 0.0.0.0 0.0.0.0 10.88.99.2 20
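The same command set, generated and sanity-checked in Python. This is an added example and not part of the original post: it emits exactly the lines above from the post's values, and `validate()` encodes the mistakes that silently break this design (backup route not worse than the tracked one, probe leaving via the wrong interface, a timeout longer than the frequency, an uplink with no NAT rule, probing only the next hop). The `Uplink`/`SlaParams` helpers are this example's own, not an ASA API.

```python
"""Generate the ASA IP SLA / tracked-route configuration and sanity-check it.

Added example, not from the original post. The commands it emits are the ones
shown in the post and the values come from the post; the Uplink/SlaParams
helpers and the checks in validate() are this example's own.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Uplink:
    nameif: str     # ASA interface name (nameif)
    gateway: str    # next hop for the default route on that interface
    metric: int     # administrative distance of the static default route


@dataclass(frozen=True)
class SlaParams:
    sla_id: int             # sla monitor <id>; arbitrary, only identifies the operation
    track_id: int           # track <id> rtr <sla_id> reachability
    target: str             # address the echo probe is sent to
    interface: str          # interface the probe leaves on
    frequency: int = 3      # seconds between probe operations
    timeout_ms: int = 1000  # how long to wait for a reply before the operation times out
    num_packets: int = 3    # echo requests sent per operation
    request_size: int = 1392


def validate(primary: Uplink, backup: Uplink, sla: SlaParams, nat_ifaces: frozenset[str]) -> list[str]:
    """Return the design problems found; an empty list means the failover design is coherent."""
    problems = []
    if backup.metric <= primary.metric:
        problems.append("backup route metric must be higher than the tracked primary route, "
                        "or it wins while the primary is still up")
    if sla.interface != primary.nameif:
        problems.append("probe must leave via the primary interface; otherwise it measures the wrong link")
    if sla.timeout_ms > sla.frequency * 1000:
        problems.append("timeout exceeds frequency; a new operation would start before the previous "
                        "one can time out")
    for uplink in (primary, backup):
        if uplink.nameif not in nat_ifaces:
            problems.append(f"no NAT rule for {uplink.nameif}; inside hosts lose connectivity "
                            f"when traffic fails over to it")
    if sla.target in (primary.gateway, backup.gateway):
        problems.append("probing the next hop only proves the first hop is up, not that the ISP path works")
    return problems


def render(primary: Uplink, backup: Uplink, sla: SlaParams) -> list[str]:
    """Emit the configuration lines in the order the post enters them."""
    return [
        f"sla monitor {sla.sla_id}",
        f" type echo protocol ipIcmpEcho {sla.target} interface {sla.interface}",
        f" frequency {sla.frequency}",
        f" request-data-size {sla.request_size}",
        f" num-packets {sla.num_packets}",
        f" timeout {sla.timeout_ms}",
        f"sla monitor schedule {sla.sla_id} life forever start-time now",
        f"track {sla.track_id} rtr {sla.sla_id} reachability",
        f"route {primary.nameif} 0.0.0.0 0.0.0.0 {primary.gateway} {primary.metric} track {sla.track_id}",
        f"route {backup.nameif} 0.0.0.0 0.0.0.0 {backup.gateway} {backup.metric}",
    ]


# Values from the post.
PRIMARY = Uplink("outside", "10.99.99.2", 1)
BACKUP = Uplink("outside-backup", "10.88.99.2", 20)
SLA = SlaParams(sla_id=20, track_id=1, target="8.8.8.8", interface="outside")
# Interfaces that have a "nat (inside,<iface>) source dynamic ..." rule in the post's config.
NAT_IFACES = frozenset({"outside", "outside-backup"})

if __name__ == "__main__":
    for problem in validate(PRIMARY, BACKUP, SLA, NAT_IFACES):
        print("PROBLEM:", problem)
    print("\n".join(render(PRIMARY, BACKUP, SLA)))
```

The NAT check is the one most often missed: the tracked route moves traffic to `outside-backup`, but without the second `nat (inside,outside-backup)` rule the inside hosts leave with untranslated private addresses and the "failover" looks like a total outage.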


# sh sla monitor configuration   !-- this and the next output were captured from an entry numbered 110; the parameters are those of sla monitor 20 above
SA Agent, Infrastructure Engine-II
Entry number: 110
Owner:
Tag:
Type of operation to perform: echo
Target address: 8.8.8.8
Interface: outside
Number of packets: 3
Request size (ARR data portion): 1392
Operation timeout (milliseconds): 1000
Type Of Service parameters: 0x0
Verify data: No
Operation frequency (seconds): 3
Next Scheduled Start Time: Start Time already passed
Group Scheduled : FALSE
Life (seconds): Forever
Entry Ageout (seconds): never
Recurring (Starting Everyday): FALSE
Status of entry (SNMP RowStatus): Active
Enhanced History:

# sh sla monitor operational-state
Entry number: 110
Modification time: 06:56:46.879 UTC Tue Aug 5 2014
Number of Octets Used by this Entry: 2056
Number of operations attempted: 22
Number of operations skipped: 0
Current seconds left in Life: Forever
Operational state of entry: Active
Last time this entry was reset: Never
Connection loss occurred: FALSE
Timeout occurred: FALSE
Over thresholds occurred: FALSE
Latest RTT (milliseconds): 10
Latest operation start time: 06:57:49.881 UTC Tue Aug 5 2014
Latest operation return code: OK
RTT Values:
RTTAvg: 10      RTTMin: 10      RTTMax: 10
NumOfRTT: 3     RTTSum: 30      RTTSum2: 300


!-- Useful while testing: watch the echo probes leave and come back, and watch the track object change state. Turn debugging off ("un all" = undebug all) when done.
ASA2# debug icmp trace
ASA2# debug track
ASA2# un all


ASA03-5510# sh ip address
System IP Addresses:
Interface     Name            IP address   Subnet mask     Method
Ethernet0/0   outside         10.99.99.1   255.255.255.0   manual
Ethernet0/1   outside-backup  10.88.99.1   255.255.255.0   manual
Ethernet0/2   inside          1.1.1.10     255.255.255.0   manual

!-- Before the test: the track object is Up and the tracked default route via outside is installed.

ASA03-5510# sh track
Track 1
Response Time Reporter 20 reachability
Reachability is Up
11 changes, last change 00:05:34
Latest operation return code: OK
Latest RTT (millisecs) 1
Tracked by:
STATIC-IP-ROUTING 0

!-- Shut down the main ISP interface (outside). Once the echo probes to 8.8.8.8 time out the track
!-- goes Down (change counter 11 -> 12) and the tracked route is withdrawn; the route table and
!-- traceroute below show traffic leaving via the backup link (outside-backup).

ASA03-5510# sh track
Track 1
Response Time Reporter 20 reachability
Reachability is Down
12 changes, last change 00:00:10
Latest operation return code: Timeout
Tracked by:
STATIC-IP-ROUTING 0

ASA03-5510# sh route

C    1.1.1.0 255.255.255.0 is directly connected, inside
C    10.99.99.0 255.255.255.0 is directly connected, outside
C    10.88.99.0 255.255.255.0 is directly connected, outside-backup
S*   0.0.0.0 0.0.0.0 [20/0] via 10.88.99.2, outside-backup

ASA03-5510# traceroute 10.77.99.3

Type escape sequence to abort.
Tracing the route to 10.77.99.3

 1  10.88.99.2 0 msec 0 msec 0 msec   !-- via outside-backup
 2  10.77.99.3 0 msec *  0 msec

!-- The main ISP interface was brought back up. The track stays Down until the next probe succeeds
!-- (first output below), then flips to Up (change counter 12 -> 13) and the tracked route is reinstated.

ASA03-5510# sh track
Track 1
Response Time Reporter 20 reachability
Reachability is Down
12 changes, last change 00:01:23
Latest operation return code: Timeout
Tracked by:
STATIC-IP-ROUTING 0
ASA03-5510#

ASA03-5510# sh track
Track 1
Response Time Reporter 20 reachability
Reachability is Up
13 changes, last change 00:00:02
Latest operation return code: OK
Latest RTT (millisecs) 1
Tracked by:
STATIC-IP-ROUTING 0
ASA03-5510#

!-- Traceroute shows that traffic goes via the main ISP again; the tracked route was reinstated automatically.
ASA03-5510# traceroute 10.77.99.3
Type escape sequence to abort.
Tracing the route to 10.77.99.3

 1  10.99.99.2 0 msec 0 msec 0 msec   !-- via outside
 2  10.77.99.3 0 msec *  0 msec

ASA03-5510# sh run route   !-- only the two SLA-related default routes are in the configuration; the ASA installs or withdraws the tracked one by itself

route outside 0.0.0.0 0.0.0.0 10.99.99.2 1 track 1
route outside-backup 0.0.0.0 0.0.0.0 10.88.99.2 20

ASA03-5510# sh route

C    1.1.1.0 255.255.255.0 is directly connected, inside
C    10.99.99.0 255.255.255.0 is directly connected, outside
C    10.88.99.0 255.255.255.0 is directly connected, outside-backup
S*   0.0.0.0 0.0.0.0 [1/0] via 10.99.99.2, outside
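The state transitions walked through above are exactly what a monitoring job should be polling for. The following is an added example, not code from the original post: it parses the `show track` and `show route` outputs shown above (the sample strings are copied from the post), raises failover / restore / flapping events between two polls, and cross-checks that the installed default route agrees with the track state. The event names, the flap threshold and the `poll_s` argument are this example's own choices.

```python
"""Turn ASA 'show track' and 'show route' output into failover events.

Added example, not part of the original post. The sample outputs below are
copied from the post; the parser, the event logic and the interface names
passed to check_consistency() are this example's own.
"""
from __future__ import annotations

import re
from typing import NamedTuple, Optional


class TrackState(NamedTuple):
    track: int
    sla: int
    up: bool
    changes: int
    last_change_s: int   # seconds since the last state change
    return_code: str     # e.g. OK, Timeout


class DefaultRoute(NamedTuple):
    distance: int
    via: str
    iface: str


def parse_show_track(text: str) -> TrackState:
    """Extract the fields of one 'show track' entry; raise if a field is missing."""
    def grab(pattern: str) -> str:
        m = re.search(pattern, text, re.M)
        if not m:
            raise ValueError(f"field not found: {pattern}")
        return m.group(1)

    h, m, s = grab(r"last change (\d+:\d+:\d+)").split(":")
    return TrackState(
        track=int(grab(r"^Track (\d+)")),
        sla=int(grab(r"Response Time Reporter (\d+) reachability")),
        up=grab(r"Reachability is (Up|Down)") == "Up",
        changes=int(grab(r"(\d+) changes,")),
        last_change_s=int(h) * 3600 + int(m) * 60 + int(s),
        return_code=grab(r"Latest operation return code: (\w+)"),
    )


def parse_default_route(text: str) -> Optional[DefaultRoute]:
    """Find the installed static default route (S*) in 'show route' output."""
    m = re.search(r"^S\*\s+0\.0\.0\.0 0\.0\.0\.0 \[(\d+)/\d+\] via (\S+), (\S+)", text, re.M)
    return DefaultRoute(int(m.group(1)), m.group(2), m.group(3)) if m else None


def events(prev: TrackState, cur: TrackState, poll_s: int) -> list[str]:
    """Events between two polls of the same track object."""
    out = []
    if prev.up and not cur.up:
        out.append(f"FAILOVER track {cur.track}: SLA {cur.sla} returned {cur.return_code}")
    elif not prev.up and cur.up:
        out.append(f"RESTORED track {cur.track}: primary route reinstated")
    # One Up->Down->Up cycle is two changes; more than that inside one poll means the
    # primary is bouncing and the default route is being rewritten again and again.
    delta = cur.changes - prev.changes
    if delta > 2 and cur.last_change_s <= poll_s:
        out.append(f"FLAPPING track {cur.track}: {delta} changes in {poll_s}s")
    return out


def check_consistency(track: TrackState, route: Optional[DefaultRoute],
                      primary: str, backup: str) -> Optional[str]:
    """Track state and installed route must agree; a mismatch means the route is not
    bound to the track (or someone edited routes by hand). Returns None when consistent."""
    if route is None:
        return "no default route installed"
    expected = primary if track.up else backup
    if route.iface != expected:
        state = "Up" if track.up else "Down"
        return f"track is {state} but default route is via {route.iface}, expected {expected}"
    return None


# Sample outputs copied from the post.
SHOW_TRACK_UP = """Track 1
Response Time Reporter 20 reachability
Reachability is Up
11 changes, last change 00:05:34
Latest operation return code: OK
Latest RTT (millisecs) 1
Tracked by:
STATIC-IP-ROUTING 0
"""
SHOW_TRACK_DOWN = """Track 1
Response Time Reporter 20 reachability
Reachability is Down
12 changes, last change 00:00:10
Latest operation return code: Timeout
Tracked by:
STATIC-IP-ROUTING 0
"""
SHOW_ROUTE_BACKUP = "S*   0.0.0.0 0.0.0.0 [20/0] via 10.88.99.2, outside-backup\n"
SHOW_ROUTE_PRIMARY = "S*   0.0.0.0 0.0.0.0 [1/0] via 10.99.99.2, outside\n"

if __name__ == "__main__":
    before, after = parse_show_track(SHOW_TRACK_UP), parse_show_track(SHOW_TRACK_DOWN)
    print(events(before, after, poll_s=60))
    print(check_consistency(after, parse_default_route(SHOW_ROUTE_BACKUP), "outside", "outside-backup"))
```

Feed it the two outputs from successive polls (for example over SSH with the usual transport library of your choice) and alert on any non-empty event list or non-None consistency result; the consistency check is what catches the quiet failure where the track flips but the route stays put.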


!-- SLA-related configuration (this excerpt was taken with frequency 5 and the remaining probe parameters at their defaults; the walkthrough above used frequency 3):

ASA Version 8.4(3)
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 10.99.99.1 255.255.255.0
!
interface Ethernet0/1
nameif outside-backup
security-level 0
ip address 10.88.99.1 255.255.255.0
!
interface Ethernet0/2
nameif inside
security-level 100
ip address 1.1.1.10 255.255.255.0
!

object network inside-host
subnet 1.1.1.0 255.255.255.0

nat (inside,outside) source dynamic inside-host interface
nat (inside,outside-backup) source dynamic inside-host interface
route outside 0.0.0.0 0.0.0.0 10.99.99.2 1 track 1
route outside-backup 0.0.0.0 0.0.0.0 10.88.99.2 20

sla monitor 20
 type echo protocol ipIcmpEcho 8.8.8.8 interface outside
 frequency 5
sla monitor schedule 20 life forever start-time now
!
track 1 rtr 20 reachability

Comments
  1. Allen says:

    Hi, I have a question: can you please elaborate on the parameters (timeout, frequency, num-packets, more)? Like for num-packets, after how many failed packets does the ASA fail over to backup? E.g. num-packets: 3, does this mean all 3 packets need to drop, or is 1 packet drop enough for failover? As an example, num-packets: 3, timeout: 1000 msec and frequency: 10 sec. Does this mean the ASA will fail over after 3 packet drops, and after 10 sec (frequency) tries again? And for timeout: 1000 msec, does the ASA wait 1000 msec for a response, and if it doesn't receive a response in 1000 msec, failover occurs? What's the relationship between these parameters? How does failover occur in detail?

    Thanks in advance,
    Allen

    • Here is a short explanation; hope it makes the config much clearer.

      frequency 3 = This is the repeat rate for the SLA
      timeout 1000 = This is how long to wait for a response from the ping
      sla monitor schedule 20 life forever start-time now = This command says "start SLA now and keep it running forever"
      sla monitor 20 = The number 20 here is arbitrary, used only to identify this SLA. It is otherwise known as the operation number
      icmp-echo 8.8.8.8 = 8.8.8.8 is a DNS server that responds to pings out on the internet via the outside interface.
      track 1 rtr 20 reachability = This command creates the track object "1" and monitors SLA 20
      route outside 0.0.0.0 0.0.0.0 10.99.99.2 1 track 1 = default route, primary route to the default gateway 10.99.99.2
      route outside-backup 0.0.0.0 0.0.0.0 10.88.99.2 20 = this is the secondary route; set this route with a higher metric than the tracked route
      Now, when the ping to 8.8.8.8 fails the primary route is removed and the secondary route with the higher metric becomes the default.
      The default, first route will be reinstated when the connectivity is restored.

      • Rio says:

        Maka, I have the same question as Allen. Let me reword it. Does the ASA send 3 packets at once (num-packets 3) and wait up to 1000 msec for each packet for a reply, correct? And if one or two come back within the 1000 msec timeout, the SLA status is still up (track = up). If all three packets never come back within the timeout window, SLA status is down, correct?

        So all three echo requests need to fail for the ASA to consider a failure, right?

  2. Good response in return of this query with firm arguments and describing the whole thing about that.
