I'm currently trying to set up a failover network for my Cisco ASA 55×0 using the SLA traking. I have the "outside" interface (network 89.x.x.48/29) and the "outside2" interface (network 192.168.70.0/24).
track 1 rtr 1 reachability
sla monitor 1
type echo protocol ipIcmpEcho 89.x.x.49 interface outside
sla monitor schedule 1 start-time now life forever
route outside 0.0.0.0 0.0.0.0 89.x.x.49 128 track 1
As you can see I set up the ping on IP 89.x.x.49, this one reply when I try to ping from my computer that is in the "inside" network:
$ ping 89.x.x.49
Pinging 89.x.x.49 with 32 bytes of data:
Reply from 89.x.x.49: bytes=32 time=1ms TTL=255
Reply from 89.x.x.49: bytes=32 time=1ms TTL=255
Reply from 89.x.x.49: bytes=32 time=1ms TTL=255
Reply from 89.x.x.49: bytes=32 time=1ms TTL=255
Ping statistics for 89.x.x.49:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 1ms, Maximum = 1ms, Average = 1ms
In the picture there is my problem: seems there is a rule on the Cisco that block all the echo-replies from the ip 89.x.x.49 to the firewall, despite I can reach it using my computer and it can reply to my computer.
UPDATE:
Here the capture on the outside interface, the behavior seems correct, but the Cisco ASA always denies all the echo-replies toward it.
Best Answer
Found the solution: the icmp packets were denied.