Cisco Support Community
New Member

ASA v9 -- IP SLA monitor of remote IP over IPsec VPN

I am trying to work around CSCsx67450 to be able to dynamically add/remove routes of connected IPsec VPN internal networks which are being advertised to the internal LAN. To do this, rather than using reverse route injection, I am trying to use static routes with an SLA ping monitor on the ASA. While I can ping the remote network from the management interface from the console of the ASA, when I configure the SLA monitor to use the management interface I receive the following in the logs:

Oct 20 03:17:40 FRK1sslFW3 : %ASA-6-110003: Routing failed to locate next hop for icmp from NP Identity Ifc: to Management:



For reference the management interface on the ASA has the IP and the IP address trying to be monitored by the SLA is

The config has "management-access Management" set on the ASA.


Is it possible using the SLA monitor to monitor a host over an IPSec VPN which is terminated locally on an ASA?


Is anyone aware of a workaround to CSCsx67450 (i.e. advertise only fully connected IPSec VPN networks) which allows bi-directional VPNs, as I believe the workarounds stated only allow "answer-only" VPNs?





