Asa Ping works but SLA fails

blwegrzyn
Level 1

I can ping the host that is on the other side of the IPsec tunnel, but I cannot monitor it via SLA.

 

PCVST-ASA# ping inside 172.31.56.152
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.31.56.152, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 10/12/20 ms

 

PCVST-ASA# ping outside 172.31.56.152
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.31.56.152, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)

PCVST-ASA# show sla monitor configuration 200
IP SLA Monitor, Infrastructure Engine-II.
Entry number: 200
Owner:
Tag:
Type of operation to perform: echo
Target address: 172.31.56.152
Interface: inside
Number of packets: 3
Request size (ARR data portion): 28
Operation timeout (milliseconds): 5000
Type Of Service parameters: 0x0
Verify data: No
Operation frequency (seconds): 10
Next Scheduled Start Time: Start Time already passed
Group Scheduled : FALSE
Life (seconds): Forever
Entry Ageout (seconds): never
Recurring (Starting Everyday): FALSE
Status of entry (SNMP RowStatus): Active
Enhanced History:

PCVST-ASA# show sla monitor ope
PCVST-ASA# show sla monitor operational-state 200
Entry number: 200
Modification time: 10:36:22.530 DST Fri Mar 9 2018
Number of Octets Used by this Entry: 2056
Number of operations attempted: 214
Number of operations skipped: 0
Current seconds left in Life: Forever
Operational state of entry: Active
Last time this entry was reset: Never
Connection loss occurred: FALSE
Timeout occurred: TRUE
Over thresholds occurred: FALSE
Latest RTT (milliseconds): NoConnection/Busy/Timeout
Latest operation start time: 11:11:42.532 DST Fri Mar 9 2018
Latest operation return code: Timeout
RTT Values:
RTTAvg: 0 RTTMin: 0 RTTMax: 0
NumOfRTT: 0 RTTSum: 0 RTTSum2: 0

PCVST-ASA#
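A small health check that reads the `show sla monitor operational-state` output above and reports why the ASA counts the probe as down. This is an added example, not something from the thread; the failing sample is built from the poster's output, and the healthy sample values are constructed.

```python
"""Health check for a Cisco ASA IP SLA probe from 'show sla monitor operational-state'.
Added example, not from the original thread; the sample text is constructed from the
output the poster pasted, so the field names match what the ASA prints."""
import re

# Constructed sample: the failing entry 200 from the post (ICMP echo timing out).
SAMPLE_FAILING = """\
Entry number: 200
Number of operations attempted: 214
Operational state of entry: Active
Connection loss occurred: FALSE
Timeout occurred: TRUE
Over thresholds occurred: FALSE
Latest RTT (milliseconds): NoConnection/Busy/Timeout
Latest operation return code: Timeout
RTT Values:
RTTAvg: 0 RTTMin: 0 RTTMax: 0
NumOfRTT: 0 RTTSum: 0 RTTSum2: 0
"""

# Constructed sample of a healthy probe (RTT values are invented; "OK" is the success return code).
SAMPLE_HEALTHY = (SAMPLE_FAILING.replace("Timeout occurred: TRUE", "Timeout occurred: FALSE")
                  .replace("NoConnection/Busy/Timeout", "12")
                  .replace("return code: Timeout", "return code: OK")
                  .replace("RTTAvg: 0 RTTMin: 0 RTTMax: 0", "RTTAvg: 12 RTTMin: 10 RTTMax: 20")
                  .replace("NumOfRTT: 0", "NumOfRTT: 3"))


def parse_oper_state(text):
    """Turn the 'Key: value' lines into a dict; the RTT summary lines hold several pairs."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.endswith(":"):          # skip blanks and the 'RTT Values:' header
            continue
        if line.startswith(("RTTAvg", "NumOfRTT")):
            fields.update(re.findall(r"(\w+):\s*(\S+)", line))
        else:
            key, _, value = line.partition(":")     # split on the first colon only
            fields[key.strip()] = value.strip()
    return fields


def probe_health(text):
    """Return (entry, healthy, reasons); any reason means a tracked route would be withdrawn."""
    f = parse_oper_state(text)
    reasons = []
    if f.get("Latest operation return code") != "OK":
        reasons.append("return code " + f.get("Latest operation return code", "?"))
    if f.get("Timeout occurred") == "TRUE":
        reasons.append("timeout flag set")
    if f.get("Connection loss occurred") == "TRUE":
        reasons.append("connection loss flag set")
    if f.get("NumOfRTT", "0") == "0":
        reasons.append("no RTT samples in the current window")
    return f.get("Entry number"), not reasons, reasons


if __name__ == "__main__":
    for sample in (SAMPLE_FAILING, SAMPLE_HEALTHY):
        entry, ok, why = probe_health(sample)
        print(f"SLA entry {entry}: {'UP' if ok else 'DOWN'} {'; '.join(why)}")
```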


Check if the traffic is going through the tunnel. Not sure if SLA traffic takes place before or after encryption.

It does, because I can ping it and it is a network that is only available via the IPsec tunnel.

 

 

ranilf2005
Level 1

Are you using real devices or emulation/virtual?

What is connected to the remote end, another firewall or router for IPsec?

Ranil Fernando

Real devices.

I don't think it is relevant what is on the other side of the tunnel, as the ping works when executed via a terminal session. It is only failing for the SLA monitor.

I had the same issue when I used emulation software.

Just to let you know my experience.

Ranil Fernando

If you have the time, I would switch from traditional ASA VPN, aka policy mode, to VTIs.

 

Using VTI might solve the current SLA issue. Also, a TAC ticket should shed more light on this SLA and IPsec fault. I would also think about using a local policy, meaning configuring a PBR policy for the ASA-generated traffic. IOS does support this, but I have never worked with PBR on ASAs.
