Solved: ASA 5540 - unable to ping inside interface

IgorHamzic · ‎10-10-2008

Hi all. We have recently upgraded from PIX to ASA5540 and we have seen a rather strange thing going on. In a nutshell we can ping the inside interface of the ASA from any network range on our 6500(which is connected directly behind the ASA on the inside) except one in which our monitoring tools are placed. On the inside interface there is an ACL that permits everything from our core networks but it doesn't help which is really strange.

In the ASDM I can see messages like this:

IDS:2004 ICMP echo request from x.x.x.x to y.y.y.y on interface inside. I don't think that this is the problem but I could be wrong.

Here is also the configuration of the VLAN interface for the VLAN from which we cannot ping the inside interface altough we can ping to and from that VLAN and the machines without problem. The only problem is pinging the inside interface of the ASA.

interface Vlanx

ip address x.x.x.x 255.255.255.0

ip directed-broadcast 199

ip accounting output-packets

ip pim sparse-dense-mode

ip route-cache flow

load-interval 30

Did anyone encounter problem like this before? Thanks in advance for any help.

andrew.prince · ‎10-10-2008

Can you post the output of the following on the ASA:-

show route

And the output of your core layer routing device:-

show ip route <>

HTH>

View solution in original post

andrew.prince · ‎10-10-2008

Igor,

You have supplied the wrong config, it's unlikely to be a SVI config issue - rather than a basic routing issue.

Does the ASA know how to get back to the monitoring tools vlan?

route inside x.x.x.x y.y.y.y z.z.z.z

x.x.x.x = monitoring tools vlan IP range

y.y.y.y = subnet mask

z.z.z.z = next hop layer 3 routing IP

HTH>

IgorHamzic · ‎10-10-2008

Yes it can route back to that network because from ASA I can ping all the PC's, servers etc. in that network.

It was the first thing I checked.

andrew.prince · ‎10-10-2008

You are not being consistant - you state above you can ping pc's and server in that network, but your initial post you state "In a nutshell we can ping the inside interface of the ASA from any network range on our 6500(which is connected directly behind the ASA on the inside) except one in which our monitoring tools are placed"

Which actually indicates the monitoring tools are in a seperate network?

Please clarify.

IgorHamzic · ‎10-10-2008

That's right. The monitoring tools are in a separate network. From the ASA we can ping every server,PC etc. in the core LAN no matter in what network they are in.

From the core LAN we can ping the inside interface of the ASA from all networks except from the network in which the monitoring tools are located which is weird because I can ping the monitoring servers from the ASA.

andrew.prince · ‎10-10-2008

Can you post the output of the following on the ASA:-

show route

And the output of your core layer routing device:-

show ip route <>

HTH>

IgorHamzic · ‎10-10-2008

I found the problem. It really was in the routing. I found the problem in the routing table where one digit was off.

Thanks for your help.

andrew.prince · ‎10-10-2008

np - glad to help.

negamartintap · ‎11-26-2014

hello

I have the same problem, but do not understand how the route should be created in the core layer routing device .