Solved

cisco asa5505 multiple SLA Monitors?

Posted on 2013-01-16
1,174 Views
Last Modified: 2013-04-03
I have several branch locations each with an ASA5505 connected to a cable modem.

The ASAs have a VPN tunnel configured to the main location.

I would like to have several SLAs configured to monitor several different hops for the purpose of emailing me when any monitored hop drops. There is no alternate route I can use, so if an SLA trips, I will just get an email alert - no other action needs to be taken by the ASA.

For example, if I run a traceroute from Location-A to the main office, I would like to have an SLA on the cable modem (i.e., the ASA's default route IP), hop #3 in the trace (someplace in the ISP network), and finally to the endpoint of the tunnel (Main Location).

Visually:

from the ASA at Location-A

  
  1     3 ms     7 ms     2 ms  192.168.50.1
  2    14 ms    10 ms     9 ms  66.xx.yy.97  <===== monitor #1 - cable modem
  3    10 ms    10 ms     8 ms  209.xx.yy.37
  4     9 ms     9 ms     8 ms  209.xx.yy.114  <==== monitor #2 - somewhere in ISP network
  5    19 ms    14 ms    14 ms  38.xx.yy.137
  6    40 ms   209 ms   215 ms  154.xx.yy.57
  7    17 ms    19 ms    19 ms  154.xx.yy4.177
  8    12 ms    21 ms    18 ms  154.xx.yy.58
  9    24 ms    24 ms    34 ms  38.aa.bb.82   <==== monitor #3 - Main Office ASA public IP



I am confused by how to track the 2nd and 3rd SLA monitor.

e.g.

route outside 0.0.0.0 0.0.0.0 66.xx.yy.97 track 1

sla monitor 10
  type echo .. 66.xx.yy.97
sla monitor schedule 10 life forever....

sla monitor 20
  type echo .. 209.xx.yy.114
sla monitor schedule 20 life forever....

sla monitor 30
  type echo .. 38.aa.bb.82
sla monitor schedule 30 life forever....


track 1 rtr 10 reachability

track 2 rtr 20 reachability

track 3 rtr 30 reachability

logging list log_list message 622001
logging asdm informational
logging mail log_list
logging from-address asa-remote-A@mydomain.com
logging recipient-address me@mydomain.com level debugging
Question by:snowdog_2112
4 Comments

Expert Comment

by:Xvidalx
ID: 38788978
What you can do is send an email for syslog 622001.
 
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/monitor.html#wp1064823 explains how to send emails for a syslog. Here is a sample
 
logging mail high-priority
logging list sla-list 622001
logging mail sla-list


logging from-address email_address
logging from-address asaxxx@example.com
smtp-server ip_address
 

Author Comment

by:snowdog_2112
ID: 38789298
I am already logging the 622001 messages - as shown in OP.

My question, then, is: do I actually have to have something assigned to the "track [n] rtr [m] reachability", like a "route outside 0.0.0.0 0.0.0.0 xx.yy.zz.aa [n] track [n]"?

(where "n" is the metric and the track id).

Thanks.
 

Accepted Solution

by: snowdog_2112 (earned 0 total points)
ID: 39032198
Not sure if this is correct, but for my purposes it is working.

I am tracking a route in the SLA with a *higher* metric than the default route.

route outside 0.0.0.0 0.0.0.0 <ISP> 1
route outside 0.0.0.0 0.0.0.0 <ISP> 2 track 1
route outside 0.0.0.0 0.0.0.0 <isp> 3 track 2



This way, I get the alert, but since there is no failover ISP connection, the default route is not removed, and I get the alert if any of the upstream hops becomes unreachable.
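With the accepted answer's scheme every tracked route points at the same gateway, so the only field in the 622001 syslog that identifies which SLA tripped is the route's distance (metric). The following is an added example, not code from the thread, that maps that distance back to the monitored hop on the receiving side; it assumes the documented %ASA-6-622001 wording ("Adding|Removing tracked route ..., distance N, table T, on interface I"), a hypothetical metric 4 / track 3 for the third monitor, and constructed sample log lines in the poster's masked-address style.

```python
import re

# Assumed mapping: metric 1 is the untracked default route and is never
# withdrawn; metrics 2-4 follow the accepted answer's "higher metric per
# track" pattern (track 3 / metric 4 is hypothetical, added for the third SLA).
TRACKED_DISTANCES = {
    2: "track 1 / sla 10: cable modem",
    3: "track 2 / sla 20: ISP hop",
    4: "track 3 / sla 30: main office ASA",
}

# Assumed %ASA-6-622001 format, per the ASA syslog message guide.
MSG_RE = re.compile(
    r"%ASA-\d-622001: (?P<action>Adding|Removing) tracked route "
    r"(?P<net>\S+) (?P<mask>\S+) (?P<gw>\S+), distance (?P<dist>\d+), "
    r"table \S+, on interface (?P<iface>\S+)"
)

def parse_622001(line):
    """Return a dict for a 622001 event, or None for any other syslog line."""
    m = MSG_RE.search(line)
    if not m:
        return None
    dist = int(m.group("dist"))
    return {
        "state": "down" if m.group("action") == "Removing" else "up",
        "distance": dist,
        "gateway": m.group("gw"),
        "interface": m.group("iface"),
        "hop": TRACKED_DISTANCES.get(dist),  # None if the metric is unmapped
    }

def alerts_from_log(lines):
    """One human-readable alert per 622001 event; unmapped metrics are flagged."""
    out = []
    for line in lines:
        ev = parse_622001(line)
        if ev is None:
            continue
        label = ev["hop"] or f"unmapped distance {ev['distance']}"
        out.append(f"{label}: {ev['state']} (via {ev['gateway']} on {ev['interface']})")
    return out

# Constructed sample lines (not real logs): ISP hop goes down, then recovers.
SAMPLE = [
    "Jan 16 2013 10:02:11 asa-remote-A %ASA-6-622001: Removing tracked route 0.0.0.0 0.0.0.0 66.xx.yy.97, distance 3, table Default-IP-Routing-Table, on interface outside",
    "Jan 16 2013 10:02:12 asa-remote-A %ASA-6-302013: Built outbound TCP connection ...",
    "Jan 16 2013 10:07:40 asa-remote-A %ASA-6-622001: Adding tracked route 0.0.0.0 0.0.0.0 66.xx.yy.97, distance 3, table Default-IP-Routing-Table, on interface outside",
]

if __name__ == "__main__":
    for alert in alerts_from_log(SAMPLE):
        print(alert)
```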
 

Author Closing Comment

by:snowdog_2112
ID: 39043338
See description in post.
