ASA SLA Monitoring Options
Hi,
Does the "Number of packets" option mean that all the packets specified must exceed the threshold, or is it only one that can be missed? The internet connection for the config below is not very reliable and ping responses are regularly dropped. I beleive this could be causing the route to change to the backup connection when not needed.
Thanks
Hello Dustin,
The "number of packets" configuration is the amount of ICMP request packets that are going to go out from the ASA to the target, and these packets are the ones that are going to be inspected or monitored so if they are getting regularly dropped the test is not going to pass and a Failover between the routes will happen.
Please rate helpful posts.
Have a good one
Julio!!!
Similar Messages
-
Best Practice for ASA Route Monitoring Options?
We have one pair Cisco ASA 5505 located in different location and there are two point to point links between those two locations, one for primary link (static route w/ low metric) and the other for backup (static route w/ high metric). The tracked options is enabled for monitoring the state of the primary route. the detail parameters regarding options as below,
Frequency: 30 seconds Data Size: 28 bytes
Threshold: 3000 milliseconds Tos: 0
Time out: 3000 milliseconds Number of Packets: 8
------ show run------
sla monitor 1
type echo protocol ipIcmpEcho 10.200.200.2 interface Intersite_Traffic
num-packets 8
timeout 3000
threshold 3000
frequency 30
sla monitor schedule 1 life forever start-time now
------ show run------
I'm not sure if the setting is so sensitive that the secondary static route begins to work right away, even when some small link flappings occur.
What is the best practice to set those parameters up in the production environment. How can we specify the reasonanble monitoring options to fit our needs.
Thank you for any idea.Hello,
Of course too sensitive might cause failover to happen when some packets get lost, but remember the whole purpose of this is to provide as less downtime to your network as possible,
Now if you tune these parameters what happen is that failover will be triggered on a different time basis.
This is taken from a cisco document ( If you tune the sla process as this states, 3 packets will be sent each 10 seconds, so 3 of them need to fail to SLA to happen) This CISCO configuration example looks good but there are network engineers that would rather to use a lower time-line than that.
sla monitor 123
type echo protocol ipIcmpEcho 10.0.0.1 interface outside
num-packets 3
frequency 10
Regards,
Remember to rate all of the helpful posts ( If you need assistance knowing how to rate a post just let me know ) -
I'm trying to configure an SLA on some of our ASAs and I want to monitor the hostname of a destination rather than the IP address. The CLI gives me an option to enter IP or hostname, but when I try and use a name rather than an IP address I get:
(config-sla-monitor)# type echo protocol ipIcmpEcho ?
sla-monitor mode commands/options:
Hostname or A.B.C.D IP address or hostname
(config-sla-monitor)# type echo protocol ipIcmpEcho google.com
^
ERROR: % Invalid Hostname
(config)# ping google.com
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 173.194.37.128, timeout is 2 seconds:
Success rate is 100 percent (5/5), round-trip min/avg/max = 40/46/50 ms
Any ideas or suggestions? I've tried local hostnames just to make sure it wasn't a resolution issue. Substituting with the IP address works fine. We just have a particluar vendor we depend on that has a propensity to change IP addresses to a cloud app we depend on and not tell us.
If this posts answers your question or is helpful, please consider rating it and/or marking as answered.Hi,
Always used the IP address so I have no previous expirience of configuring with hostname.
The Command Reference is very vague with regards to the definition of the hostname.
Initially I thought that he problem might be that the DNS lookups are not enabled on the ASA so it is not able to determine the IP address itself.
This didnt seem to make a difference.
Then I configured the following
name 1.1.1.1 test
After which it accepted the command with the hostname configured as "test".
So I am guessing the hostname refers to the "name" configurations of the ASA and if that is the case then I would consider it a pretty useless option.
I tried to configure an "object network GOOGLE" that uses "fqdn www.google.com" but it doesnt accept this "object" as the value for the hostname. So I am not really sure if I am missing something with regards to what else could be entered there other than something referenced in the "name" configuration.
On a quick search I could not find anything online in which someone is actually using a hostname instead of the IP address.
Also slightly adding to the confusion is the fact that the Configuration Guide makes no mention of hostname when giving instructions on configuring the target which to monitor for route tracking.
Starting to seem to me that there is no option to use a DNS name as the target for monitoring.
- Jouni -
ASA /Router -SNMP Trap when IP SLA monitored (ICMP timeout)
Hi,
I am looking for some solution for my below requirment
Requirment is :
How do I configure ASA or Router to send SNMP Trap when IP SLA monitored features enabled (ICMP request or 900 millisecond delay from destination IP)
Thanks in advance..Hi,
Maybe this thread might help you?
https://supportforums.cisco.com/thread/2039293
I have not personally configured these type of SLA configurations on an ASA other than for testing purposes. We handle Dual ISP setups outside the ASA firewalls.
- Jouni -
Ip sla monitoring on asa ver 7.0 (6)
how to configure ip sla monitoring on asa ver 7.0 (6) ?
Hello,
In fact was introduced on 7.2.(1)
Components Used
The information in this document is based on these software and hardware versions:
Cisco PIX Security Appliance 515E with software version 7.2(1) or later
Cisco Adaptive Security Device Manager 5.2(1) or later
Related Products
You can also use this configuration with the Cisco ASA 5500 Series Security Appliance version 7.2(1).
Please rate helpful posts,
Julio -
ASA5510 sla monitor does not fail back
I've been down this path before and never got a resolution to this issue.
ASA5510 Security Plus
Primary ISP conn is Comcast cable
Secondary ISP conn is fract T1
I duplicated the SLA code from http://www.cisco.com/en/US/partner/products/hw/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtml
When I pull the conn from primary ISP the default route to the secondary comes up
When I reconnect the primary the default route to the secondary does not go away.
I must either reload the ASA or remove/readd the two default outside routes.
Anyone have this same experience and could lend a hand?
Are there any commands I might have in my config that break SLA?
If so I would have hoped either the Configuration Guide or Command Reference for 8.2 would say so, but I don't see any mentioned.
I'm working remotely with my customer so I can't play with this except on off-hours.
ASA running 8.2(2) so as to use AnyConnect Essentials.
Thx,
PhilPls. read and try the workaround.
CSCtc16148 SLA monitor fails to fail back when ip verify reverse is applied
Symptom:
Route Tracking may fail to fail back to the primary link/route when restored.
Conditions:
SLA monitor must configured along with ip verify reverse path on the tracked interface.
Workaround:
1. Remove ip verify reverse path off of the tracked interface
or
2. add a static route to the SLA target out the primary tracked interface.
[Wrap text] [Edit this enclosure]
Release-note: Added 09/23/2009 20:28:24 by kusankar
[Unwrap text] [Edit this enclosure]
Release-note: Added 09/23/2009 20:28:24 by kusankar
[Uwrap text] [Edit this enclosure]
fixed-in-broadview-8.3.1.1_interim-by-cl104097: Added 03/23/2010 11:54:08 by perforce
fixed-in-broadview-8.3.1.1_interim-by-cl104097: Added 03/23/2010 11:54:08 by perforceCan not view this . file attachment inline, please click on the following link to view the attachment.
http://cdetsweb-prd.cisco.com/apps/dumpcr_att?identifier=CSCtc16148&title=fixed-in-broadview-8.3.1.1_interim-by-cl104097&ext=&type=FILE
fixed-in-broadview-8.3.1.1_interim-by-cl104097: Added 03/23/2010 11:54:08 by perforceCan not view this . file attachment inline, please click on the following link to view the attachment.
http://
[UnWrap text] [Edit this enclosure]
fixed-in-broadview-8.3.1.1_interim-by-cl104097: Added 03/23/2010 11:54:08 by perforce
[Wrap Text] [Edit this enclosure]
fixed-in-broadview-8.3.1.1_interim-by-cl104097: Added 03/23/2010 11:54:08 by perforce
[Uwrap text] [Edit this enclosure]
fixed-in-broadview-8.3.1_fcs_throttle-by-cl103850: Added 03/22/2010 15:48:05 by perforce
fixed-in-broadview-8.3.1_fcs_throttle-by-cl103850: Added 03/22/2010 15:48:05 by perforceCan not view this . file attachment inline, please click on the following link to view the attachment.
http://cdetsweb-prd.cisco.com/apps/dumpcr_att?identifier=CSCtc16148&title=fixed-in-broadview-8.3.1_fcs_throttle-by-cl103850&ext=&type=FILE
fixed-in-broadview-8.3.1_fcs_throttle-by-cl103850: Added 03/22/2010 15:48:05 by perforceCan not view this . file attachment inline, please click on the following link to view the attachment.
http://
[UnWrap text] [Edit this enclosure]
fixed-in-broadview-8.3.1_fcs_throttle-by-cl103850: Added 03/22/2010 15:48:05 by perforce
[Wrap Text] [Edit this enclosure]
fixed-in-broadview-8.3.1_fcs_throttle-by-cl103850: Added 03/22/2010 15:48:05 by perforce
[Uwrap text] [Edit this enclosure]
fixed-in-broadview-bennu-by-cl101314: Added 02/18/2010 19:06:08 by perforce
fixed-in-broadview-bennu-by-cl101314: Added 02/18/2010 19:06:08 by perforceCan not view this . file attachment inline, please click on the following link to view the attachment.
http://cdetsweb-prd.cisco.com/apps/dumpcr_att?identifier=CSCtc16148&title=fixed-in-broadview-bennu-by-cl101314&ext=&type=FILE
fixed-in-broadview-bennu-by-cl101314: Added 02/18/2010 19:06:08 by perforceCan not view this . file attachment inline, please click on the following link to view the attachment.
http://
[UnWrap text] [Edit this enclosure]
fixed-in-broadview-bennu-by-cl101314: Added 02/18/2010 19:06:08 by perforce
[Wrap Text] [Edit this enclosure]
fixed-in-broadview-bennu-by-cl101314: Added 02/18/2010 19:06:08 by perforce
[Uwrap text] [Edit this enclosure]
fixed-in-broadview-idfw-by-cl101317: Added 02/18/2010 19:09:07 by perforce
fixed-in-broadview-idfw-by-cl101317: Added 02/18/2010 19:09:07 by perforceCan not view this . file attachment inline, please click on the following link to view the attachment.
http://cdetsweb-prd.cisco.com/apps/dumpcr_att?identifier=CSCtc16148&title=fixed-in-broadview-idfw-by-cl101317&ext=&type=FILE
fixed-in-broadview-idfw-by-cl101317: Added 02/18/2010 19:09:07 by perforceCan not view this . file attachment inline, please click on the following link to view the attachment.
http://
[UnWrap text] [Edit this enclosure]
fixed-in-broadview-idfw-by-cl101317: Added 02/18/2010 19:09:07 by perforce
[Wrap Text] [Edit this enclosure]
fixed-in-broadview-idfw-by-cl101317: Added 02/18/2010 19:09:07 by perforce
[Uwrap text] [Edit this enclosure]
fixed-in-broadview-logging-ng-by-cl101311: Added 02/18/2010 19:03:08 by perforce
fixed-in-broadview-logging-ng-by-cl101311: Added 02/18/2010 19:03:08 by perforceCan not view this . file attachment inline, please click on the following link to view the attachment.
http://cdetsweb-prd.cisco.com/apps/dumpcr_att?identifier=CSCtc16148&title=fixed-in-broadview-logging-ng-by-cl101311&ext=&type=FILE
fixed-in-broadview-logging-ng-by-cl101311: Added 02/18/2010 19:03:08 by perforceCan not view this . file attachment inline, please click on the following link to view the attachment.
http://
[UnWrap text] [Edit this enclosure]
fixed-in-broadview-logging-ng-by-cl101311: Added 02/18/2010 19:03:08 by perforce
[Wrap Text] [Edit this enclosure]
fixed-in-broadview-logging-ng-by-cl101311: Added 02/18/2010 19:03:08 by perforce
[Uwrap text] [Edit this enclosure]
fixed-in-broadview-main-by-cl101300: Added 02/18/2010 18:27:07 by perforce
fixed-in-broadview-main-by-cl101300: Added 02/18/2010 18:27:07 by perforceCan not view this . file attachment inline, please click on the following link to view the attachment.
http://cdetsweb-prd.cisco.com/apps/dumpcr_att?identifier=CSCtc16148&title=fixed-in-broadview-main-by-cl101300&ext=&type=FILE
fixed-in-broadview-main-by-cl101300: Added 02/18/2010 18:27:07 by perforceCan not view this . file attachment inline, please click on the following link to view the attachment.
http://
[UnWrap text] [Edit this enclosure]
fixed-in-broadview-main-by-cl101300: Added 02/18/2010 18:27:07 by perforce
[Wrap Text] [Edit this enclosure]
fixed-in-broadview-main-by-cl101300: Added 02/18/2010 18:27:07 by perforce
[Uwrap text] [Edit this enclosure]
fixed-in-sedona-64bit-by-cl101362: Added 02/19/2010 04:52:24 by perforce
fixed-in-sedona-64bit-by-cl101362: Added 02/19/2010 04:52:24 by perforceCan not view this . file attachment inline, please click on the following link to view the attachment.
http://cdetsweb-prd.cisco.com/apps/dumpcr_att?identifier=CSCtc16148&title=fixed-in-sedona-64bit-by-cl101362&ext=&type=FILE
fixed-in-sedona-64bit-by-cl101362: Added 02/19/2010 04:52:24 by perforceCan not view this . file attachment inline, please click on the following link to view the attachment.
http://
[UnWrap text] [Edit this enclosure]
fixed-in-sedona-64bit-by-cl101362: Added 02/19/2010 04:52:24 by perforce
[Wrap Text] [Edit this enclosure]
fixed-in-sedona-64bit-by-cl101362: Added 02/19/2010 04:52:24 by perforce
[Uwrap text] [Edit this enclosure]
fixed-in-sedona-bv64-by-cl101426: Added 02/19/2010 11:42:41 by perforce
fixed-in-sedona-bv64-by-cl101426: Added 02/19/2010 11:42:41 by perforceCan not view this . file attachment inline, please click on the following link to view the attachment.
http://cdetsweb-prd.cisco.com/apps/dumpcr_att?identifier=CSCtc16148&title=fixed-in-sedona-bv64-by-cl101426&ext=&type=FILE
fixed-in-sedona-bv64-by-cl101426: Added 02/19/2010 11:42:41 by perforceCan not view this . file attachment inline, please click on the following link to view the attachment.
http://
[UnWrap text] [Edit this enclosure]
fixed-in-sedona-bv64-by-cl101426: Added 02/19/2010 11:42:41 by perforce
[Wrap Text] [Edit this enclosure]
fixed-in-sedona-bv64-by-cl101426: Added 02/19/2010 11:42:41 by perforce
[Uwrap text] [Edit this enclosure]
fixed-in-sedona-main-by-cl101297: Added 02/18/2010 18:24:15 by perforce
fixed-in-sedona-main-by-cl101297: Added 02/18/2010 18:24:15 by perforceCan not view this . file attachment inline, please click on the following link to view the attachment.
http://cdetsweb-prd.cisco.com/apps/dumpcr_att?identifier=CSCtc16148&title=fixed-in-sedona-main-by-cl101297&ext=&type=FILE
fixed-in-sedona-main-by-cl101297: Added 02/18/2010 18:24:15 by perforceCan not view this . file attachment inline, please click on the following link to view the attachment.
http://
[UnWrap text] [Edit this enclosure]
fixed-in-sedona-main-by-cl101297: Added 02/18/2010 18:24:15 by perforce
[Wrap Text] [Edit this enclosure]
fixed-in-sedona-main-by-cl101297: Added 02/18/2010 18:24:15 by perforce
[Uwrap text] [Edit this enclosure]
fixed-in-titan-8.2.2_fcs_throttle-by-cl101307: Added 02/18/2010 18:57:08 by perforce
fixed-in-titan-8.2.2_fcs_throttle-by-cl101307: Added 02/18/2010 18:57:08 by perforceCan not view this . file attachment inline, please click on the following link to view the attachment.
http://cdetsweb-prd.cisco.com/apps/dumpcr_att?identifier=CSCtc16148&title=fixed-in-titan-8.2.2_fcs_throttle-by-cl101307&ext=&type=FILE
fixed-in-titan-8.2.2_fcs_throttle-by-cl101307: Added 02/18/2010 18:57:08 by perforceCan not view this . file attachment inline, please click on the following link to view the attachment.
http://
[UnWrap text] [Edit this enclosure]
fixed-in-titan-8.2.2_fcs_throttle-by-cl101307: Added 02/18/2010 18:57:08 by perforce
[Wrap Text] [Edit this enclosure]
fixed-in-titan-8.2.2_fcs_throttle-by-cl101307: Added 02/18/2010 18:57:08 by perforce
[Uwrap text] [Edit this enclosure]
fixed-in-titan-bennu-by-cl101294: Added 02/18/2010 18:24:08 by perforce
fixed-in-titan-bennu-by-cl101294: Added 02/18/2010 18:24:08 by perforceCan not view this . file attachment inline, please click on the following link to view the attachment.
http://cdetsweb-prd.cisco.com/apps/dumpcr_att?identifier=CSCtc16148&title=fixed-in-titan-bennu-by-cl101294&ext=&type=FILE
fixed-in-titan-bennu-by-cl101294: Added 02/18/2010 18:24:08 by perforceCan not view this . file attachment inline, please click on the following link to view the attachment.
http://
[UnWrap text] [Edit this enclosure]
fixed-in-titan-bennu-by-cl101294: Added 02/18/2010 18:24:08 by perforce
[Wrap Text] [Edit this enclosure]
fixed-in-titan-bennu-by-cl101294: Added 02/18/2010 18:24:08 by perforce
[Uwrap text] [Edit this enclosure]
fixed-in-titan-main-by-cl101282: Added 02/18/2010 16:48:04 by perforce
fixed-in-titan-main-by-cl101282: Added 02/18/2010 16:48:04 by perforceCan not view this . file attachment inline, please click on the following link to view the attachment.
http://cdetsweb-prd.cisco.com/apps/dumpcr_att?identifier=CSCtc16148&title=fixed-in-titan-main-by-cl101282&ext=&type=FILE
fixed-in-titan-main-by-cl101282: Added 02/18/2010 16:48:04 by perforceCan not view this . file attachment inline, please click on the following link to view the attachment.
http://
[UnWrap text] [Edit this enclosure]
fixed-in-titan-main-by-cl101282: Added 02/18/2010 16:48:04 by perforce
[Wrap Text] [Edit this enclosure]
fixed-in-titan-main-by-cl101282: Added 02/18/2010 16:48:04 by perforce
[Uwrap text] [Edit this enclosure]
sla-mon-sh-tech: Added 09/23/2009 20:43:52 by kusankar
sla-mon-sh-tech: Added 09/23/2009 20:43:52 by kusankarCan not view this .log file attachment inline, please click on the following link to view the attachment.
http://cdetsweb-prd.cisco.com/apps/dumpcr_att?identifier=CSCtc16148&title=sla-mon-sh-tech&ext=log&type=FILE
sla-mon-sh-tech: Added 09/23/2009 20:43:52 by kusankarCan not view this .log file attachment inline, please click on the following link to view the attachment.
http://
[UnWrap text] [Edit this enclosure]
sla-mon-sh-tech: Added 09/23/2009 20:43:52 by kusankar
[Wrap Text] [Edit this enclosure]
sla-mon-sh-tech: Added 09/23/2009 20:43:52 by kusankar
[Uwrap text] [Edit this enclosure]
static-analysis-titan-main: Added 02/18/2010 16:48:07 by perforce
static-analysis-titan-main: Added 02/18/2010 16:48:07 by perforceCan not view this . file attachment inline, please click on the following link to view the attachment.
http://cdetsweb-prd.cisco.com/apps/dumpcr_att?identifier=CSCtc16148&title=static-analysis-titan-main&ext=&type=FILE
static-analysis-titan-main: Added 02/18/2010 16:48:07 by perforceCan not view this . file attachment inline, please click on the following link to view the attachment.
http://
[UnWrap text] [Edit this enclosure]
static-analysis-titan-main: Added 02/18/2010 16:48:07 by perforce
[Wrap Text] [Edit this enclosure]
static-analysis-titan-main: Added 02/18/2010 16:48:07 by perforce
-KS -
I have 2 static routes from source to destination on ASA. I want to give preference to first path and the second path will be the backup path. In case if first path will goes down only then the second path will be used. For this I want to enable SLA monitoring. If i will set number of packets=100, Frequency=20 sec, Timeout= 2sec. I want that when all the 100 packets will be dropped only the backup path will be used.
How can i set this requirement?
Regards,
Mukesh Kumar
Network Engineer
Spooster IT ServicesHello Mukesh ,
I understand that you are trying to achieve redundancy using ipsla track feature and at the same time you want some delay ( you said untill 100 packets are dropped ) in installing secondary route in RIB .
Kindly correct me if wrong .
As a simpler solution , I think you can add delay in number of seconds under track statement , that will achieve same thing but in terms of seconds . So lets say if you have threshold to 20 seconds and delay of 60 seconds , in case of failure condition router will wait untill IPSLA is triggered 3 times with consecutive failures ( as per frequency ) .
Anyways , in case you still need IPSLA track feature based on number of packets drop , please see below as per my understanding :
As you say you will set number of packets = 100 , i assume you are using ICMP-jitter based IPSLA and that can report such drops in reaction configuration . you can use "traponly" keyword to have a log generated when configured number of drop threshold is reached ( kindly ensure to have ip sla logging trap configured ) .
Now you can use this log ( threshold exceeded ) as trigger for an EEM script and do whatever changes are needed in configuration ( eg, static route AD manipulation etc ) .
hope to help .
For any further help please let me know .
Regards
Sunil Bhadauria -
ASA SLA Tracking w/ multiple icmp checks
I would like to setup a backup internet connection but I don't want the connection to failover if one IP address or sla monitor is down. I would like at least two to fail before it goes down. The only way I can think of is the config below. Is there an easier way?
route ouside 0.0.0.0 0.0.0.0 <isp1 route> 1 track 1
route ouside 0.0.0.0 0.0.0.0 <isp1 route> 2 track 2
route outside 0.0.0.0 0.0.0.0 <isp2 route> 254
sla monitor 101
type echo protocol ipIcmpEcho 10.0.0.1 interface outside
num-packets 3
frequency 10
sla monitor 102
type echo protocol ipIcmpEcho 10.0.0.2 interface outside
num-packets 3
frequency 10
sla monitor schedule 101 life forever start-time now
sla monitor schedule 102 life forever start-time now
track 1 rtr 101 reachability
track 2 rtr 102 reachabilityHey, I know I am late, but I had found your article earlier today looking for an answer for a very similar issue. The problem I see with your solution is that the second route will overwrite the first line. Your cannot have two routes for the same network and same next-hop in a Cisco ASA. My problem was slightly different than yours, as I have a single ISP behind the ASA, but wanted to using multiple SLA monitors for the default-route so it is in the routing table if any SLA is up. The default is being redistributed into EIGRP.
Her is my solution, I hope this will help someone, someday. It is not nice and short as we would like them, but works perfectly for what I needed. I tried to put enough comments so that you understand some choices I had to make.
WAIT! Did I tell you what follows doesn't look nice? This is for trained professionals only. Make sure you have a deep understanding of IP routing, IP routing protocols and route redistribution before you use this ! Use at your own risks!
OK her it goes...
! Monitoring a single hosts in unsufficient in many production environments.
! Very limited IP SLA tracking in ASA doesn't really allow to monitor multiple hosts at the same time.
! Only one monitor process per track process and no configurable delays for down or up events
! This will show how to create dummy default-routes each bound to a different SLA monitor for distribution into EIGRP, such that a default-route will exist in the routing table if any of the monitored hosts is responding and how to filter redistribution of static routes into EIGRP
! The actual routes the ASA will use are 0.0.0.0/1 and 128.0.0.0/1, but those routes will only be used locally by the ASA, because they are a longer-match than the 0.0.0.0/0
! The most difficult part is preventing the 0.0.0.0/1 routes from getting redistributed in EIGRP along with the 0.0.0.0/0 route.
! The same technique could be applied for RIP or OSPF
! ISP router (default gateway)
name x.x.x.x ISPrtr
! Google DNS
name y.y.y.y SLAtesthost1
! Another host on the Internet
name z.z.z.z SLAtesthost2
! Some unused/invalid hosts in the inside interface's subnet, I always use a /28 or bigger subnets so it was easy to find usused host addresses in the subnet
name a.a.a.a invalid-host1
name a.a.a.b invalid-host2
sla monitor 1
type echo protocol ipIcmpEcho SLAtesthost1 interface outside
threshold 500
frequency 10
packets 3
sla monitor schedule 1 life forever start-time now
sla monitor 2
type echo protocol ipIcmpEcho SLAtesthost2 interface outside
threshold 500
frequency 10
packets 3
sla monitor schedule 2 life forever start-time now
track 1 rtr 1 reachability
track 2 rtr 2 reachability
! Split the default route in two routes, these will be used by the ASA(longer-match) to forward IP packets to the ISP router. It is EXTREMELY IMPORTANT that these two routes are NOT redistributed into any routing protocol if you rely of the default-route elsewhere on your network. The route-map redist-default below will achieve this, and allow only default
route outside 0.0.0.0 128.0.0.0 255.255.255.255 ISPrtr
route outside 128.0.0.0 128.0.0.0 255.255.255.255 ISPrtr
! Create two dummy routes, each bound to its own tracking object/SLA monitor, which won't be used to forward any traffic. They can point to hosts in the inside subnet. We use different and invalid hosts as the next hops (other than the ISP router). First because the same route/same nex-hop cannot coexist in the ASA configuration, secondly because the ISP router's address will be used in a route-map to block the previous 2 routes (split).
route inside 0.0.0.0 0.0.0.0 invalid-host1 track 1
route inside 0.0.0.0 0.0.0.0 invalid-host2 track 2
access-list deny-all-routes permit host 0.0.0.0
access-list default-route permit host 0.0.0.0
access-list ISP-router permit host ISPrtr
! The following route-map will ensure only a dummy default route is redistributed in EIGRP, we must absolutely blocck two split routes (0.0.0.0/1 and 128.0.0.0/1)
! Since ASA does not support extended ACL in route-map for filtering on the mask, the first route-map statement denies any route with the real ISP router as the next-hop
! The same route-map could be used for redistributing into RIPv2 or OSPF
route-map redist-default deny 10
match ip next-hop ISP-router
route-map redist-default permit 20
match ip address default-route
route-map redist-default deny 100
router eigrp 100
no auto-summary
! Block all inbound route in the ASA
distribute-list deny-all-routes in interface inside
! Allow only the default-route to be advertised toward inside peers
distribute-list default-route out interface inside
! Redistribute only the default-route, adjust metrics to your needs
redistribute static metric 10000 100 255 1 1500 route-map redist-default
passive-interface default
no passive-interface inside
network
Thanks,
Marc-André -
I am looking or IOS code for a Cisco 2921/K9 that will allow me to do IP SLA Tracking. The current code "c2900-universalk9-mz.SPA.151-4.M.bin" will only allow me to sset up IP SLA responder or IP SLA Server but NOT IP SLA Monitor or IP SLA RTR.
I have used the Cisco feature set research tool and chose what it recommended but to no avail.
Am I missing something? Will the Server or Responder perform tracking?
Thanks in advance to anyone who can assist..
~gDear All,
I have the same problem with C2921. I want to config IP SLA for my C2921 but it seems do not support. The below for your reference.
####### Do not have option monitor
ip sla ?
key-chain Use MD5 Authentication for IP SLAs Control Messages
responder Enable IP SLAs Responder
server IPPM server configuration
Show version
System image file is "flash0:c2900-universalk9-mz.SPA.151-4.M1.bin"
License Info:
License UDI:
Device# PID SN
*0 CISCO2921/K9 FGL153913PM
Technology Package License Information for Module:'c2900'
Technology Technology-package Technology-package
Current Type Next reboot
ipbase ipbasek9 Permanent ipbasek9
security None None None
uc None None None
data None None None
Please kindly advise what ios I can use for configuring IP SLA. there're any problem with my licence for that
Best Regards,
Binh -
Hi all!
We are using IP SLA to monitor the WAN IP from a client:
ip sla monitor 1
type echo protocol ipIcmpEcho 192.168.251.206 source-interface GigabitEthernet0/1
request-data-size 10
timeout 2000
threshold 4000
frequency 5
ip sla monitor schedule 1 life forever start-time now
track 104 rtr 1 reachability
delay down 8 up 30
When the link is down, traffic is switched to another link. The problem is that when we are doing maintenance with the problem link, any oscillation (up/down) causes the link to be switched back to the link with problem. The only solution we found for this case is to give a shutdown on the interface that is being repaired.
Does anyone know what I can do to prevent traffic is switched to the link that is being repaired?
Appreciate any helpHi Sachin!
I think it would be interesting to increase the monitoring time, if the main link becomes down. You know I can how do this without using load balancing (HSRP, VRRP, GLBP ...)? Because we are monitoring the wan interface of the client, ie, on the other end of the cloud.
Thanks. -
External monitor options For Macbook Pro(2011)
Just curious as to what my monitor options are as a external monitor for the Macbook Pro. I'm pretty much set on 27'' thunderbolt display but its a hefty price to swallow...
Best buy has some good deals on there 27'' monitor but can i get the same resolution and clarity from other brands that will be eqivalent to Apple?
I'd like to stay in the 27'' to 30'' size...
thanksAny other options like Samsung, LG etc... that offer the same specs as the thunderbolt display?
Thanks -
Hello,
I'm not sure how does the SLA monitoring works...
Example:
sla monitor 123
type echo protocol ipIcmpEcho 10.0.0.1 interface outside
num-packets 3
frequency 10!--- Configure a new monitoring process with the ID 123. Specify the
!--- monitoring protocol and the target network object whose availability the tracking
!--- process monitors. Specify the number of packets to be sent with each poll.
!--- Specify the rate at which the monitor process repeats (in seconds).
When does the routing table change the default route?
If the 3 send packets will get 3x timeout response or it's enought that just one of those 3 packets dont respond?
I would like to set up that the routing table (default route) will rebuild after 30 second of timeout the primary default gateway.
Many thanks
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtmlHi Martin,
You are missing the track configuration. Track 1 rtr 123 reachability
And then:
sla monitor schedule 123 life forever start-time now
The track is attached to the SLA, so when you pick one default route to monitor (The one with the lower administrative distance) you add the track command, for example:
route outside 0.0.0.0 0.0.0.0 200.20.20.1 1 track 1
route outside2 0.0.0.0 0.0.0.0 200.30.30.1 254
The firewall will be monitoring the first route and when it fails, it will remove it from the routing table.
If the 3 send packets will get 3x timeout response or it's enought that just one of those 3 packets dont respond?
There is a threshold that can be configured to say how many packets you will expect.
Mike
Mike -
Dear all,
I have a cisco 2911 router that is located in my head office LAN and I use this router to connect to my branch networks. I want to configure IP SLA Monitor on this router to track my WAN Links but it does not support the command IP SLA Monitor. My IOS VERSION is c2900-universalk9-mz.SPA.151-2.T1.bin. Please help tell me how I can configure IP SLA on my router.
Any assistance will be highly appreciated.The Data Technology Package License part number SL-29-DATA-K9 was changed to the AppX Technology Package License that includes DATA and WAAS features with part number SL-29-APP-K9.
SL-29-APP-K9 (AppX License for Cisco 2900 Series) - USD 1,000.00
Please check the Change in Product Part Number Announcement for the Cisco 2900 Series Integrated Services Routers Data Technology Package Licenses link below for your reference(s):
http://www.cisco.com/c/en/us/products/collateral/routers/2900-series-integrated-services-routers-isr/eos-eol-notice-c51-730946.html -
PRO Tip Monitoring option was disabled on SCVMM
Hello,
I have integrated SCVMM 2012 R2 and SCOM 2012 R2 also test the PRO ,the jobs ran successfully.
But i could not able option to enable PRO "Monitor option"(it is disabled) on SCVMM.how to enable this.You must be a member of the Administrator user role to set up and modify the connection to an Operations Manager server
Also check below links
http://blogs.technet.com/b/scvmm/archive/2011/04/14/operations-manager-integration-and-pro-improvements-in-scvmm-2012.aspx
http://blogs.technet.com/b/kevinholman/archive/2012/08/21/integrating-vmm-2012-and-opsmgr-2012.aspx
Please remember, if you see a post that helped you please click "Vote As Helpful" and if it answered your question, please click "Mark As Answer"
Mai Ali | My blog: Technical | Twitter:
Mai Ali -
Can we develop SLA monitoring tool in abap which will monitor HP service manager?
Hi Experts,
Can we design tool in ABAP or webdynpro where tool will monitor SLA for incidents in HPSM (HP service manager)?
Please let me know if such option is available.
Regards,
SanjanaHi,
I have the same issue. SCOM --> OMU 9.10 works fine, OMU 9.10 --> SCOM doesn't work.
What do you exactky mean with "The user configured for use with the integration pack must have its time zone preferences set to Greenwich/Universal with a date format of mm/dd/yy." Where do you have setup this configuration?
Thanks for help.
Maybe you are looking for
-
What is package structure for Client ABAP Proxy?
1. What is the package structure need to be followed for creating abap client proxy. 2. I read some where in the form, it need to be 4 levels. Why is it? Thank you Ganges Leaves
-
I cannot get xmms player to open. Thru the gui when I click on the icon nothing happens. When I try to run it at the console as my user I get this: [tyler@eLINUXe root]$ xmms %U *** glibc detected *** double free or corruption (out): 0xb6dec5a4 *** A
-
Where can I get a good Mac FTP program?
My question give you points :P Help!?
-
How to make iTunes Match not convert my files ALACs in 256 kbps (VBR)? How to get iTunes convert CDs in Apple loselss? The difference between 256 (VBR) and Apple Losless is very clear...
-
Version 4.3.3 (8J2) not compatible with Bose docking station
I recently update my new ipod touch to version 4.3.3(8J2) and it is no longer compatible with my Bose docking station, no sound coming out from the speakers but able to recharge the battery). How can I go back to plain version 4.3 or get a compatible