This post describes how to configure ASA devices that run version 7.2 or higher to perform route tracking by monitoring service level agreements (SLAs). By monitoring the connectivity to a device on another network, you can track the availability of a primary route and install a backup route if the primary route fails. For example, you can define a default route to an Internet service provider (ISP) gateway and a backup default route to a secondary ISP in case the primary ISP becomes unavailable. This technique, called Dual ISP, provides security appliances with a form of high availability, which is a vital part of providing customers with the services to which they are entitled.
Static routing algorithms are basically table mappings established by the network administrator before routing begins. These mappings do not change unless the network administrator alters them. Algorithms that use static routes are simple to design and work well in environments where network traffic is relatively predictable and where the network design is relatively simple. Because the mappings change only when an administrator changes them, static routing systems cannot react to network changes on their own.
Static routes remain in the routing table even if the specified gateway becomes unavailable. If the specified gateway becomes unavailable, you need to remove the static route from the routing table manually. However, static routes are removed from the routing table if the specified interface goes down, and are reinstated when the interface comes back up.
The static route tracking feature provides a method for tracking the availability of a static route and installing a backup route if the primary route should fail. This allows you to, for example, define a default route to an ISP gateway and a backup default route to a secondary ISP in case the primary ISP becomes unavailable.
The ASA does this by associating a static route with a monitoring target that you define. It monitors the target using ICMP echo requests. If an echo reply is not received within a specified time period, the object is considered down and the associated route is removed from the routing table. A previously configured backup route is used in place of the removed route.
When selecting a monitoring target, you need to make sure it can respond to ICMP echo requests.
SLA monitoring jobs start immediately after deployment and continue to run unless you remove the SLA monitor from the device configuration (that is, they do not age out).
Configuration
The ASA maintains two connections to the Internet. The first connection is a high-speed leased line that is accessed through a router provided by the primary ISP. The second connection is a lower-speed Digital Subscriber Line (DSL) that is accessed through a DSL modem provided by the secondary ISP.
The DSL connection is idle as long as the leased line is active and the primary ISP gateway is reachable. However, if the connection to the primary ISP goes down, the ASA changes the routing table in order to direct traffic to the DSL connection. Static route tracking is used in order to achieve this redundancy.
This configuration provides a relatively inexpensive way to ensure that outbound Internet access remains available to users behind the ASA.
Topology (diagram)
Initial Configuration
static (inside,isp1) 101.1.1.10 192.168.1.100 netmask 255.255.255.255
static (inside,isp2) 102.1.1.10 192.168.1.100 netmask 255.255.255.255
access-list ICMP1 permit icmp host 172.16.1.100 host 101.1.1.10
access-list ICMP2 permit icmp host 172.16.2.100 host 102.1.1.10
access-group ICMP1 in interface isp1
access-group ICMP2 in interface isp2
Route on ASA
route ISP1 0 0 101.1.1.1 track 1
route ISP2 0 0 102.1.1.1 10
SLA Config on ASA
sla monitor 1
 type echo protocol ipIcmpEcho 172.16.1.1 interface ISP1
  timeout 200
  frequency 5
  exit
 exit
sla monitor schedule 1 life forever start-time now
track 1 rtr 1 reachability
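The route, sla monitor and track statements only work together when their cross-references line up: the route's track id must name a track object, that object's rtr id must name an SLA operation with an echo target, the operation must be scheduled, the probe should leave through the same interface as the tracked route, the ASA requires the timeout (in ms) to be no longer than the frequency (in s), and an untracked backup route with a higher distance must exist. The following Python is an added example written for this post, not a Cisco tool and not part of the original article: a small parser for exactly these statement forms plus a checker that reports each broken reference. ASA_CONFIG repeats the post's own lines; BROKEN_CONFIG is a constructed variant with three mistakes.

```python
# Added example (not from the original post): consistency check for the
# route / sla monitor / track statements used for static route tracking.
from dataclasses import dataclass
from typing import Optional

ASA_CONFIG = """\
route ISP1 0 0 101.1.1.1 track 1
route ISP2 0 0 102.1.1.1 10
sla monitor 1
 type echo protocol ipIcmpEcho 172.16.1.1 interface ISP1
 timeout 200
 frequency 5
sla monitor schedule 1 life forever start-time now
track 1 rtr 1 reachability
"""

# Constructed: probe leaves via the wrong interface, timeout exceeds frequency, never scheduled.
BROKEN_CONFIG = """\
route ISP1 0 0 101.1.1.1 track 1
route ISP2 0 0 102.1.1.1 10
sla monitor 1
 type echo protocol ipIcmpEcho 172.16.1.1 interface ISP2
 timeout 7000
 frequency 5
track 1 rtr 1 reachability
"""


@dataclass
class Route:
    interface: str
    dest: str                  # "<network> <mask>" as written on the route line
    gateway: str
    distance: int = 1
    track: Optional[int] = None


@dataclass
class Sla:
    target: str = ""
    interface: str = ""
    timeout_ms: int = 5000     # ASA defaults when the lines are absent
    frequency_s: int = 60
    scheduled: bool = False


def parse(config):
    routes, slas, tracks, cur = [], {}, {}, None
    for line in config.splitlines():
        t = line.split()
        if t[:1] == ["route"]:
            # route <if> <network> <mask> <gateway> [distance] [track <id>]
            dist = int(t[5]) if len(t) > 5 and t[5].isdigit() else 1
            trk = int(t[t.index("track") + 1]) if "track" in t else None
            routes.append(Route(t[1], f"{t[2]} {t[3]}", t[4], dist, trk))
        elif t[:3] == ["sla", "monitor", "schedule"]:
            slas.setdefault(int(t[3]), Sla()).scheduled = True
        elif t[:2] == ["sla", "monitor"]:
            cur = slas.setdefault(int(t[2]), Sla())
        elif t[:1] == ["track"]:
            tracks[int(t[1])] = (int(t[3]), t[4])   # track id -> (sla id, tracked attribute)
        elif cur and t[:3] == ["type", "echo", "protocol"]:
            cur.target, cur.interface = t[4], t[6]
        elif cur and t[:1] == ["timeout"]:
            cur.timeout_ms = int(t[1])
        elif cur and t[:1] == ["frequency"]:
            cur.frequency_s = int(t[1])
    return routes, slas, tracks


def check(config):
    """One finding per problem; an empty list means the tracking setup is coherent."""
    routes, slas, tracks = parse(config)
    findings = []
    for r in routes:
        if r.track is None:
            continue
        if r.track not in tracks:
            findings.append(f"route via {r.gateway}: no 'track {r.track}' object")
            continue
        sla_id, attribute = tracks[r.track]
        sla = slas.get(sla_id)
        if sla is None or not sla.target:
            findings.append(f"track {r.track}: sla monitor {sla_id} missing or has no echo target")
            continue
        if attribute != "reachability":
            findings.append(f"track {r.track}: tracks {attribute}, expected reachability")
        if not sla.scheduled:
            findings.append(f"sla monitor {sla_id}: never scheduled, so track {r.track} stays down")
        if sla.interface != r.interface:
            findings.append(f"sla monitor {sla_id}: probes via {sla.interface}, route uses {r.interface}")
        if sla.timeout_ms > sla.frequency_s * 1000:
            findings.append(f"sla monitor {sla_id}: timeout {sla.timeout_ms} ms exceeds frequency {sla.frequency_s} s")
        backups = [b for b in routes if b is not r and b.dest == r.dest and b.track is None]
        if not backups:
            findings.append(f"route via {r.gateway}: no untracked backup route for {r.dest}")
        elif min(b.distance for b in backups) <= r.distance:
            findings.append(f"route via {r.gateway}: backup distance must exceed {r.distance}")
    return findings


if __name__ == "__main__":
    for name, cfg in (("page config", ASA_CONFIG), ("broken config", BROKEN_CONFIG)):
        print(name, "->", check(cfg) or "OK")
```

The parser handles only the statement forms shown on this page; it is meant to be run over a `show running-config` excerpt before a change window, not as a general ASA config parser.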
Verification
sh route (at initial)
sh route (after failing Primary_ISP)
(Note: SLA tracking is not stateful; it does not provide real-time redundancy.)
show running-config sla monitor
(Note: The output of this command displays the SLA commands in the configuration.)
show sla monitor configuration
(Note: The output of this command displays the current configuration settings of the operation.)
show sla monitor operational-state
(Note: The output of this command displays the operational statistics of the SLA operation:
- before the primary ISP fails;
- after the primary ISP fails (and the ICMP echoes time out).)
----
@NetwaxLab