Using an SLA echo monitor via an ASA Site-to-Site Tunnel

Discussion in 'Cisco' started by TomBombadil, Sep 24, 2008.

  1. TomBombadil (Guest)

    I have established a successful site-to-site VPN tunnel between two
    Cisco ASA 5505's running software version 8.0(3). (The tunnel
    configuration is quite standard as the tunnel was built using the ASDM
    VPN Wizard). I have no problem pinging the inside address of either
    unit from the other (although it is necessary to ping via the inside
    interface in order to direct it through the tunnel).

    I would like to be able to use the SLA monitor feature to periodically
    ping via the tunnel, as:

    * I would like to have a static routing table entry active (and thus
    advertised via OSPF) contingent on tracking of the SLA (i.e. present
    only when the tunnel is actually up).
    * I would like to leave the tunnel open continuously. A periodic ping
    is one way to do this.

    Having successfully used the SLA tracking feature on non-tunneled
    connections elsewhere, and given that I can manually ping the same
    address, I was surprised to find that I can't seem to get the SLA
    monitor to ping through the tunnel correctly. I have tried specifying
    the inside interface, just as I have in successful pings to the same
    address (i.e. the inside address of the other ASA).

    In the following example 192.168.3.2 is the inside interface of the
    source ASA and 192.168.5.1 is the inside interface of the destination
    ASA in the attempted SLA. The config lines used on 192.168.3.2 are:

    sla monitor 1
     type echo protocol ipIcmpEcho 192.168.5.1 interface inside
     num-packets 3
     frequency 10

    sla monitor schedule 1 life forever start-time now
    track 1 rtr 1 reachability

    Checking "show track 1" reports "Reachability is down", having timed out.

    The log reveals the following condition:
    "Routing failed to locate next hop for icmp from NP Identity Ifc:192.168.3.2/0
    to inside:192.168.5.1/0"

    This despite the fact that a "ping inside 192.168.5.1" from
    192.168.3.2 is completely successful. (Likewise a "ping inside
    192.168.3.2" from 192.168.5.1 is also completely successful.)

    I also tried selecting another address at the other end of the tunnel
    as a destination. The results were the same.

    Is it at all possible to have an SLA monitor ping across a site-to-site
    VPN tunnel on an ASA?
    TomBombadil, Sep 24, 2008
    #1
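As an added example (not part of the thread or any Cisco tool), here is a small Python parser for the two outputs quoted in the post: it pulls the source and destination interface/address out of the "Routing failed to locate next hop" message and reports the probe failures only while "show track" says reachability is down, so a monitoring job can tell an unroutable self-originated SLA probe apart from ordinary traffic. The regex group names, the RouteFailure class, the sample "show track" text and the unrelated second syslog line are constructed assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Pattern for the ASA syslog text quoted in the post; the group names are ours.
ROUTE_FAIL_RE = re.compile(
    r"Routing failed to locate next hop for (?P<proto>\w+) from\s+"
    r"(?P<src_ifc>[^:]+):\s*(?P<src_ip>[\d.]+)/(?P<src_port>\d+) to\s+"
    r"(?P<dst_ifc>[^:]+):\s*(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+)"
)

@dataclass(frozen=True)
class RouteFailure:
    proto: str
    src_ifc: str
    src_ip: str
    dst_ifc: str
    dst_ip: str

def parse_route_failure(line: str) -> Optional[RouteFailure]:
    """Extract interfaces and addresses from one routing-failure log line, or None."""
    m = ROUTE_FAIL_RE.search(line)
    if not m:
        return None
    return RouteFailure(m["proto"].lower(), m["src_ifc"].strip(), m["src_ip"],
                        m["dst_ifc"].strip(), m["dst_ip"])

def track_is_down(show_track_output: str) -> bool:
    """True when 'show track' reports the reachability object as down (any case)."""
    return re.search(r"Reachability is down", show_track_output, re.IGNORECASE) is not None

def failed_probes(show_track_output: str, syslog_lines: List[str],
                  probe_target: str) -> List[RouteFailure]:
    """ICMP routing failures aimed at the SLA target, reported only while the track is down.
    A probe the ASA sources itself shows 'NP Identity Ifc' as its source interface."""
    if not track_is_down(show_track_output):
        return []
    hits = [parse_route_failure(line) for line in syslog_lines]
    return [rf for rf in hits if rf and rf.proto == "icmp" and rf.dst_ip == probe_target]

# Constructed sample input, built from the text of the post.
SHOW_TRACK = "Track 1\n  Response Time Reporter 1 reachability\n  Reachability is down\n"
SYSLOG = [
    "Routing failed to locate next hop for icmp from NP Identity Ifc:192.168.3.2/0 to inside:192.168.5.1/0",
    "Built outbound TCP connection 12 for outside:203.0.113.10/443",  # unrelated, constructed
]

if __name__ == "__main__":
    for rf in failed_probes(SHOW_TRACK, SYSLOG, "192.168.5.1"):
        print(f"SLA probe to {rf.dst_ip} via {rf.dst_ifc} unroutable from {rf.src_ifc} ({rf.src_ip})")
```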
