IP SLA Tracking on Cisco ASA

What do you all use for IP SLA tracking on the Cisco ASA? It seems as though most people use 8.8.8.8 but I’m not so sure this is a good idea. This is Google’s DNS and it seems to me that Google can decide to block those pings any time they want. Another rule of thumb I’ve heard is that some go into a few hops into the ISP and choose one of their devices. But, if they ever do maintenance or make changes that’ll flip my Internet connection over to something. Please let me know what you use and if there’s perhaps something better suited to IP SLA tracking that I should be using. Thank you.

Hello Mike

Yes, you make a good point. Ultimately, for any IP SLA that tests Internet connectivity, you are subject to the availability and reliability of the target you choose. In general, 8.8.8.8 is an IP address used by literally billions of hosts, so as a service, it is highly unlikely it will fail, barring a natural disaster of epic proportions :astonished:. But of course, as you suggest, Google may choose at any time to block pings.

Ultimately you should use a destination that you can be confident will not fail, and will not change. Using a destination a few hops into your ISP is a good idea, but can be subject to scheduled or unscheduled changes. If you want to use such an option, talk to your ISP and ask them to suggest to you the address to use. If you require it, you can agree contractually that they will inform you ahead of time of any changes made to such an address.

Typically the IP address of the interface via which they connect to their Tier-2 ISP or another Tier-3 ISP may be good to use since they never want those to go down even during maintenance, as it will be a violation of their contracts with those ISPs.

Even so, I personally use 8.8.8.8 for IP SLAs of this sort most of the time, as the expected reliability is more than enough for what I need.

I hope this has been helpful!

Laz

Thank you for your response Laz! Let me ask you this, what do you think of using the root DNS servers? Those too would probably almost never go down, but some are pingable and some are not. My fear in using that would be that they decide to tighten security and then start blocking pings.

Hello Mike

Yes, that would be a good choice too. You can never be 100% sure if someone will block pings at some point.

However, if extreme reliability in your IP SLA is something you really need, what you can do is track two destinations on the Internet and consider the SLA failed if both fail.

You can set up Google’s DNS and a root DNS server as your destinations for example. It is astronomically rare to have both Google and the DNS root go down simultaneously or have their administrators block pings at the same time. So if you lose connectivity to both, it will only be due to the failure of your connection to the Internet.

You can do this using the track list boolean or command. More information on syntax and configuration can be found here:

I hope this has been helpful!

Laz
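As an added illustration of the two-destination approach described above (this is example configuration written for this page, not something posted in the thread), here is how the track list boolean or is put together on an IOS router. Assumed values: GigabitEthernet0/0 as the primary WAN interface, 203.0.113.1 as the primary next hop, 198.51.100.1 as the backup next hop, 8.8.8.8 as the Google DNS target and 198.41.0.4 (a.root-servers.net) as the root DNS target. The default route only drops when both probes have failed.

```cisco
! Probe 1: Google public DNS, sourced from the primary WAN interface
ip sla 1
 icmp-echo 8.8.8.8 source-interface GigabitEthernet0/0
 frequency 10
 timeout 1000
 threshold 500
ip sla schedule 1 life forever start-time now

! Probe 2: a root DNS server (a.root-servers.net), same settings
ip sla 2
 icmp-echo 198.41.0.4 source-interface GigabitEthernet0/0
 frequency 10
 timeout 1000
 threshold 500
ip sla schedule 2 life forever start-time now

! One track object per probe
track 1 ip sla 1 reachability
track 2 ip sla 2 reachability

! Boolean OR list: UP while at least one probe succeeds,
! DOWN only when both probes fail. The delay dampens flapping.
track 3 list boolean or
 object 1
 object 2
 delay down 15 up 5

! Primary default route follows the list; floating static takes over when it is withdrawn
ip route 0.0.0.0 0.0.0.0 203.0.113.1 track 3
ip route 0.0.0.0 0.0.0.0 198.51.100.1 250

! Pin the probe targets to the primary next hop so the probes keep testing the
! primary link even after the backup route becomes active. Without these host
! routes the probes would succeed over the backup and the route would flap back.
ip route 8.8.8.8 255.255.255.255 203.0.113.1
ip route 198.41.0.4 255.255.255.255 203.0.113.1
```

Two things worth checking after applying this: `show track 3` should list both member objects and their current state, and `show ip sla statistics` should show the probes completing at the configured frequency. Be aware that the host routes pin 8.8.8.8 and 198.41.0.4 to the primary link, so while you are failed over, clients on the LAN cannot reach those two addresses; if you rely on 8.8.8.8 as a resolver, use a different probe target or a secondary resolver.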

Thank you for the response! Last question on this topic and I promise I won’t bother you again…do you think I can track two hosts on a Cisco ASA? Looks like the link you posted was for a router. Thanks again!

Hello Mike

Yes, this is a good point. Based on a bit of research I’ve done, I have found that the boolean feature is not available on the ASA, so it is not possible to implement this on an ASA. However, you can get around this limitation and essentially implement the same things using some creative configurations. You can actually see such a solution at the following link:

I hope this has been helpful!

Laz

Wow…great find and thank you for the link! Much appreciated.
