Static route tracking (a.k.a SLA monitoring) is a simple method that the Cisco ASA uses to track the availability of a static route. It allows the Cisco ASA to remove static routes from its routing table if it thinks that the routes are not available.
The Cisco ASA monitors the “reachability” of an IP address (usually a router or server in a remote network, reachable via the static route). The ASA periodically pings that monitored IP address in order to see if can reach it. If the ASA gets a ping reply, it assumes that the static route is available. If it does not receive a reply from the monitored host (within the configured parameters), it assumes that the host is “unreachable”, and removes the associated static route(s) from its routing table.
In my previous post, I explained how to use SLA monitoring to set up redundant ISPs on a Cisco ASA.
These are the basic steps:
- Configure an SLA monitor process. Give it an ID number and tell it what IP address to ping.
- Configure one or more static routes and assign them a tracking ID.
- Associate the SLA monitor process in Step 1 with the tracking ID in Step 2.
Here are some more commands to verify and debug SLA monitoring. For reference, the diagram below is the high-level topology of my test lab which I used in my previous post, and is referenced in the commands below:
The show route command shows the routing table on the ASA. This includes any learned routes and directly connected routes.
ciscoasa# sh ro Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2 E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area * - candidate default, U - per-user static route, o - ODR P - periodic downloaded static route Gateway of last resort is 188.8.131.52 to network 0.0.0.0 C 184.108.40.206 255.255.255.0 is directly connected, outside C 220.127.116.11 255.255.255.0 is directly connected, redundantisp C 127.0.0.0 255.255.0.0 is directly connected, cplane S* 0.0.0.0 0.0.0.0 [2/0] via 18.104.22.168, redundantisp
The show run route command shows the routes that are configured in the running config on the ASA.
ciscoasa# sh ru ro route outside 0.0.0.0 0.0.0.0 22.214.171.124 1 track 1 route outside 126.96.36.199 255.255.255.0 188.8.131.52 1 track 1 route redundantisp 0.0.0.0 0.0.0.0 184.108.40.206 2
The show run sla monitor command shows you the SLA monitor-related configuration that is already in the running config. You can restrict the output to a specific SLA process by specifying a process ID.
ciscoasa# sh ru sla monitor sla monitor 55 type echo protocol ipIcmpEcho 220.127.116.11 interface outside timeout 1000 frequency 3 sla monitor schedule 55 life forever start-time now
The show track command shows you info about the objects that are being tracked by tracking processes. If a track ID is not specified, then the output shows all tracked objects.
ciscoasa# sh track Track 1 Response Time Reporter 55 reachability Reachability is Down 1 change, last change 00:01:05 Latest operation return code: Timeout Tracked by: STATIC-IP-ROUTING 0
The show sla monitor configuration command shows more details about the SLA configuration than the show run sla monitor command.
ciscoasa# sh sla mon c SA Agent, Infrastructure Engine-II Entry number: 55 Owner: Tag: Type of operation to perform: echo Target address: 18.104.22.168 Interface: outside Number of packets: 1 Request size (ARR data portion): 28 Operation timeout (milliseconds): 1000 Type Of Service parameters: 0x0 Verify data: No Operation frequency (seconds): 3 Next Scheduled Start Time: Start Time already passed Group Scheduled : FALSE Life (seconds): Forever Entry Ageout (seconds): never Recurring (Starting Everyday): FALSE Status of entry (SNMP RowStatus): Active Enhanced History:
The show sla monitor operational-state command shows the state of the SLA operations.
ciscoasa# sh sla mon o Entry number: 55 Modification time: 00:00:57.402 UTC Wed Jan 1 2003 Number of Octets Used by this Entry: 1480 Number of operations attempted: 287 Number of operations skipped: 0 Current seconds left in Life: Forever Operational state of entry: Active Last time this entry was reset: Never Connection loss occurred: FALSE Timeout occurred: TRUE Over thresholds occurred: FALSE Latest RTT (milliseconds): NoConnection/Busy/Timeout Latest operation start time: 00:15:12.403 UTC Wed Jan 1 2003 Latest operation return code: Timeout RTT Values: RTTAvg: 0 RTTMin: 0 RTTMax: 0 NumOfRTT: 0 RTTSum: 0 RTTSum2: 0
The debug sla monitor command shows debugging messages for SLA. By default, both trace and error messages are shown, but you can restrict the output to just the trace or error messages. If you specify a SLA process ID, the ASA will only cough up the debug messages for that process ID. In the output below, you can see that the monitored IP address is not responding. To disable the debugging, use the no debug sla monitor command.
ciscoasa# debug sla monitor trace IP SLA Monitor TRACE debugging for all operations is on ciscoasa# IP SLA Monitor(55) Scheduler: Starting an operation IP SLA Monitor(55) echo operation: Sending an echo operation IP SLA Monitor(55) echo operation: Timeout IP SLA Monitor(55) Scheduler: Updating result IP SLA Monitor(55) Scheduler: Starting an operation IP SLA Monitor(55) echo operation: Sending an echo operation IP SLA Monitor(55) echo operation: Timeout IP SLA Monitor(55) Scheduler: Updating result IP SLA Monitor(55) Scheduler: Starting an operation IP SLA Monitor(55) echo operation: Sending an echo operation IP SLA Monitor(55) echo operation: Timeout IP SLA Monitor(55) Scheduler: Updating result no debug sla monitor trace IP SLA Monitor TRACE debugging for all operations is off