Cisco Support Community
SLA monitoring of remote router's LAN interface over the VPN

Hi,

I have an ASA 5540 firewall running 9.1(1) to which multiple remote sites establish tunnels (Site-2-Site VPN). As an example:

|---(Inside:10.10.10.0/24)---ASA5540-------(Internet)-------RemoteSite----(LAN: 20.20.20.0/24)---|

ASA5540 Inside Intr: 10.10.10.1

ASA5540 Outside Intr: 4.4.4.4

Remote-Site Router Outside Intr: 5.5.5.5

Remote-Site Router LAN Intr: 20.20.20.1

What I want to achieve is monitoring of the Remote Site Router's LAN Interface (20.20.20.1) through IP SLA on the firewall.

On the firewall, ping works if I specify the Interface as "Inside":

# ping
TCP Ping [n]:
Interface: Inside
Target IP address: 20.20.20.1
Repeat count: [5]
Datagram size: [100]
Timeout in seconds: [2]
Extended commands [n]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 20.20.20.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/22/30 ms

A direct ping to the remote address doesn't work from the firewall, as it would probably assume the Outside interface as the source:

# ping 20.20.20.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 20.20.20.1, timeout is 2 seconds:
?????

The SLA Monitoring commands don't allow specifying the source interface for the ICMP echo packets; as a result, the tracking fails as well:

track 100 rtr 100 reachability
sla monitor 100
 type echo protocol ipIcmpEcho 20.20.20.1 interface Outside     !!! Tried Inside as well, doesn't work
 frequency 5
sla monitor schedule 100 life forever start-time now

The tracking object is used to install a static route for the remote network when the object status is UP. The route is then redistributed into OSPF, which makes it known in the internal network. The reason for doing this is that I have another ASA firewall to which the remote site will establish a tunnel (multiple peers in the crypto-map entry) when the primary firewall goes down. So I have to advertise the remote network into OSPF on the firewall that has an active tunnel to the remote site. This could also be done by running dynamic routing over the tunnel, but I want to use static routing if it's doable.

Any ideas?

Thanks,

Rick.

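As an added example (not from the post or from Cisco documentation), the tracked static route plus OSPF redistribution that the post describes, written out as ASA configuration. <OUTSIDE_NEXT_HOP>, OSPF process 1 and area 0 are assumptions; the probe is the same one the post says does not get answered over the tunnel, so this block shows the route/redistribution chain, not a fix for the probe.

```cisco
! Added example, not configuration from the post. Placeholders and
! assumptions: <OUTSIDE_NEXT_HOP> is the ASA's Outside default gateway,
! OSPF process 1 with Inside in area 0.
!
! Probe and track object exactly as in the post.
sla monitor 100
 type echo protocol ipIcmpEcho 20.20.20.1 interface Outside
 frequency 5
sla monitor schedule 100 life forever start-time now
track 100 rtr 100 reachability
!
! Static route for the remote LAN, present in the routing table only while
! track 100 reports Reachability Up; it is withdrawn when the probe fails,
! so the route is only advertised by the ASA that currently has the tunnel.
route Outside 20.20.20.0 255.255.255.0 <OUTSIDE_NEXT_HOP> 1 track 100
!
! Redistribute the tracked static into OSPF toward the internal network.
! Without "subnets" only classful networks are redistributed, so the /24
! would be silently dropped.
router ospf 1
 network 10.10.10.0 255.255.255.0 area 0
 redistribute static subnets
!
! Verification commands (read-only):
!   show sla monitor operational-state 100   -> probe result and RTT
!   show track 100                           -> Reachability is Up/Down
!   show route | include 20.20.20.0          -> route present only when Up
```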