snowdog_2112
asked on
Cisco ASA - sla/track stays UP even if ping fails
Cisco ASA 5505, 8.2
Dual ISP
I have an sla monitor configured on the backup ISP interface, configured to ping the first pingable IP in a traceroute from that interface. (Note: I don't use the default gateway on this interface because it is also inside the building and therefore does not indicate if the ISP is down - I can ping the cable modem even if the cable is down)
If I configure a /32 route to my sla test using the 2nd ISP link gateway, I can ping the IP using the ISP#2 interface. If I remove the /32 route, the ISP#2 interface *cannot* ping the IP.
The sla monitor never fails and the track always shows as UP - even if I can't ping the IP.
sla monitor 2
 type echo protocol ipicmp 1.2.3.4 interface isp2
 num-packets 3
 timeout 3000
 frequency 10
sla monitor schedule 2 lifetime forever start now
track 2 rtr 2 reachability
route isp1 0.0.0.0 0.0.0.0 <isp1-gateway> 1 track 1
route isp2 0.0.0.0 0.0.0.0 <isp2-gateway> 2 track 2
route isp2 1.2.3.4 255.255.255.255 <isp2-gateway>
With the /32 route to 1.2.3.4 in place:
ping isp2 1.2.3.4 <-- WORKS
ping isp1 1.2.3.4 <-- FAILS
Remove the /32 route to 1.2.3.4:
ping isp2 1.2.3.4 <-- FAILS
ping isp1 1.2.3.4 <-- WORKS
Run these commands:
show run sla monitor
show ip route track-table
show ip sla statistics
show track
I hope the SLA is not tracking the local interface.
Also check the repeat frequency
ASKER
As mentioned in the OP, the IP in the SLA *stops pinging*, but the track still shows as UP.
Again, as mentioned in the OP, I have to add a /32 route on ISP#2 to the SLA IP address (which is beyond the ISP#2 gateway). With the /32 route in place, I can "ping isp2 <sla-IP>". If I remove the /32 route, "ping isp2 <sla-ip>" *FAILS*, but the track and SLA both still show as UP.
This is an ASA - there is no "ip route track-table" or "ip sla stat" command.
show sla monitor configuration
show sla monitor operational-state
ASKER
I can't replicate the issue at the moment, so I am unable to provide additional details.
ASKER
In the case where the /32 route is *removed*, isp2 CANNOT ping 1.2.3.4, but the sla monitor/track *which uses isp2* shows as OK and UP.
How can the sla be OK when a ping fails?