Traceroute through ASA 5500 7.2(2)

Aug 7th, 2009

No matter what I do I can't make outbound traceroute through my ASA 5500 work. I've followed Cisco's recommendations and those from fellow posters here for similarly reported problems, but still no luck. What I see is a request time out at each hop except the final destination. I have the following set:


Policy:

policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error

ACL on outside (public) interface:

access-list acl-public extended permit icmp any any echo-reply
access-list acl-public extended permit icmp any any echo
access-list acl-public extended permit icmp any any time-exceeded
access-list acl-public extended permit icmp any any source-quench
access-list acl-public extended permit icmp any any unreachable


Interestingly enough, I can traceroute directly on the ASA to remote sites with no issue, but it fails from all hosts behind both the inside and DMZ interfaces.


I manage two other ASA/PIXs and have no issues with traceroute on those networks, but they are both running 8.0 and not 7.2 (not that this should matter).


Any insight or diagnostic tricks to help determine what might be happening? Thanks!

Kevin Redmon (Cisco Employee) Fri, 08/07/2009 - 19:51

Some of the best tools to use when diagnosing situations like this are packet captures and syslogs. Looking at your configuration above, the only thing that you should really need from an access-list standpoint is 'time-exceeded'. The 'inspect icmp' and 'inspect icmp error' commands should cover the rest.


For the packet captures, you can do the following in 7.2:

access-list TAC extended permit icmp any any

capture capin int inside packet-l 1522 buffer 512000 access-list TAC
capture capout int public packet-l 1522 buffer 512000 access-list TAC


By doing a 'show capture capout', you will be able to see all of the packets that are sent from the ASA's outside interface and what is received. If you download these capture files from the ASA (the easiest way is often 'http:///capture//pcap'), you can open them in Wireshark/Ethereal and read all of the details of the flow(s).


I didn't find any bugs that are related to this issue but there have been a number of bugs resolved since 7.2(2).
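One way to act on the two-capture approach above, as an added example that is not code from this thread: compare the ICMP replies that reach the outside capture with those that appear on the inside capture, so that replies the ASA received but never forwarded (the time-exceeded messages traceroute depends on) stand out. The sample capture lines are constructed in the tcpdump-style text that 'show capture' prints, which is an assumption here; the addresses are documentation ranges and the PAT address 203.0.113.2 is invented.

```python
import re
from collections import defaultdict

# Constructed sample output (format assumed, not taken from the thread).
# Inside host 192.168.1.10 traces to 198.51.100.1 through the ASA, which
# PATs it to 203.0.113.2. Two hop routers answer with ICMP time exceeded.
CAP_OUTSIDE = """
1: 19:51:00.100000 203.0.113.2 > 198.51.100.1: icmp: echo request
2: 19:51:00.120000 203.0.113.1 > 203.0.113.2: icmp: time exceeded in-transit
3: 19:51:00.200000 203.0.113.2 > 198.51.100.1: icmp: echo request
4: 19:51:00.230000 192.0.2.9 > 203.0.113.2: icmp: time exceeded in-transit
5: 19:51:00.300000 203.0.113.2 > 198.51.100.1: icmp: echo request
6: 19:51:00.340000 198.51.100.1 > 203.0.113.2: icmp: echo reply
"""
CAP_INSIDE = """
1: 19:51:00.099000 192.168.1.10 > 198.51.100.1: icmp: echo request
2: 19:51:00.199000 192.168.1.10 > 198.51.100.1: icmp: echo request
3: 19:51:00.299000 192.168.1.10 > 198.51.100.1: icmp: echo request
4: 19:51:00.341000 198.51.100.1 > 192.168.1.10: icmp: echo reply
"""

# "<n>: <timestamp> <src> > <dst>: icmp: <kind>"
LINE = re.compile(r"^\s*\d+:\s+\S+\s+(\S+) > (\S+): icmp: (.+)$")

def parse_capture(text):
    """Return (src, dst, kind) tuples for every ICMP line in a capture dump."""
    pkts = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            pkts.append((m.group(1), m.group(2), m.group(3).strip()))
    return pkts

def replies_by_kind(pkts):
    """Map each ICMP reply kind (anything but echo request) to the set of senders."""
    seen = defaultdict(set)
    for src, _dst, kind in pkts:
        if kind != "echo request":
            seen[kind].add(src)
    return seen

def missing_on_inside(outside_text, inside_text):
    """Reply kinds, with their senders, seen on outside but never forwarded inside."""
    outside = replies_by_kind(parse_capture(outside_text))
    inside = replies_by_kind(parse_capture(inside_text))
    gaps = {}
    for kind, senders in outside.items():
        dropped = sorted(senders - inside.get(kind, set()))
        if dropped:
            gaps[kind] = dropped
    return gaps

if __name__ == "__main__":
    for kind, hops in missing_on_inside(CAP_OUTSIDE, CAP_INSIDE).items():
        print(f"{kind}: received on outside from {hops}, never seen on inside")
```

In practice, replace the two constants with the real output of 'show capture capout' and 'show capture capin'; a non-empty result for 'time exceeded in-transit' is the signature of the request-time-out-at-every-hop symptom described in the question.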

brucegreed Wed, 08/12/2009 - 09:18

Must have been a bug in 7.2(2). I updated to 7.2(4) and it fixed it. Thanks.
