The Cisco ASA firewall can do three basic SLA monitoring tasks. They are:
- Continuously ping from the ASA even when nobody is logged in
- Change routes based on IP ping reachability
- Alert via syslog or SNMP when the SLA monitor fails
Unfortunately, ICMP echo (ipIcmpEcho) is the only probe type the ASA supports for SLA monitoring, so it is far more limited than IP SLA on an IOS router: it can tell you whether a host answers pings, and nothing more.
Continuously ping from the ASA
Suppose you want the ASA to send a constant ping to something. This is useful for keeping a VPN tunnel up, since the probe traffic counts as interesting traffic, and the ASA configuration that AWS generates for a Site-to-Site VPN relies on exactly this kind of monitor.
Suppose we want the ASA to ping a target every 3 seconds with a 1000 millisecond (1 second) timeout. Here is the config for that:
In this case our SLA monitor ID is 100 and the schedule runs forever, starting now. The schedule command has other options to run the monitor for a fixed lifetime in seconds or to start it at a later time instead of immediately.
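The continuous-ping configuration described above, written out as an added example (this is not the original post's config). It assumes an interface named OUTSIDE and the documentation-range target 203.0.113.1; substitute the host you actually want to probe.

```cisco
! Added example, not the original post's configuration.
! Assumes an interface named OUTSIDE and a ping target of 203.0.113.1 (placeholder).
sla monitor 100
 type echo protocol ipIcmpEcho 203.0.113.1 interface OUTSIDE
 ! frequency is in seconds, timeout is in milliseconds; the timeout may not
 ! exceed the frequency, so 1000 ms inside a 3 s interval is valid
 frequency 3
 timeout 1000
 num-packets 1
! Start probing now and never stop; "life <seconds>" would run it for a fixed time
sla monitor schedule 100 life forever start-time now
```

The echo requests leave the interface named in the type echo line regardless of the routing table, so the target must be reachable out that interface and any intermediate ACLs must permit the ICMP echo and its reply. Check the probe with show sla monitor operational-state 100: a successful probe shows an "OK" return code and a round-trip time, a failing one shows a timeout.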
Change routes based on IP ping availability
Let's now build on the sla monitor commands above and add route tracking. First we need a tracking object, which we create like this:
This creates track ID 1, which follows sla monitor 100 for reachability: the track is up while the probes succeed and goes down when they fail.
Next we need to add the tracking to a route.
Here we are telling the ASA to install this static route ONLY while the sla monitor pings are succeeding. When the monitor starts failing, the route is withdrawn from the routing table. The trailing 1 track 1 on the route command gives the route an administrative distance of 1 (what the post calls its weight; the ASA's own syslog calls it the distance) and binds it to track 1, so it is present in the routing table only while track 1 is up.
We can give the ASA a fallback route for the time the sla monitor is failing. We simply add a second static route to the same destination with a higher administrative distance, like so:
With these two routes in place, the one with a distance of 1 is preferred and is the only one installed. When the pings fail and the tracked route is withdrawn, the route with a distance of 20 takes over; when the track comes back up, the distance-1 route is reinstalled and wins again.
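The tracked route and its floating backup from this section, written out as an added example (not the original post's config). It assumes the sla monitor 100 from the previous section, interfaces named OUTSIDE and BACKUP, and the placeholder gateways 203.0.113.254 and 198.51.100.254; the post's own example tracked a host route, but the same pattern works for any static route, including the default route shown here.

```cisco
! Added example, not the original post's configuration.
! Assumes sla monitor 100 already exists, interfaces named OUTSIDE and BACKUP,
! and placeholder next hops 203.0.113.254 (primary) and 198.51.100.254 (backup).
track 1 rtr 100 reachability
! Primary default route: administrative distance 1, installed only while track 1 is up
route OUTSIDE 0.0.0.0 0.0.0.0 203.0.113.254 1 track 1
! Floating backup: distance 20, so it is used only while the tracked route is withdrawn
route BACKUP 0.0.0.0 0.0.0.0 198.51.100.254 20
!
! Verify from exec mode:
!   show track 1                           (Reachability is Up / Down)
!   show route                             (which default route is installed)
!   show sla monitor operational-state 100 (last probe result and RTT)
```

Two things to get right. First, pick a probe target that is reachable only through the primary path and that lives beyond the first-hop gateway (an upstream DNS server, for example): pinging the gateway itself never detects a dead upstream, and a target reachable over the backup path will keep the track up after the primary has failed. Second, the track only knows about ICMP reachability of that one host, so an outage or ICMP rate-limit at the target alone will trigger a failover even though the primary link is healthy; a target you control, or one with a strong availability record, keeps false failovers rare.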
Alert via syslog or SNMP when the SLA monitor fails
When you have an sla monitor, a track object that follows it, and a route bound to that track, the ASA generates syslogs every time the track changes state. All three must be configured before you will see them, and the messages are level 6 (informational), so your logging destination (logging buffered, logging trap, and so on) must be set to informational or debugging to capture them.
When the track goes down, the ASA logs %ASA-6-622001 (Removing tracked route):
When the track comes back up, it logs %ASA-6-622002 (Adding tracked route):
Turn the syslogs into SNMP traps
You can turn the syslog into an SNMP trap by doing the following config:
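The syslog-to-SNMP-trap configuration this step describes, as an added example rather than the original post's config. It assumes an inside interface named INSIDE, an SNMP manager at 192.0.2.50, and the community string monitor; all three are placeholders. Only the two tracked-route messages are forwarded, which keeps the trap volume down.

```cisco
! Added example, not the original post's configuration.
! Assumes an interface named INSIDE, an SNMP manager at 192.0.2.50 and the
! community string "monitor" (all placeholders).
logging enable
! Forward only the tracked-route messages (622001 remove, 622002 add) as traps
logging list TRACKED_ROUTES message 622001-622002
logging history TRACKED_ROUTES
! Trap receiver; SNMPv2c sends the community string in cleartext, so prefer
! "version 3 <user>" with an authPriv user where the manager supports it
snmp-server host INSIDE 192.0.2.50 trap community monitor version 2c
snmp-server enable traps syslog
```

Using a logging list instead of logging history informational matters on a busy firewall: with the plain level form every informational syslog, including per-connection build and teardown messages, would be sent to the trap receiver as well.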
You’ll see the following trap when the track fails.
The value E:188.8.131.52.184.108.40.206.0 carries the syslog text hex encoded. Run it through a hex-to-ASCII converter and it decodes to the same message the syslog destination received:
<166>%ASA-6-622001: Removing tracked route 220.127.116.11 255.255.255.255 18.104.22.168, distance 1, table default, on interface OUTSIDE
The following command shows the state of the SLA monitor, including the result and round-trip time of the most recent probe:
show sla monitor operational-state