CISCO ASA - SLA Monitor


Cisco ASA and SLA Monitoring

One problem with static routes is that the appliance, by default, has no way of knowing if the path to
the destination is available unless the interface on the appliance associated with the static route
were to go down.

Static route tracking allows an appliance to detect that a configured static route that is currently in
the routing table is no longer reachable and to use a backup static route that you’ve configured.

ICMP is used by the appliance to test connectivity for the static route currently in the appliance
routing table.

If ICMP echo replies are not received for a preconfigured period from the monitored device
associated with the current static route, the appliance can then remove the associated static route
from its routing table, and use a configured backup static route.

The SLA_ID associates an identification value to the tracking process.

The type command, entered in sla monitor subcommand mode, specifies the protocol to use for the
test, the device whose reachability is tested, and the interface through which the monitored device
is reached. Currently the only protocol supported for testing is ICMP (ipIcmpEcho).

The timeout command specifies the number of milliseconds to wait for the echo reply.

The frequency command specifies the number of echo replies that must be missed before the
tracked static route is considered bad.

The sla monitor schedule command specifies when monitoring should start and for how long.
Normally you want the tracking to start right now and continue forever, but you can change these
values.

The track command associates the SLA_ID for monitoring with the tracking ID specified in the route
command.

So the Cisco ASA firewall can do three basic SLA monitoring tasks. They are:

- Continuously ping the specified IP from the ASA.
- Change routes based on IP ping reachability.
- Alert via syslog or SNMP when the SLA monitor fails.

Continuously ping from the ASA

Suppose we want the ASA to ping 93.184.216.34 every 3 seconds with a 1000 millisecond (1
second) timeout. Here is the configuration for that:

sla monitor 100
 type echo protocol ipIcmpEcho 93.184.216.34 interface OUTSIDE
 timeout 1000
 frequency 3
sla monitor schedule 100 life forever start-time now

In this case our SLA monitor ID is 100 and this will go forever starting now.

Change routes based on IP ping availability

Let’s now build on the sla monitor commands above and add route tracking. First we need to make a
tracking object. We can do that like this:

track 1 rtr 100 reachability

This will create a track ID of 1 and track sla monitor 100 for reachability.

Next we need to add the tracking to a route.

route OUTSIDE 93.184.216.34 255.255.255.255 95.95.95.95 1 track 1

Here we are telling the ASA to use this static route ONLY if the sla monitor pings are successful. If the
monitor starts failing, the route will be removed from the routing table. The 1 track 1 portion of the
command says this route has a weight of 1 and will be in the routing table only while track 1 is up.

We can set a fallback route for the ASA in the event that the sla monitor is failing. We can simply
add a static route with a higher metric like so:

route OUTSIDE 93.184.216.34 255.255.255.255 21.21.21.21 20

With these two routes in place, the one with a weight of 1 will take precedence. Then when the ping
fails it will be removed and the route with a weight of 20 will take over.

Alert via syslog or SNMP when the SLA monitor fails

When you have sla monitor, track, and a route with a track, syslogs will be created when the track
changes state. You must have all of these things configured in order to see the syslogs.

When the track goes down, this is the syslog shown:

%ASA-6-622001: Removing tracked route 93.184.216.34 255.255.255.255 95.95.95.95, distance 1, table default, on interface OUTSIDE

When the track comes back up this is the syslog shown:

%ASA-6-622001: Adding tracked route 93.184.216.34 255.255.255.255 95.95.95.95, distance 1, table default, on interface OUTSIDE
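The 622001 messages above are what a log collector actually sees, so here is an added example (not from the original document) that parses them and summarises how often each tracked route was withdrawn and whether it is currently installed. The sample log lines are constructed; the timestamp and hostname prefix is an assumption about a typical syslog collector format, and the 302013 line is filler noise that should be ignored.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Matches the ASA 622001 message format shown on the page (route added/removed by a track).
ROUTE_TRACK_RE = re.compile(
    r"%ASA-6-622001: (?P<action>Adding|Removing) tracked route "
    r"(?P<network>\S+) (?P<mask>\S+) (?P<gateway>\S+), distance (?P<distance>\d+), "
    r"table (?P<table>\S+), on interface (?P<interface>\S+)"
)

@dataclass
class TrackedRouteEvent:
    action: str       # "Adding" or "Removing"
    network: str
    mask: str
    gateway: str
    distance: int
    table: str
    interface: str

def parse_event(line: str) -> Optional[TrackedRouteEvent]:
    """Return a TrackedRouteEvent for a 622001 message, or None for any other line."""
    m = ROUTE_TRACK_RE.search(line)
    if not m:
        return None
    return TrackedRouteEvent(m["action"], m["network"], m["mask"], m["gateway"],
                             int(m["distance"]), m["table"], m["interface"])

def failover_summary(lines: List[str]) -> Dict[str, dict]:
    """Per tracked route: how many times it was withdrawn and whether it is installed now."""
    summary: Dict[str, dict] = {}
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue  # not a tracked-route state change
        key = f"{ev.network}/{ev.mask} via {ev.gateway}"
        entry = summary.setdefault(key, {"removed": 0, "installed": True, "interface": ev.interface})
        entry["installed"] = ev.action == "Adding"
        if ev.action == "Removing":
            entry["removed"] += 1
    return summary

# Constructed sample log: prefix assumed, message bodies taken from the page, one unrelated line.
SAMPLE_LOG = [
    "Jan 10 12:00:01 asa1 %ASA-6-622001: Removing tracked route 93.184.216.34 255.255.255.255 95.95.95.95, distance 1, table default, on interface OUTSIDE",
    "Jan 10 12:00:02 asa1 %ASA-6-302013: Built outbound TCP connection 12345 for OUTSIDE:93.184.216.34/443 ...",
    "Jan 10 12:03:15 asa1 %ASA-6-622001: Adding tracked route 93.184.216.34 255.255.255.255 95.95.95.95, distance 1, table default, on interface OUTSIDE",
    "Jan 10 12:10:40 asa1 %ASA-6-622001: Removing tracked route 93.184.216.34 255.255.255.255 95.95.95.95, distance 1, table default, on interface OUTSIDE",
]

if __name__ == "__main__":
    for route, state in failover_summary(SAMPLE_LOG).items():
        print(route, state)
```

A route that shows repeated withdrawals, or that stays uninstalled, is a sign the primary path (or the monitored target itself) is unreliable and worth an alert.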

Verify the state of the SLA monitor:

#show sla monitor operational-state
#show track

Static Route Tracking Configuration Example
