tracerts through ASA firewalls respond with ICMP timeouts

Unanswered Question
Apr 15th, 2008

Does anyone know how to set up the ASAs to not respond with ICMP timeouts when a Windows machine runs tracerts through them? The hops through the ASA always respond with timeouts (hops 2 and 3 in this case).


C:\>tracert -d

Tracing route to over a maximum of 30 hops

 1 <1 ms <1 ms <1 ms
 2 * * * Request timed out.
 3 * * * Request timed out.
 4 80 ms 32 ms 27 ms


htarra Mon, 04/21/2008 - 12:20

When you ping a non-existent address, the router that receives the ping request and realizes that the destination address is not reachable will generate an ICMP unreachable error message and send it to the originator of the ping. However, Cisco devices rate-limit their ping responses (as a mechanism to help protect against denial-of-service attacks against the router). The router receives 5 requests which cannot be forwarded and sends the ICMP error to 3. The other 2 are rate-limited.

swharvey Mon, 04/21/2008 - 12:27

Thanks for the response. Understandably, pings and trace routes both use ICMP, and in the case of my trace attempts, I am tracing with ICMP to an existent IP address, and receive timeouts when reaching the ASA/FWSM hop.

This is not the case with our Juniper ISP firewalls, and traces to existing/legitimate IP addresses do not time out when the hop count reaches the ASA/FWSMs.

What configuration changes can be made to the ASA/FWSMs to prevent the ICMPs for the trace from timing out when traversing the ASA/FWSMs?
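A worked configuration for the question above, added here by the editor and not taken from the thread (the thread itself never received an answer). It uses ASA syntax; the policy-map and class names global_policy, inspection_default and class-default are the ones the ASA ships with in its default configuration. The FWSM accepts the same inspection commands, but the FWSM equivalents are assumed rather than verified here. The "before" block is a trimmed version of the default policy, shown only to make the missing lines obvious.

```cisco
! Before (default ASA global policy, other inspections omitted).
! ICMP echo is not tracked as a connection, and the ICMP error
! messages that tracert relies on (time-exceeded from the routers
! beyond the firewall) are not related to any connection either, so
! the ASA drops them on the way back to the Windows host. The probe
! then shows as "* * * Request timed out." for every hop whose reply
! has to cross the firewall.
policy-map global_policy
 class inspection_default
  inspect dns
  inspect ftp

! After: track ICMP echo statefully and let the related ICMP error
! packets (time-exceeded, unreachable) return through the firewall
! to the host that sent the probe. This is what makes the hops behind
! the ASA answer instead of timing out.
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error

! Optional: make the ASA itself appear as a hop. By default the ASA
! does not decrement the IP TTL of transit packets, so it never
! generates a TTL-exceeded message and is invisible to traceroute.
! Decrementing the TTL (available from ASA 7.2(2)) makes it reply
! like a router. Trade-off: the firewall's interface address is then
! disclosed to anyone who can trace through it, so leave this off
! where hiding the firewall is deliberate.
policy-map global_policy
 class class-default
  set connection decrement-ttl

! The rate limit on ICMP unreachables mentioned in the reply above.
! These are the defaults (one message per second, burst of one); the
! limit applies only to unreachables the ASA generates itself and is
! not what causes the timeouts in the trace, so it is shown only so
! the setting can be recognised in a running config.
icmp unreachable rate-limit 1 burst-size 1
```

Apply the "after" lines with `configure terminal`, then rerun `tracert -d` from the Windows host: with `inspect icmp` and `inspect icmp error` in place the routers behind the ASA should answer, and with `set connection decrement-ttl` the ASA's own interface address appears as an additional hop. Check `show service-policy inspect icmp` to confirm the inspection is active on the traffic path.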


