Using an SLA Monitor (ipIcmpEcho) via a Site-to-Site VPN Tunnel

    I have established a successful site-to-site VPN tunnel between two Cisco ASA 5505s running software version 8.0(3). (The tunnel configuration is quite standard, as the tunnel was built using the ASDM VPN Wizard.) After a few security tweaks, I have no problem pinging the inside address of either unit from the other (although it is necessary to ping via the inside interface in order to direct it through the tunnel).

    I would like to be able to use the SLA monitor feature to ping via the tunnel, as:

    • I would like to have a static routing table entry active (and thus advertised via OSPF) based on tracking of the SLA (i.e. present only when the tunnel is actually up).
    • I would like to leave the tunnel open continuously. A periodic ping is one way to do this.

    Having successfully used the SLA tracking feature on non-tunneled connections elsewhere, and given that I can manually ping the same address, I was surprised to find that I can't seem to get the SLA monitor to ping through the tunnel correctly. I have tried specifying the inside interface, just as I have in successful pings to the same address (i.e. the inside address of the other ASA).

    In the following example 192.168.3.2 is the inside interface of the source ASA and 192.168.5.1 is the inside interface of the destination ASA in the attempted SLA. The config lines used on 192.168.3.2 are:

    Code:
    sla monitor 1
     type echo protocol ipIcmpEcho 192.168.5.1 interface inside
     num-packets 3
     frequency 10
    sla monitor schedule 1 life forever start-time now
    track 1 rtr 1 reachability

    Checking "show track 1" reports "Reachability is down", having timed-out.

    The log reveals the following condition:

    Routing failed to locate next hop for icmp from NP Identity Ifc:192.168.3.2/0 to inside:192.168.5.1/0

    This despite the fact that a "ping inside 192.168.5.1" from 192.168.3.2 is completely successful. (Likewise a "ping inside 192.168.3.2" from 192.168.5.1 is also completely successful.)

    I also tried selecting another address at the other end of the tunnel as a destination. The results were the same.

    Is it at all possible to have an SLA monitor ping across a site-to-site VPN tunnel on an ASA?
    Last edited by TomBombadil; 24th September 2008, 19:50.
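    As an added triage helper (not code from the thread), the following parses the ASA "Routing failed to locate next hop" message and the sla monitor stanza quoted above and reports whether the dropped flow is the configured probe. The regexes are constructed here; reading "NP Identity Ifc" as the ASA's pseudo-interface for traffic the box itself originates is my interpretation.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the ASA syslog text quoted in the post above.
SAMPLE_LOG = ("Routing failed to locate next hop for icmp from "
              "NP Identity Ifc:192.168.3.2/0 to inside:192.168.5.1/0")

# Constructed sample: the sla monitor stanza from the post above.
SAMPLE_SLA = """sla monitor 1
 type echo protocol ipIcmpEcho 192.168.5.1 interface inside
 num-packets 3
 frequency 10
"""

# Field layout assumed from the single message shown on the page:
# "<proto> from <ifc>:<ip>/<port> to <ifc>:<ip>/<port>".
LOG_RE = re.compile(
    r"Routing failed to locate next hop for (?P<proto>\w+) from "
    r"(?P<src_ifc>[^:]+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) to "
    r"(?P<dst_ifc>[^:]+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+)")

SLA_RE = re.compile(
    r"type echo protocol ipIcmpEcho (?P<target>[\d.]+) interface (?P<ifc>\S+)")


@dataclass
class RoutingFailure:
    proto: str
    src_ifc: str
    src_ip: str
    dst_ifc: str
    dst_ip: str

    @property
    def self_originated(self) -> bool:
        # "NP Identity Ifc" is the ASA's pseudo-interface for traffic the
        # appliance itself generates (its own pings, SLA probes, syslog).
        return self.src_ifc == "NP Identity Ifc"


def parse_routing_failure(line: str) -> Optional[RoutingFailure]:
    m = LOG_RE.search(line)
    if not m:
        return None
    return RoutingFailure(m["proto"], m["src_ifc"], m["src_ip"],
                          m["dst_ifc"], m["dst_ip"])


def probe_target(sla_config: str) -> Optional[tuple[str, str]]:
    """Return (target address, egress interface) of the ipIcmpEcho probe."""
    m = SLA_RE.search(sla_config)
    return (m["target"], m["ifc"]) if m else None


def correlate(log_line: str, sla_config: str) -> str:
    """Classify a routing-failure message against the configured probe."""
    fail, probe = parse_routing_failure(log_line), probe_target(sla_config)
    if fail is None or probe is None:
        return "no-match"
    target, ifc = probe
    if fail.proto == "icmp" and fail.dst_ip == target and fail.self_originated:
        return f"sla-probe-dropped: self-originated icmp to {target} via {ifc}"
    return "unrelated"
```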

  • #2
    Re: Using an SLA Monitor (ipIcmpEcho) via a Site-to-Site VPN Tunnel

    I also had trouble with IP SLA with two 1841 routers connected via VPN. Cisco looked at the config and changed my SLA config to ping the outside addresses instead of the inside addresses, which made it work a lot better.

    Code:
    ip sla monitor 1
     type echo protocol ipIcmpEcho 208.125.243.74 source-ipaddr 208.125.243.66
     timeout 500
     frequency 3
    ip sla monitor schedule 1 life forever start-time now
    
    track 1 rtr 1 reachability
