Cannot SSH, ping or SNMP to ASA 8.0(5) interface

Unanswered Question
Feb 19th, 2010

After I upgraded from 8.0(4) to 8.0(5), I lost the ability to monitor and access an interface on my ASA from devices behind that same interface. ASA interface NAC-wifi-dmz2 (10.10.2.10) needs to be monitored by 10.12.1.106 via SNMP, ICMP and SSH. Server 10.12.1.106 is reached via 10.10.2.1 and can be pinged from ASA interface NAC-wifi-dmz2:

*************************************************************************************

interface Ethernet0/0.402
 vlan 402
 nameif NAC-wifi-dmz2
 security-level 0
 ip address 10.10.2.10 255.255.255.0 standby 10.10.2.11

*************************************************************************************

chASA01# ping NAC-wifi-dmz2 10.12.1.106
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.12.1.106, timeout is 2 seconds:
!!!!!

*************************************************************************************

chASA01# sh route NAC-wifi-dmz2 10.12.1.106

Gateway of last resort is 64.125.212.1 to network 0.0.0.0

C    10.10.2.0 255.255.255.0 is directly connected, NAC-wifi-dmz2
S    10.0.0.0 255.0.0.0 [1/0] via 10.10.2.1, NAC-wifi-dmz2
S    10.12.1.106 255.255.255.255 [1/0] via 10.10.2.1, NAC-wifi-dmz2

*************************************************************************************

chASA01# sh run | in snmp
snmp-server host NAC-wifi-dmz2 10.12.1.106 community *****
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart

*************************************************************************************

chASA01# sh run | in ssh
ssh 10.12.1.0 255.255.255.0 NAC-wifi-dmz2
ssh 10.12.1.106 255.255.255.255 NAC-wifi-dmz2
ssh timeout 5

*************************************************************************************

chASA01# sh run icmp
icmp unreachable rate-limit 1 burst-size 1
icmp permit any NAC-wifi-dmz2
icmp permit host 10.12.1.106 echo-reply NAC-wifi-dmz2

*************************************************************************************

chASA01(config)# sh run access-group
access-group 105 in interface NAC-wifi-dmz2

*************************************************************************************

chASA01(config)# sh run | in access-list 105
access-list 105 extended permit tcp any any
access-list 105 extended permit icmp any any
access-list 105 extended permit udp any any
access-list 105 extended permit gre any any
access-list 105 extended permit esp any any

*************************************************************************************


When I try to connect via SNMP, ping and SSH from 10.12.1.106, I get these messages:

%ASA-2-106006: Deny inbound UDP from 10.12.1.106/58078 to 10.10.2.10/161 on interface NAC-wifi-dmz2
%ASA-2-106001: Inbound TCP connection denied from 10.12.1.106/39112 to 10.10.2.10/22 flags SYN  on interface NAC-wifi-dmz2
%ASA-3-106014: Deny inbound icmp src NAC-wifi-dmz2:10.12.1.106 dst NAC-wifi-dmz2:10.10.2.10 (type 8, code 0)


Can someone help me figure out what the problem here is?

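All three denies quoted in the post are to-the-box (management-plane) traffic. On the ASA that traffic is admitted by the ssh, icmp and snmp-server host rules, not by the interface ACL, so access-list 105 is irrelevant to it. The Python below is an added example, not part of the thread or of any Cisco tool: it parses the three syslog formats shown above and replays each denied packet against the posted rules using the documented semantics (ssh and snmp-server host entries list permitted sources per interface; icmp rules are first-match, top-down, with an implicit deny once any rule exists on the interface and everything permitted when none does). The syslog lines and config text are copied from the post; the rule model and the function names are mine.

```python
# Added example: replay the ASA's to-the-box denies against the posted management-plane rules.
# Input below is copied from the forum post, not captured from a live device.
import ipaddress
import re

SYSLOG_LINES = [
    "%ASA-2-106006: Deny inbound UDP from 10.12.1.106/58078 to 10.10.2.10/161 on interface NAC-wifi-dmz2",
    "%ASA-2-106001: Inbound TCP connection denied from 10.12.1.106/39112 to 10.10.2.10/22 flags SYN  on interface NAC-wifi-dmz2",
    "%ASA-3-106014: Deny inbound icmp src NAC-wifi-dmz2:10.12.1.106 dst NAC-wifi-dmz2:10.10.2.10 (type 8, code 0)",
]

CONFIG = """\
ssh 10.12.1.0 255.255.255.0 NAC-wifi-dmz2
ssh 10.12.1.106 255.255.255.255 NAC-wifi-dmz2
ssh timeout 5
icmp unreachable rate-limit 1 burst-size 1
icmp permit any NAC-wifi-dmz2
icmp permit host 10.12.1.106 echo-reply NAC-wifi-dmz2
snmp-server host NAC-wifi-dmz2 10.12.1.106 community *****
"""

RE_106006 = re.compile(
    r"%ASA-\d-106006: Deny inbound (?P<proto>UDP|TCP) from (?P<src>[\d.]+)/(?P<sport>\d+)"
    r" to (?P<dst>[\d.]+)/(?P<dport>\d+) on interface (?P<ifc>\S+)")
RE_106001 = re.compile(
    r"%ASA-\d-106001: Inbound TCP connection denied from (?P<src>[\d.]+)/(?P<sport>\d+)"
    r" to (?P<dst>[\d.]+)/(?P<dport>\d+) flags (?P<flags>.+?)\s+on interface (?P<ifc>\S+)")
RE_106014 = re.compile(
    r"%ASA-\d-106014: Deny inbound icmp src (?P<sifc>[^:\s]+):(?P<src>[\d.]+)"
    r" dst (?P<difc>[^:\s]+):(?P<dst>[\d.]+) \(type (?P<type>\d+), code (?P<code>\d+)\)")

# ICMP type keywords the ASA icmp command accepts that matter here.
ICMP_TYPE_NAMES = {"echo-reply": 0, "unreachable": 3, "echo": 8, "time-exceeded": 11}


def parse_deny(line):
    """Parse one of the three deny message formats into a dict; None for any other message."""
    m = RE_106006.search(line)
    if m:
        return {"proto": m["proto"].lower(), "src": m["src"], "dst": m["dst"],
                "dport": int(m["dport"]), "ifc": m["ifc"]}
    m = RE_106001.search(line)
    if m:
        return {"proto": "tcp", "src": m["src"], "dst": m["dst"],
                "dport": int(m["dport"]), "ifc": m["ifc"], "flags": m["flags"]}
    m = RE_106014.search(line)
    if m:
        return {"proto": "icmp", "src": m["src"], "dst": m["dst"], "ifc": m["difc"],
                "icmp_type": int(m["type"]), "icmp_code": int(m["code"])}
    return None


def parse_config(text):
    """Collect ssh, icmp and snmp-server host rules; other lines (timeouts, rate limits) are skipped."""
    rules = {"ssh": [], "icmp": [], "snmp": []}
    for raw in text.splitlines():
        p = raw.split()
        if not p:
            continue
        if p[0] == "ssh" and len(p) == 4:                    # ssh <ip> <mask> <ifc>
            rules["ssh"].append((ipaddress.IPv4Network(f"{p[1]}/{p[2]}"), p[3]))
        elif p[0] == "icmp" and p[1] in ("permit", "deny"):  # icmp permit|deny <src> [type] <ifc>
            if p[2] == "any":
                net, rest = ipaddress.IPv4Network("0.0.0.0/0"), p[3:-1]
            elif p[2] == "host":
                net, rest = ipaddress.IPv4Network(f"{p[3]}/32"), p[4:-1]
            else:
                net, rest = ipaddress.IPv4Network(f"{p[2]}/{p[3]}"), p[4:-1]
            rules["icmp"].append((p[1], net, rest[0] if rest else None, p[-1]))
        elif p[0] == "snmp-server" and p[1] == "host":        # snmp-server host <ifc> <ip> ...
            rules["snmp"].append((ipaddress.IPv4Address(p[3]), p[2]))
    return rules


def config_verdict(rules, pkt):
    """What the posted rules say should happen to this to-the-box packet."""
    src = ipaddress.IPv4Address(pkt["src"])
    if pkt["proto"] == "icmp":
        on_ifc = [r for r in rules["icmp"] if r[3] == pkt["ifc"]]
        if not on_ifc:
            return "permit"          # no icmp rules on the interface: all ICMP to the box allowed
        for action, net, tname, _ in on_ifc:   # first match wins
            if src in net and (tname is None or ICMP_TYPE_NAMES[tname] == pkt["icmp_type"]):
                return action
        return "deny"                # implicit deny once any icmp rule exists
    if pkt["proto"] == "tcp" and pkt["dport"] == 22:
        return "permit" if any(src in n and i == pkt["ifc"] for n, i in rules["ssh"]) else "deny"
    if pkt["proto"] == "udp" and pkt["dport"] == 161:
        return "permit" if any(src == h and i == pkt["ifc"] for h, i in rules["snmp"]) else "deny"
    return "not-modelled"


def find_unexplained_denies(syslog_lines, config_text):
    """(proto, port or icmp type, verdict) for every logged deny the posted rules do not account for."""
    rules = parse_config(config_text)
    out = []
    for line in syslog_lines:
        pkt = parse_deny(line)
        if pkt is None:
            continue
        verdict = config_verdict(rules, pkt)
        if verdict != "deny":
            out.append((pkt["proto"], pkt.get("dport", pkt.get("icmp_type")), verdict))
    return out


if __name__ == "__main__":
    for proto, target, verdict in find_unexplained_denies(SYSLOG_LINES, CONFIG):
        print(f"{proto}/{target}: ASA denied it, but the posted rules say {verdict}")
```

For all three packets the posted rules evaluate to permit, so the ssh, icmp and snmp-server host configuration as shown does not explain the denies; whatever is dropping them has to be looked for elsewhere (the thread does not reach a root cause). The same replay is useful after any ASA upgrade: feed it the management-plane denies from the syslog server and the current running config, and any packet that comes back as "permit" is a change in behaviour worth chasing.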
Kureli Sankar Fri, 02/19/2010 - 16:57

Does "sh fail" status show OK?

Are you able to ping the standby IP 10.10.2.11?

Remove this: icmp permit host 10.12.1.106 echo-reply NAC-wifi-dmz2, and try the ping again. That line only lets the firewall ping the host and not the other way around.


-KS

ajamua Fri, 02/19/2010 - 19:25

I can ping the standby IP:

-bash-2.05b# ping 10.10.2.11
PING 10.10.2.11 (10.10.2.11): 56 data bytes
64 bytes from 10.10.2.11: icmp_seq=0 ttl=253 time=1.756 ms
64 bytes from 10.10.2.11: icmp_seq=1 ttl=253 time=1.362 ms
64 bytes from 10.10.2.11: icmp_seq=2 ttl=253 time=1.418 ms
^C
--- 10.10.2.11 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max/stddev = 1.362/1.455/1.756/0.138 ms

-bash-2.05b# ping 10.10.2.10
PING 10.10.2.10 (10.10.2.10): 56 data bytes
^C
--- 10.10.2.10 ping statistics ---
9 packets transmitted, 0 packets received, 100% packet loss


And the failover information looks fine:

chASA01# sh fail
Failover On
Failover unit Primary
Failover LAN Interface: wireless-state-int Ethernet0/3 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 9 of 250 maximum
failover replication http
Version: Ours 8.0(5), Mate 8.0(5)
Last Failover at: 21:10:07 EST Feb 13 2010
        This host: Primary - Active
                Active time: 521780 (sec)
                slot 0: ASA5510 hw/sw rev (2.0/8.0(5)) status (Up Sys)
                  Interface NAC-wifi-dmz2 (10.10.2.10): Normal
                  Interface management (10.10.1.15): Normal
                slot 1: empty
        Other host: Secondary - Standby Ready
                Active time: 0 (sec)
                slot 0: ASA5510 hw/sw rev (2.0/8.0(5)) status (Up Sys)
                  Interface NAC-wifi-dmz2 (10.10.2.11): Normal
                  Interface management (10.10.1.16): Normal
                slot 1: empty
