Using an SLA echo monitor via an ASA Site-to-Site Tunnel
Bookmark this page:
 Yahoo!
 Google
 Windows Live
 del.icio.us
 digg
 Netscape
|
|
||||||||||
|
Posted by TomBombadil on September 24, 2008, 3:27 pm
Please log in for more thread options I have established a successful site-to-site VPN tunnel between two Cisco ASA 5505's running software version 8.0(3). (The tunnel configuration is quite standard as the tunnel was built using the ADSM VPN Wizard). I have no problem pinging the inside address of either unit from the other (although it is necessary to ping via the inside interface in order to direct it through the tunnel). I would like to be able to use the SLA monitor feature to periodically ping via the tunnel, as: * I would like to have a static routing table entry active (and thus advertised via OSPF) contingent on tracking of the SLA (i.e. present only when the tunnel is actually up). * I would like to leave to tunnel open continuously. A periodic ping is one way to do this. Having successfully used the SLA tracking feature on non-tunneled connections elsewhere, and given that I can manually ping the same address, I was surprised to find that I can't seem to get the SLA monitor to ping through the tunnel correctly. I have tried specifying the inside interface, just as I have in successful pings to the same address (i.e. the inside address of the other ASA). In the following example 192.168.3.2 is the inside interface of the source ASA and 192.168.5.1 is the inside interface of the destination ASA in the attempted SLA. The config lines used on 192.168.3.2 are: sla monitor 1 type echo protocol ipIcmpEcho 192.168.5.1 interface inside num-packets 3 frequency 10 sla monitor schedule 1 life forever start-time now track 1 rtr 1 reachability Checking "show track 1" reports "Reachability is down", having timed- out. The log reveals the following condition: "Routing failed to locate next hop for icmp from NP Identity Ifc: 192.168.3.2/0 to inside:192.168.5.1/0" This despite the fact that a "ping inside 192.168.5.1" from 192.168.3.2 is completely successful. (Likewise a "ping inside 192.168.3.2" from 192.168.5.1 is also completely successful.") I also tried selecting another address at the other end of the tunnel as a destination. The results were the same. Is it at all possible to have an SLA monitor ping across a site-to- site VPN tunnel on an ASA? | ||||||||||
| Similar Threads | Posted |
| Using an SLA echo monitor via an ASA Site-to-Site Tunnel | September 24, 2008, 3:27 pm |
| Voice Port Echo | May 2, 2006, 6:36 pm |
| Call Manager Express Echo | July 4, 2006, 7:52 pm |
| Increase the PPP echo-request(keepalive) retries | June 29, 2005, 5:39 am |
| VoIP + 3650 PoE = Echo + Dropped Calls...etc | November 29, 2006, 4:56 pm |
| Voice Port settings to minimize VOIP Echo | May 18, 2006, 11:46 am |
| rom monitor help | September 9, 2005, 6:03 am |
| Monitor sessions | December 12, 2005, 1:33 pm |
| Monitor Server/PC | March 5, 2006, 11:26 pm |
| Monitor Servers/PC | March 5, 2006, 11:27 pm |
| port monitor | October 7, 2007, 8:17 pm |
| monitor vlan | May 14, 2008, 9:47 pm |
| Monitor CPU and Memory Using SNMP | August 2, 2005, 6:54 am |
| Network Monitor software | September 16, 2005, 11:51 pm |
| Monitor telnet from console. | March 21, 2006, 9:55 am |