I am trying to understand SLA tracking "timers and time-outs" but unfortunately not feeling comfortable/confident with my understanding. Need some help!
sla monitor 123
type echo protocol ipIcmpEcho 192.168.1.2 interface INSIDE
sla monitor schedule 123 life forever start-time now
track 1 rtr 123 reachability
route INSIDE 0.0.0.0 0.0.0.0 192.168.1.2 track 1
route INSIDE 0.0.0.0 0.0.0.0 192.168.1.1 254
192.168.1.2 is firewall's static default gateway which if down, should be changed to 192.168.1.1. Firewall should consider the primary gateway (192.168.1.2) down if it doesn't respond to ping till 6 minutes. Probe routine shouldn't be very chatty, therefore probe routine should start new probe after 2 minutes - in other words, last state of tracked object will remain as it is till 2 minutes.Have i used above commands correctly?
When 192.168.1.2 (primary default gateway) comes up again, i want to check its stability before any change in routing decision. Can I check if primary gateway (192.168.1.2) is now stable that is responded successfully till 6 minutes, now is the time to revert back the default route from backup gateway (192.168.1.1) to primary gateway (192.168.1.2)?
You will send 3 packets each 120 seconds, and for SLA to be triggered you will need to missed those out for those to be missed the ASA will expect a reply for 120000 seconds. I mean you know what I am saying hehe
If we switchover after the 120000 mseconds,we are still going to be sending probes to the primary and as long as we receive 3 replies from those ICMP echo request send each 120 seconds the Primary route will preempt the secondary.
1- Timeout value is configured in millisecond therefore in my commands timeout value is actually 2 minutes.
2- To decide about a tracked object as active, SLA needs just one ICMP echo to be responded successfully.
For example: SLA started at 00:00:00 and 1st ICMP echo was sent at same time then ASA will set this packet's timeout to 2 minutes which means that ASA will wait for response till 120000ms before sending the next ICMP echo. Now, either reply will come (if primary gateway is up) or will not come in which case ASA will have to decide at 00:02:00 that this ICMP echo request is timed out.
If primary default gateway was up and reply of 1st ICMP echo request came successfully within the configured timeout, say at 00:00:02; tracked object is considered as active. SLA process will be set to start after 2 minutes that is at 00:02:02 as defined in frequency (120 seconds).
But if primary default gateway was down and reply of 1st ICMP echo request didnt come within the configured timeout, say till 00:02:00; SLA process will send 2nd ICMP echo request at 00:02:01 and will wait till 00:04:01. If 2nd request is also not responded, ASA will consider 2nd ICMP echo request is timed out at 00:04:01 and will send 3rd and last (num-packet 3) ICMP echo request at 00:04:02 and will wait for next 120000 ms that is till 00:06:02. If 3rd ICMP echo was also not responded within the configured timeout value; tracked object will be marked as inactive or down at 00:06:02.
Routing decisions will be made on the basis of recent object status. Primary route will be removed from routing table and backup route will be active. SLA process will start again after 2 minutes that is at 00:08:02 as defined in frequency (120 seconds). The same process will be followed as started at 00:00:00.
Correct me if I'm wrong!
For example: SLA which is now started at 00:08:02, sent an ICMP echo request and got the reply successfully within the configured timeout value - say at 00:08:04, tracked object will be immediately marked as active and in result primary default gateway will become active in routing table. This is what i want to avoid. I want SLA to check for 6 minutes that primary path is stable and active and only then change the routing table which i dont know how will it happen.
We have configured the outside and inside Interface with official ipv6 adresses, set a default route on outside Interface to our router, we also have definied a rule , which also gets hits, to permit tcp from inside Interface to any6.
In Syslog I also se...