
Clever_Proxy
Premium
join:2004-05-14
Villa Park, IL

[HELP] Unable to get traceroutes to work right on an ASA5510

I have a strange and annoying issue with an ASA5510. A traceroute from within my network to the outside world never gets responses from the hops between the first and last hops. However, traceroutes directly from the CLI of the ASA work fine. There appear to be no other obvious issues with this network setup.

C:\Users\me>tracert google.com
 
Tracing route to google.com [74.125.142.139]
over a maximum of 30 hops:
 
  1     1 ms     1 ms     1 ms  10.10.30.1
  2     *        *        *     Request timed out.
  3     *        *        *     Request timed out.
  4     *        *        *     Request timed out.
  5     *        *        *     Request timed out.
  6     *        *        *     Request timed out.
  7     *        *        *     Request timed out.
  8     *        *        *     Request timed out.
  9     *        *        *     Request timed out.
 10     *        *        *     Request timed out.
 11     *        *        *     Request timed out.
 12     *        *        *     Request timed out.
 13    43 ms    32 ms    15 ms  ie-in-f139.1e100.net [74.125.142.139]
 
Trace complete.
 

10.10.30.1 is not the ASA. It's a core switch on this network. There are no ACLs on this VLAN so I'm positive it's not a switch config issue.

Outbound ACLs on the router allow all IP and ICMPv4 traffic except for SMTP (25).

I feel like I'm missing something really stupid here. Any ideas?


LondonDave
Premium
join:2011-09-05
London, ON

See this thread: »ASA Traceroute from PC


cramer
Premium
join:2007-04-10
Raleigh, NC
kudos:9

1 recommendation

That's not his issue (i.e. the ASA showing up in the traceroute). His ASA is killing the ICMP traffic in one way or another.

My money is on ACLs, despite what the OP has said. Following that would be any policy map configuration.

Watch the log, there should be numerous "packet dropped" messages.



Clever_Proxy
Premium
join:2004-05-14
Villa Park, IL

I'm actually noticing UDP connections established from my host machine to the destination it's testing. No denies are showing up in the log.

From my previous traceroute, 10.10.30.1 is a core switch, it's not the ASA. The ASA is not showing up in the traceroute. The ASA would technically be hop 2.



Clever_Proxy
Premium
join:2004-05-14
Villa Park, IL

1 edit
reply to cramer

[SOLVED] Unable to get traceroutes to work right on an ASA5510

It was the policy map configuration...

policy-map global_policy
 class icmp-class
  inspect icmp
  set connection decrement-ttl
 class icmperror-class
  inspect icmp error
  set connection decrement-ttl
 

Thanks!

EDIT: Changed the policy-map around so the ttl is decremented correctly via the ASA.
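As an added illustration (a constructed Python model written for this page, not ASA code or anything posted in the thread) of why the middle hops time out while hop 1 and the last hop answer: ICMP time-exceeded messages are sent from each intermediate router's own address, so a stateful firewall that does not inspect ICMP errors finds no matching connection for them and drops them quietly, whereas error inspection matches on the probe header embedded in the error; decrementing the TTL additionally makes the firewall appear as its own hop. Hop names and the host address are assumed, and "FW" marks the firewall's position in the path.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Probe:
    src: str
    dst: str
    ident: int   # stands in for the UDP port or ICMP id/seq that identifies the probe
    ttl: int

@dataclass
class Firewall:
    inspect_icmp_error: bool
    decrement_ttl: bool
    conns: set = field(default_factory=set)   # (src, dst, ident) of probes seen outbound

    def outbound(self, p):
        """Record the probe and optionally decrement TTL; None means the firewall itself answers."""
        self.conns.add((p.src, p.dst, p.ident))
        if not self.decrement_ttl:
            return p
        return None if p.ttl <= 1 else Probe(p.src, p.dst, p.ident, p.ttl - 1)

    def inbound_error(self, router, inner):
        """Time-exceeded from 'router' carrying the original probe 'inner' in its payload."""
        if self.inspect_icmp_error:
            # Error inspection matches on the embedded header, so the error is tied to the probe.
            return (inner.src, inner.dst, inner.ident) in self.conns
        # Without it only the outer header is checked; the router is not the probe's destination, so no connection matches.
        return (inner.src, router, inner.ident) in self.conns

def traceroute(fw, path, src="10.10.30.50", dst="74.125.142.139", max_hops=30):
    hops = []   # path: routers from the host toward dst in order, "FW" marking the firewall
    for ttl in range(1, max_hops + 1):
        probe = Probe(src, dst, 33434 + ttl, ttl)
        p, outside, answer = probe, False, dst
        for hop in path:
            if hop == "FW":
                p, outside = fw.outbound(p), True
                if p is None:
                    answer = "FW"       # the firewall's own time-exceeded, visible as a hop
                    break
                continue
            p = Probe(p.src, p.dst, p.ident, p.ttl - 1)
            if p.ttl == 0:              # this router answers with ICMP time-exceeded
                answer = hop if not outside or fw.inbound_error(hop, probe) else "*"
                break
        hops.append(answer)
        if answer == dst:
            break
    return hops
```

Routers before "FW" in the path (like the core switch at 10.10.30.1) answer directly to the host, which is why hop 1 works regardless of the firewall's configuration.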