Request timeout errors with successful traceroutes on ASA firewalls

Apr 19th, 2007

We are running an ASA5540 on 7.2(2)18 code and have an odd problem where internal WinXP or Linux devices, tracerouting to external addresses, are successful but receive three sets of request timeouts through the hops of the firewall. Even more odd, traceroutes from the same internal host systems to a public external address two hops outside the firewall trace fine with no timeout errors. Regarding ACLs, the internal interface permits full IP access for the inside hosts, and on the outside interface, ICMP filters are in place to permit the needed functions (i.e. time-exceeded, unreachable, echo-replies). Below are example traces from the internal WinXP system, one trace with the timeouts, and one trace 2 hops out that has no issues:


C:\>tracert -d 198.217.36.2

Tracing route to 198.217.36.2 over a maximum of 30 hops

  1    <1 ms     1 ms    <1 ms  10.1.7.2
  2     *        *        *     Request timed out.
  3     *        *        *     Request timed out.
  4     *        *        *     Request timed out.
  5    <1 ms    <1 ms    <1 ms  206.161.58.49
  6     1 ms    <1 ms    <1 ms  66.192.250.136
  7     3 ms     2 ms     2 ms  66.192.250.17
  8     3 ms     3 ms     2 ms  66.192.251.27
  9     2 ms     2 ms     2 ms  66.192.252.6
 10     3 ms     4 ms     3 ms  151.164.191.9
 11     7 ms     7 ms     7 ms  198.217.36.2


C:\>tracert -d 216.150.151.50

Tracing route to 216.150.151.50 over a maximum of 30 hops

  1    <1 ms    <1 ms    <1 ms  10.1.7.2
  2     2 ms     1 ms     5 ms  216.150.126.68
  3    <1 ms    <1 ms    <1 ms  216.150.127.50

Trace complete.


Any advice on this issue would be appreciated.


Thanks,


-Scott

justincohen Sun, 11/30/2008 - 13:18

Did you ever resolve this? I am having a similar problem.

justincohen Sun, 11/30/2008 - 21:08

In my case this is on a 2811, not an ASA, but it is the same problem.


Upon enabling debug ip icmp I get the following when I try to do a traceroute...


Protocol [ip]:
Target IP address: 10.5.1.15
Source address: 192.168.2.1
Numeric display [n]:
Timeout in seconds [3]:
Probe count [3]:
Minimum Time to Live [1]:
Maximum Time to Live [30]:
Port Number [33434]:
Loose, Strict, Record, Timestamp, Verbose[none]: v
Loose, Strict, Record, Timestamp, Verbose[V]:
Type escape sequence to abort.
Tracing the route to 10.5.1.15

  1  *  *  *
  2 10.5.1.15 48 msec 80 msec 48 msec

Dec 1 05:05:06.631: ICMP: dst (192.168.2.1) port unreachable rcv from 10.5.1.15
Dec 1 05:05:06.727: ICMP: dst (192.168.2.1) port unreachable rcv from 10.5.1.15
Dec 1 05:05:06.779: ICMP: dst (192.168.2.1) port unreachable rcv from 10.5.1.15




(FYI, 192.168.2.1 is the 2811, and 10.5.1.15 is the device on the far side)
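Both traces in this thread, Scott's tracert through the ASA and Justin's IOS traceroute on the 2811, have the same shape: one or more hops that answer nothing, then a hop that answers, and the trace completes. The script below is an added example (not code from either poster): it parses both the Windows tracert layout (RTTs first, responder last) and the IOS layout (responder first, RTTs last), finds each run of silent hops, and separates "reached the end, but some hops were silent" from "never reached". A silent hop with the trace completing afterwards means the ICMP time-exceeded messages for those TTLs never got back to the sender, which points at the device or filter on the return path rather than at loss toward the destination. The sample strings are the hop lines from this thread plus one constructed dead trace; the function and variable names are my own.

```python
"""Classify traceroute/tracert output by where the silent hops fall.

Added example for this thread, not code from either poster. Handles the
Windows tracert format and the IOS traceroute format. Names are my own.
"""
import re
from typing import List, NamedTuple, Optional, Tuple

# Sample inputs: the hop lines posted in this thread, plus one constructed
# trace (TRACE_DEAD) that never reaches its target.
TRACE_ASA = """\
Tracing route to 198.217.36.2 over a maximum of 30 hops
1 <1 ms 1 ms <1 ms 10.1.7.2
2 * * * Request timed out.
3 * * * Request timed out.
4 * * * Request timed out.
5 <1 ms <1 ms <1 ms 206.161.58.49
6 1 ms <1 ms <1 ms 66.192.250.136
7 3 ms 2 ms 2 ms 66.192.250.17
8 3 ms 3 ms 2 ms 66.192.251.27
9 2 ms 2 ms 2 ms 66.192.252.6
10 3 ms 4 ms 3 ms 151.164.191.9
11 7 ms 7 ms 7 ms 198.217.36.2
"""
TRACE_CLEAN = """\
Tracing route to 216.150.151.50 over a maximum of 30 hops
1 <1 ms <1 ms <1 ms 10.1.7.2
2 2 ms 1 ms 5 ms 216.150.126.68
3 <1 ms <1 ms <1 ms 216.150.127.50
Trace complete.
"""
TRACE_IOS = """\
Tracing the route to 10.5.1.15
1 * * *
2 10.5.1.15 48 msec 80 msec 48 msec
"""
TRACE_DEAD = """\
1 <1 ms <1 ms <1 ms 10.1.7.2
2 * * * Request timed out.
3 * * * Request timed out.
"""

IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


class Hop(NamedTuple):
    ttl: int
    responder: Optional[str]  # None when every probe at this TTL timed out


def parse_trace(text: str) -> List[Hop]:
    """One Hop per hop line; banners and 'Trace complete.' are skipped."""
    hops: List[Hop] = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or not tokens[0].isdigit():
            continue
        ttl = int(tokens[0])
        # The responder is the first IPv4 token, wherever the format puts it;
        # '*', '<1', 'ms', 'msec' and 'Request timed out.' never match.
        responder = next((t for t in tokens[1:] if IPV4.match(t)), None)
        hops.append(Hop(ttl, responder))
    return hops


def silent_windows(hops: List[Hop]) -> List[Tuple[int, int]]:
    """(first_ttl, last_ttl) for each run of consecutive hops that sent nothing.

    A silent hop means no ICMP time-exceeded for that TTL reached the sender:
    either the device did not generate one or the return path dropped it.
    """
    windows: List[Tuple[int, int]] = []
    start: Optional[int] = None
    end = 0
    for hop in hops:
        if hop.responder is None:
            if start is None:
                start = hop.ttl
            end = hop.ttl
        elif start is not None:
            windows.append((start, end))
            start = None
    if start is not None:
        windows.append((start, end))
    return windows


def classify(text: str) -> str:
    """'clean', 'reached-with-silent-hops', or 'not-reached'.

    tracert/traceroute stop once the last hop answers (echo reply or port
    unreachable), so a trace whose final line has a responder did reach its
    end, max-TTL truncation aside; silent hops before that are a return-path
    or ICMP-filtering symptom. A trace ending in silence is a real failure.
    """
    hops = parse_trace(text)
    if not hops or hops[-1].responder is None:
        return "not-reached"
    return "reached-with-silent-hops" if silent_windows(hops) else "clean"


if __name__ == "__main__":
    for name, trace in (("asa", TRACE_ASA), ("clean", TRACE_CLEAN),
                        ("ios", TRACE_IOS), ("dead", TRACE_DEAD)):
        print(f"{name}: {classify(trace)} silent={silent_windows(parse_trace(trace))}")
```

For the ASA trace the silent window is TTLs 2 through 4, which is where the firewall sits in that path, so the outside-interface permits for time-exceeded that Scott describes are the first thing to verify against what actually arrives; the IOS trace reports a single silent hop at TTL 1 while the debug shows the final port-unreachable replies arriving normally, which is the same symptom one hop closer.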
