Solved

cisco asa5505 multiple SLA Monitors?

Posted on 2013-01-16
4
1,208 Views
Last Modified: 2013-04-03
I have several branch locations each with an ASA5505 connected to a cable modem.

The ASAs have a VPN tunnel configured to the main location.

I would like to have several SLAs configured to monitor several different hops for the purpose of emailing me when any monitored hop drops. There is no alternate route I can use, so if an SLA trips, I will just get an email alert - no other action needs to be taken by the ASA.

For example, if I run a traceroute from Location-A to the main office, I would like to have an SLA on the cable modem (i.e., the ASA's default route IP), hop #3 in the trace (someplace in the ISP network), and finally to the endpoint of the tunnel (Main Location).

Visually:

from the ASA at Location-A

  1     3 ms     7 ms     2 ms  192.168.50.1
  2    14 ms    10 ms     9 ms  66.xx.yy.97  <===== monitor #1 - cable modem
  3    10 ms    10 ms     8 ms  209.xx.yy.37
  4     9 ms     9 ms     8 ms  209.xx.yy.114  <==== monitor #2 - somewhere in ISP network
  5    19 ms    14 ms    14 ms  38.xx.yy.137
  6    40 ms   209 ms   215 ms  154.xx.yy.57
  7    17 ms    19 ms    19 ms  154.xx.yy4.177
  8    12 ms    21 ms    18 ms  154.xx.yy.58
  9    24 ms    24 ms    34 ms  38.aa.bb.82   <==== monitor #3 - Main Office ASA public IP

I am confused by how to track the 2nd and 3rd SLA monitors.

e.g.

route outside 0.0.0.0 0.0.0.0 66.xx.yy.97 track 1

sla monitor 10
  type echo .. 66.xx.yy.97
sla monitor schedule 10 life forever....

sla monitor 20
  type echo .. 209.xx.yy.114
sla monitor schedule 20 life forever....

sla monitor 30
  type echo .. 38.aa.bb.82
sla monitor schedule 30 life forever....


track 1 rtr 10 reachability

track 2 rtr 20 reachability

track 3 rtr 30 reachability

logging list log_list message 622001
logging asdm informational
logging mail log_list
logging from-address asa-remote-A@mydomain.com
logging recipient-address me@mydomain.com level debugging
Question by:snowdog_2112
4 Comments

Expert Comment

by:Xvidalx
ID: 38788978
What you can do is send an email for syslog 622001.
 
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/monitor.html#wp1064823 explains how to send emails for a syslog. Here is a sample
 
logging mail high-priority
logging list sla-list 622001
logging mail sla-list
logging from-address email_address
logging from-address asaxxx@example.com
smtp-server ip_address

Author Comment

by:snowdog_2112
ID: 38789298
I am already logging the 622001 messages - as shown in OP.

My question, then, is: do I have to actually have something assigned to the "track [n] rtr [m] reachability", like a "route outside 0.0.0.0 0.0.0.0 xx.yy.zz.aa [n] track [n]"

(where "n" is the metric and the track id).

Thanks.

Accepted Solution

by:
snowdog_2112 earned 0 total points
ID: 39032198
Not sure if this is correct, but for my purposes it is working.

I am tracking a route in the SLA with a *higher* metric than the default route.

route outside 0.0.0.0 0.0.0.0 <ISP> 1
route outside 0.0.0.0 0.0.0.0 <ISP> 2 track 1
route outside 0.0.0.0 0.0.0.0 <ISP> 3 track 2

This way, I get the alert, but since there is no failover ISP connection, the default route is not removed, and I get the alert if any of the upstream hops becomes unreachable.
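A complete configuration that follows the approach of the accepted solution, written as an added example for this page rather than taken from the poster's running config. The three hop addresses are the placeholders from the question; the interface name outside, the probe timing values and the SMTP server address 192.0.2.25 are assumptions:

```cisco
! Constructed example (assumed addresses and interface name).
! One ICMP echo probe per hop; each probe feeds one track object.
sla monitor 10
 type echo protocol ipIcmpEcho 66.xx.yy.97 interface outside
 num-packets 3
 frequency 10
sla monitor schedule 10 life forever start-time now
sla monitor 20
 type echo protocol ipIcmpEcho 209.xx.yy.114 interface outside
 num-packets 3
 frequency 10
sla monitor schedule 20 life forever start-time now
sla monitor 30
 type echo protocol ipIcmpEcho 38.aa.bb.82 interface outside
 num-packets 3
 frequency 10
sla monitor schedule 30 life forever start-time now
!
track 1 rtr 10 reachability
track 2 rtr 20 reachability
track 3 rtr 30 reachability
!
! The untracked default route has the best metric and is never withdrawn,
! so traffic keeps flowing even while a probe is failing.
route outside 0.0.0.0 0.0.0.0 66.xx.yy.97 1
! The tracked copies use worse metrics: they are only installed or removed
! with the track state, which is what generates syslog 622001.
route outside 0.0.0.0 0.0.0.0 66.xx.yy.97 2 track 1
route outside 0.0.0.0 0.0.0.0 66.xx.yy.97 3 track 2
route outside 0.0.0.0 0.0.0.0 66.xx.yy.97 4 track 3
!
! Mail only the tracked-route add/remove message, nothing else.
logging enable
logging timestamp
logging list sla-list message 622001
logging mail sla-list
logging from-address asa-remote-A@mydomain.com
logging recipient-address me@mydomain.com level debugging
smtp-server 192.0.2.25
```

After applying it, show sla monitor operational-state, show track and show route confirm that every probe is running, that each track reports Reachability Up, and that the untracked route with metric 1 remains the one in use. Message 622001 is logged both when a tracked route is removed and when it is re-added, so one probe failure produces a "down" mail followed by an "up" mail once the hop answers again.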

Author Closing Comment

by:snowdog_2112
ID: 39043338
See description in post.