Not able to do tracert on ASA5510

Answered Question
May 17th, 2010

I have an ASA5510, and the first thing I'd like to do is open tracert, so please help with the entry.

Also, our connection is not stable, and sometimes the connection goes down or some sites don't open up. As you go through the configs, you can see it's hard-coded with 1000/full, and the 1841 router that is attached to this is 10/100. Can this be the issue that the connection is not stable, and can we also remove the 1000/full coding and set it to auto-negotiate?

Correct Answer
Jennifer Halim Mon, 05/17/2010 - 21:02

You would also need to add the following:

access-list 100 permit icmp any any

icmp unreachable rate-limit 50 burst-size 6

class-map decrement-ttl-class
  match any

policy-map global_policy
  class inspection_default
    inspect icmp error
  class decrement-ttl-class
    set connection decrement-ttl

Hope that helps.

lawsuites Mon, 05/17/2010 - 21:10

Thank you very much, halijenn.

Can you also give me any advice on our connection issue:

"Also, our connection is not stable, and sometimes the connection goes down or some sites don't open up. As you go through the configs, you can see it's hard-coded with 1000/full, and the 1841 router that is attached to this is 10/100. Can this be the issue that the connection is not stable, and can we also remove the 1000/full coding and set it to auto-negotiate?"

Jennifer Halim Mon, 05/17/2010 - 21:12

Yes, I would suggest that you change it to auto-negotiate on both ends, i.e. the ASA interface as well as the switch/router interface connected to it.

lawsuites Mon, 05/17/2010 - 21:18

Halijenn, that's where I am weak. Can you please give me the entries for how to do that? I don't want to make any mistakes. Thank you again, you have helped me a lot.

Jennifer Halim Mon, 05/17/2010 - 21:22

Is it connected to the router directly, or through a switchport?

Here is the configuration on the ASA:

interface Ethernet0/1
  speed auto
  duplex auto

Please also make sure that you configure the same on the switch port or router port which is connected to the ASA eth0/1 interface.

lawsuites Tue, 05/18/2010 - 18:41

With your help I am able to tracert and able to fix the 1000/full.

One issue: since I made the changes, especially with tracert, suddenly my Blackberry stopped syncing with our server. I can't send or receive email. Does that have anything to do with these changes?

"access-list 100 permit icmp any any

icmp unreachable rate-limit 50 burst-size 6

class-map decrement-ttl-class
  match any

policy-map global_policy
  class inspection_default
    inspect icmp error
  class decrement-ttl-class
    set connection decrement-ttl"

Jennifer Halim Tue, 05/18/2010 - 18:56

Great to hear both issues are resolved. Please kindly mark question answered and rate.

I don't believe the tracert changes impacted the Blackberry communication.

You can try removing the following and see if that resolves the Blackberry communication:

policy-map global_policy
  no class decrement-ttl-class

If that doesn't fix the Blackberry comm, you can place the configuration back in:

policy-map global_policy
  class decrement-ttl-class
    set connection decrement-ttl

Hope that helps.

lawsuites Tue, 05/18/2010 - 19:30

Thanks, will do that. Sorry to keep bothering you, one more question: on tracert, the second hop in the middle, it's lap (I think)... can you advise?

Tracing route to google.com [66.249.91.104]
over a maximum of 30 hops:

  1    <1 ms     1 ms    <1 ms  ..dell switch ip
  2    <1 ms     *       <1 ms  xx.xxx.xxx. ... is this an issue? (This IP comes in on the asa5510 config on the first ethernet 0/0; the wire is connected with the asa5510 and cisco 1841.)
  3     2 ms     2 ms     2 ms  gi0-3.na31.b002958-0.jfk01.atlas.cogentco.com [xx.xxx.xxx.xx]
  4    <1 ms    <1 ms    <1 ms  gi1-46.3929.mpd01.jfk01.atlas.cogentco.com [xx.xx.xx.253]
  5     1 ms    <1 ms    <1 ms  te0-3-0-7.mpd22.jfk02.atlas.cogentco.com [154.54.1.209]
  6     1 ms     1 ms     1 ms  te4-7.mpd01.jfk05.atlas.cogentco.com [154.54.6.50]
  7     1 ms     1 ms     1 ms  te1-1.ccr02.jfk05.atlas.cogentco.com [154.54.3.161]
  8     1 ms     1 ms     1 ms  core1-0-0-8.lga.net.google.com [198.32.118.39]
  9     1 ms     1 ms     1 ms  209.85.248.180
 10     1 ms     1 ms     1 ms  209.85.241.148
 11     1 ms     1 ms     1 ms  lga15s02-in-f104.1e100.net [66.249.91.104]

Jennifer Halim Wed, 05/19/2010 - 00:01

Sorry, can you please clarify your question on the ASA hop? I don't quite understand what you are trying to ask.

lawsuites Wed, 05/19/2010 - 07:18

As you can see on the tracert, the first hop is fine (that is our dell switch); the second hop, which connects with our firewall (asa5510), has * in the middle rather than a number... I am asking, is there packet drop or connection drop when the connection goes through our firewall?

The second hop is like this:   2    <1 ms     *       <1 ms  xx.xxx.xxx.(firewall ip)
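
The pattern asked about above, a `*` on one hop while later hops answer every probe, can be told apart from timeouts that continue to the end of the path. The following Python is an added example, not part of the original thread: it parses Windows tracert output and labels each hop; the sample trace is constructed with documentation addresses, and the labels `reply-limited` and `possible-loss` are names chosen here.

```python
import re

# Constructed sample in Windows tracert format (documentation addresses only).
# Hop 3 is wrapped across two lines, as console output often is when pasted.
SAMPLE = """\
  1    <1 ms     1 ms    <1 ms  192.0.2.1
  2    <1 ms     *       <1 ms  198.51.100.1
  3     2 ms     2 ms     2 ms  edge1.example.net [203.0.1
13.9]
  4     *        *        *     Request timed out.
  5     1 ms     1 ms     1 ms  203.0.113.30
  6     1 ms     *        1 ms  203.0.113.40
  7     *       12 ms     *     203.0.113.50
"""

# hop number, three probe results ("<1 ms", "12 ms" or "*"), then the target
HOP = re.compile(r"^\s*(\d+)\s+((?:(?:<?\d+ ms|\*)\s+){3})(.*)$")

def parse_tracert(text):
    """Return [(hop, timeouts_out_of_3, target), ...] from tracert output."""
    hops = []
    for line in text.splitlines():
        m = HOP.match(line)
        if m:
            lost = m.group(2).split().count("*")
            hops.append([int(m.group(1)), lost, m.group(3).strip()])
        elif hops and line.strip():
            hops[-1][2] += line.strip()  # rejoin a wrapped hostname/address
    return [tuple(h) for h in hops]

def classify(hops):
    """Timeouts count as possible loss only if every later hop also has some."""
    verdicts = {}
    for i, (n, lost, _) in enumerate(hops):
        if lost == 0:
            verdicts[n] = "ok"
        elif all(l > 0 for _, l, _ in hops[i + 1:]):
            verdicts[n] = "possible-loss"   # timeouts persist to the end of the path
        else:
            verdicts[n] = "reply-limited"   # some later hop answered every probe
    return verdicts

if __name__ == "__main__":
    for hop, verdict in classify(parse_tracert(SAMPLE)).items():
        print(hop, verdict)
```

A `reply-limited` hop is consistent with the device limiting or deprioritizing its own ICMP replies rather than dropping forwarded traffic; with only three probes per hop, `possible-loss` is a prompt to retest, not a conclusion.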

lawsuites Wed, 05/19/2010 - 19:06

Sorry to keep bothering you... one more question... since I made the change for tracert and 1000/full, Outlook outgoing messages started getting stuck in the queue (on the server)... is this somehow related to this entry?

I removed the 1000/full on the 0/1 ethernet and made it auto... this line connects the firewall to our dell switch... any suggestions?

Jennifer Halim Wed, 05/19/2010 - 22:51

I don't think the mail issue is related, unless the particular interface that you changed to auto-negotiate didn't negotiate to the right speed and duplex.

You can hard code it to the same speed on both the ASA interface and the Dell switch interface. Just make sure that they are exactly the same. Prior to the change, your switch is on 10/100 while the ASA is on 100/1000, and you have manually hard coded it to 1000, hence it's not matching.
