03-09-2018 08:08 AM - edited 02-21-2020 07:30 AM
I can ping the host that is on the other side of the IPsec tunnel, but I cannot monitor it via SLA.
PCVST-ASA# ping inside 172.31.56.152
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.31.56.152, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 10/12/20 ms
PCVST-ASA# ping outside 172.31.56.152
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.31.56.152, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
PCVST-ASA# show sla monitor configuration 200
IP SLA Monitor, Infrastructure Engine-II.
Entry number: 200
Owner:
Tag:
Type of operation to perform: echo
Target address: 172.31.56.152
Interface: inside
Number of packets: 3
Request size (ARR data portion): 28
Operation timeout (milliseconds): 5000
Type Of Service parameters: 0x0
Verify data: No
Operation frequency (seconds): 10
Next Scheduled Start Time: Start Time already passed
Group Scheduled : FALSE
Life (seconds): Forever
Entry Ageout (seconds): never
Recurring (Starting Everyday): FALSE
Status of entry (SNMP RowStatus): Active
Enhanced History:
PCVST-ASA# show sla monitor ope
PCVST-ASA# show sla monitor operational-state 200
Entry number: 200
Modification time: 10:36:22.530 DST Fri Mar 9 2018
Number of Octets Used by this Entry: 2056
Number of operations attempted: 214
Number of operations skipped: 0
Current seconds left in Life: Forever
Operational state of entry: Active
Last time this entry was reset: Never
Connection loss occurred: FALSE
Timeout occurred: TRUE
Over thresholds occurred: FALSE
Latest RTT (milliseconds): NoConnection/Busy/Timeout
Latest operation start time: 11:11:42.532 DST Fri Mar 9 2018
Latest operation return code: Timeout
RTT Values:
RTTAvg: 0 RTTMin: 0 RTTMax: 0
NumOfRTT: 0 RTTSum: 0 RTTSum2: 0
PCVST-ASA#
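The outputs above carry everything needed to state the problem precisely: the probe's configured interface and target, the latest return code, and which manual pings succeed. The following parser is an added example (not code from this thread or from Cisco) that reads those two `show sla monitor` blocks and the ping summaries and turns them into a verdict; the embedded sample text is constructed for the example, modelled on the poster's lines, and the key names are the ones that appear in the ASA output above.

```python
"""Parse ASA 'ping' and 'show sla monitor' output and flag a probe that fails
while a manual ping to the same target succeeds.

Added example, not from the thread or from Cisco. Sample outputs below are
constructed placeholders modelled on the poster's output.
"""
import re

# --- constructed samples (values modelled on the thread, not live data) -------
PING_OUTPUTS = {
    "inside": "Sending 5, 100-byte ICMP Echos to 172.31.56.152, timeout is 2 seconds:\n"
              "!!!!!\nSuccess rate is 100 percent (5/5), round-trip min/avg/max = 10/12/20 ms\n",
    "outside": "Sending 5, 100-byte ICMP Echos to 172.31.56.152, timeout is 2 seconds:\n"
               "?????\nSuccess rate is 0 percent (0/5)\n",
}

SLA_CONFIG = """\
Entry number: 200
Type of operation to perform: echo
Target address: 172.31.56.152
Interface: inside
Number of packets: 3
Operation timeout (milliseconds): 5000
Operation frequency (seconds): 10
Status of entry (SNMP RowStatus): Active
"""

SLA_STATE = """\
Entry number: 200
Number of operations attempted: 214
Number of operations skipped: 0
Operational state of entry: Active
Connection loss occurred: FALSE
Timeout occurred: TRUE
Over thresholds occurred: FALSE
Latest RTT (milliseconds): NoConnection/Busy/Timeout
Latest operation return code: Timeout
RTT Values:
RTTAvg: 0 RTTMin: 0 RTTMax: 0
NumOfRTT: 0 RTTSum: 0 RTTSum2: 0
"""

_KV = re.compile(r"^\s*([^:]+?)\s*:\s*(.*?)\s*$")
_MULTI_KV = re.compile(r"(\s*\w+:\s*\S+)+\s*")
_PING_RATE = re.compile(r"Success rate is (\d+) percent \((\d+)/(\d+)\)")


def parse_kv_block(text):
    """Turn 'Key: value' lines into a dict.

    Lines such as 'RTTAvg: 0 RTTMin: 0 RTTMax: 0' hold several pairs and are
    split into one entry each; lines with no colon are ignored.
    """
    out = {}
    for line in text.splitlines():
        if line.count(":") > 1 and _MULTI_KV.fullmatch(line):
            for key, val in re.findall(r"(\w+):\s*(\S+)", line):
                out[key] = val
            continue
        m = _KV.match(line)
        if m:
            out[m.group(1)] = m.group(2)
    return out


def parse_ping(text):
    """Return (percent, received, sent) from an ASA ping summary line."""
    m = _PING_RATE.search(text)
    if not m:
        raise ValueError("no 'Success rate' line in ping output")
    return tuple(int(x) for x in m.groups())


def diagnose(config, state, pings):
    """Combine SLA config, SLA state and per-interface ping results into a verdict."""
    cfg = parse_kv_block(config)
    st = parse_kv_block(state)
    iface = cfg.get("Interface")
    reachable_from = sorted(i for i, out in pings.items() if parse_ping(out)[0] > 0)
    rc = st.get("Latest operation return code", "")
    timed_out = st.get("Timeout occurred", "FALSE").upper() == "TRUE"
    probe_ok = rc == "OK" and not timed_out and int(st.get("NumOfRTT", "0")) > 0
    return {
        "entry": cfg.get("Entry number"),
        "target": cfg.get("Target address"),
        "probe_interface": iface,
        "attempted": int(st.get("Number of operations attempted", "0")),
        "last_return_code": rc,
        "probe_ok": probe_ok,
        "manual_ping_ok_from": reachable_from,
        # The poster's situation: the probe times out on an interface from
        # which a manual ping to the same target succeeds.
        "probe_disagrees_with_ping": (not probe_ok) and iface in reachable_from,
    }


def summary(result):
    """One-line human-readable verdict for an operator or a monitoring alert."""
    where = f"SLA {result['entry']} to {result['target']} via {result['probe_interface']}"
    if result["probe_ok"]:
        return f"{where}: OK"
    if result["probe_disagrees_with_ping"]:
        return (f"{where} times out although a manual ping from "
                f"{result['probe_interface']} succeeds; compare the source address "
                f"and crypto ACL match of the two before escalating")
    return f"{where}: {result['last_return_code']}"


if __name__ == "__main__":
    print(summary(diagnose(SLA_CONFIG, SLA_STATE, PING_OUTPUTS)))
```

Feeding it the real output of `show sla monitor configuration`, `show sla monitor operational-state` and one `ping <interface> <target>` per interface gives a single line that separates "target is down" from "target answers, probe does not", which is the distinction this thread turns on.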
03-09-2018 08:59 AM
03-09-2018 09:03 AM
It does, because I can ping it, and it is a network that is only available via the IPsec tunnel.
03-10-2018 03:42 PM
Are you using real devices or emulation/virtual ones?
What is connected to the remote end, another firewall or a router for IPsec?
03-10-2018 05:38 PM - edited 03-10-2018 05:40 PM
Real devices.
I don't think it is relevant what is on the other side of the tunnel, as the ping works when executed via a terminal session. It is only failing for the SLA monitor.
03-11-2018 07:04 PM
I had the same issue when I used emulation software.
Just letting you know my experience.
03-12-2018 08:19 AM
If you have the time, I would switch from traditional ASA VPN (aka policy mode) to VTIs.
Using VTI might solve the current SLA issue. Also, a TAC ticket should shed more light on this SLA & IPsec fault. I would also think about using a local policy, meaning configuring a PBR policy for ASA-generated traffic. IOS does support this, but I have never worked with PBR on ASAs.