IP SLA Detail Question on ASA 9.0

Unanswered Question
Feb 25th, 2014

Hello:


I have an ASA 5525 connected to an ISP. I've configured a static default route, and I'm tracking the ISP gateway with IP SLA, using the IP SLA default tracking metrics:


route outside 0.0.0.0 0.0.0.0 192.168.0.2 1 track 1
sla monitor 1
 type echo protocol ipIcmpEcho 192.168.0.2 interface outside
sla monitor schedule 1 life forever start-time now
track 1 rtr 1 reachability


If I do a 'show ip sla monitor configuration', we get some details:


asa1-5525#  sho sla monitor configuration
SA Agent, Infrastructure Engine-II
Entry number: 1
Owner:
Tag:
Type of operation to perform: echo
Target address: 192.168.0.2
Interface: outside
Number of packets: 1
Request size (ARR data portion): 28
Operation timeout (milliseconds): 5000
Type Of Service parameters: 0x0
Verify data: No
Operation frequency (seconds): 60
Next Scheduled Start Time: Start Time already passed
Group Scheduled : FALSE
Life (seconds): Forever
Entry Ageout (seconds): never
Recurring (Starting Everyday): FALSE
Status of entry (SNMP RowStatus): Active
Enhanced History:


So far, so good. Well... not really. I have several complaints that the default route drops frequently. I've confirmed with the ISP that the circuit is healthy, albeit a bit congested at times. My theory is that the SLA traffic is getting dropped during the times of congestion, resulting in the drop of the default route. I've pretty much confirmed this with the 'show track' output:


asa1-5525#  sho track
Track 1
  Response Time Reporter 1 reachability
  Reachability is Up
  281 changes, last change 1d01h
  Latest operation return code: OK
  Latest RTT (millisecs) 1
  Tracked by:
    STATIC-IP-ROUTING 0


So, let's get back to the IP SLA metrics. If I'm reading the output correctly, I'm sending one ping every 60 seconds. That said, this is my question: does this mean that if I don't receive back that single ping, the route gets dropped?! From a single packet loss? If that's true, that is clearly unacceptable. What I would like to know is how to set up IP SLA where I 'send 3 pings over 30 seconds, and if I get back an echo response from at least one of those pings, I keep the default route active.' Is there a way to configure this?


Thanks.

Jouni Forss Tue, 02/25/2014 - 23:48

Hi,


I have personally only used IP SLA on Routers, and on the ASA only for testing purposes here on the CSC, so I have not really had to do that much modification in the settings.


You might however want to change the "num-packets" setting and perhaps change the "timeout" setting, though that by default is already 5000ms.


You would be entering these values when you enter the following command:


type echo protocol ipIcmpEcho 192.168.0.2 interface outside


You will be entered into a new configuration mode where you can use the "?" to check your options on what values to use. But the main thing you probably want to test out is changing the "num-packets" value to something higher than the default value of 1.


Here are links to the Command Reference for the "num-packets" and "timeout" commands:


num-packets

http://www.cisco.com/c/en/us/td/docs/security/asa/command-reference/cmdref/n.html#pgfId-1815481


timeout

http://www.cisco.com/c/en/us/td/docs/security/asa/command-reference/cmdref/t1.html#pgfId-1569025


- Jouni

s-daly Wed, 02/26/2014 - 10:59

Jouni, thanks for the recommendation. That said, like the documentation, this somewhat avoids directly answering my question. Let me ask this way: if I increased the "num-packets" to 6, how many of those packets need to successfully reply in order to maintain the route in the routing table? All of them? One of them? 3 of them? This information, for some reason, seems elusive.

jjcontrer Fri, 07/04/2014 - 19:09

Did you ever solve this issue? I have similar problems with my ASA and my ISP.

s-daly Wed, 07/09/2014 - 13:08

I have yet to get a specific answer.
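
An added example, not part of the thread and not Cisco tooling: a Python check that parses the 'show track' and 'show sla monitor configuration' output quoted in the original question and joins each frequently changing track to the SLA probe settings behind it. The function names and the max_changes threshold of 10 are assumptions of this example.

```python
import re

# Constructed sample input: lines taken from the two command outputs quoted in
# the question, trimmed to the fields this check reads.
SLA_CONFIG = """\
Entry number: 1
Target address: 192.168.0.2
Number of packets: 1
Operation timeout (milliseconds): 5000
Operation frequency (seconds): 60
"""
TRACK = """\
Track 1
  Response Time Reporter 1 reachability
  Reachability is Up
  281 changes, last change 1d01h
"""
FIELDS = {"Target address": "target", "Number of packets": "packets",
          "Operation timeout (milliseconds)": "timeout_ms",
          "Operation frequency (seconds)": "frequency_s"}

def parse_sla(text):
    """Map SLA entry number -> probe settings ('show sla monitor configuration')."""
    entries, current = {}, None
    for line in text.splitlines():
        key, _, value = (part.strip() for part in line.partition(":"))
        if key == "Entry number":
            current = entries.setdefault(int(value), {})
        elif current is not None and key in FIELDS:
            current[FIELDS[key]] = int(value) if value.isdigit() else value
    return entries

def parse_track(text):
    """Map track id -> {rtr, changes} ('show track'); rtr is the SLA entry number."""
    tracks, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if m := re.fullmatch(r"Track (\d+)", line):
            current = tracks.setdefault(int(m[1]), {})
        elif current is not None and (m := re.fullmatch(r"Response Time Reporter (\d+) reachability", line)):
            current["rtr"] = int(m[1])
        elif current is not None and (m := re.match(r"(\d+) changes?, last change", line)):
            current["changes"] = int(m[1])
    return tracks

def review(sla_text, track_text, max_changes=10):
    """Tracks with > max_changes state changes (example threshold), joined to their SLA probe."""
    sla = parse_sla(sla_text)
    return [{"track": tid, "changes": t["changes"], **sla.get(t.get("rtr"), {})}
            for tid, t in sorted(parse_track(track_text).items())
            if t.get("changes", 0) > max_changes]
```

Run against the output in the question, review() returns track 1 with 281 changes alongside a probe of 1 packet, a 5000 ms timeout and a 60 second frequency.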
