cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
5528
Views
0
Helpful
17
Replies

traceroute througth asa is not working when ecmp error inspection is enabled

Eugene Khabarov
Level 7
Level 7

Hello, dear All!

I have problem with icmp traceroute configuration. When I enabling icmp error inspection in global policy, my traceroute results through ASA 8.2.4 looks like this:

                                                                             My traceroute  [v0.75]

                                                                                                                                     Tue Jun  7 13:33:01 2011

Keys:  Help   Display mode   Restart statistics   Order of fields   quit

                                                                                                                                        Packets               Pings

Host                                                                                                                                 Loss%   Snt   Last   Avg  Best  Wrst StDev

1. 192.168.1.247                                                                                                                      0.0%     2    0.3   0.4   0.3   0.4   0.0

2. ???

3. ???

4. ???

5. ???

6. ???

7. ???

8. destination.lan                                                                                                                  0.0%     1   29.2  29.2  29.2  29.2   0.0

When ICMP error inspection is disabled, my results looks better, but still not all hops in the path:

                                                                             My traceroute  [v0.75]

                                                                                                                                      Tue Jun  7 13:32:44 2011

Keys:  Help   Display mode   Restart statistics   Order of fields   quit

                                                                                                                                        Packets               Pings

Host                                                                                                                                 Loss%   Snt   Last   Avg  Best  Wrst StDev

1. 192.168.1.247                                                                                                                      0.0%    36    0.5   0.4   0.3   0.5   0.1

2. core-asa.lan                                                                                                                    0.0%    35    0.3   0.5   0.3   1.8   0.4

3. ???

4. ???

5. 123.123.123.1                                                                                                                        0.0%    35    2.5   5.9   1.9  41.6   9.2

6. 123.123.123.57                                                                                                                       0.0%    35   28.7  30.3  27.2 107.7  13.5

7. 123.123.123.58                                                                                                                       0.0%    35   28.4  28.6  27.6  32.9   1.0

8. destination.lan                                                                                                                  0.0%    35   29.1  30.2  28.9  33.4   0.9

icmp inspection and ttl decrement on ASA is enabled. Also I configured ACL on outside interface to permit ICMP completely.

What's the problem? Thanks in advance.

2 Accepted Solutions

Accepted Solutions

I would get to the two devices that do not show up and see if they are not blocking/not sending time exceeded message.

-KS

View solution in original post

17 Replies 17

varrao
Level 10
Level 10

Hi Eugene,

I would request you to follow the doc below to configure ASA for traceroute:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml#intro

Hope this helps.

Thanks,

Varun

Thanks,
Varun Rao

Hi! Thanks. But I already performed this at first step.

Can you please paste your MPF configuration? This should include all class-map, policy-map and service-policy commands you have configured. Note: you can use "show service-policy" to see if your configured policies are being matched.

Thanks,

Brendan

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect sqlnet

  inspect sunrpc

  inspect xdmcp

  inspect sip 

  inspect netbios

  inspect tftp

  inspect pptp

  inspect mgcp

  inspect snmp

  inspect ip-options

  inspect ftp

  inspect icmp

class NETFLOW_ALL_CLASS

  flow-export event-type all destination 192.168.1.202

class csc_class

  csc fail-open

class class-default

  set connection decrement-ttl

!

Global policy:

  Service-policy: global_policy

    Class-map: inspection_default

      Inspect: dns preset_dns_map, packet 488771211, drop 610643, reset-drop 0

      Inspect: h323 h225 _default_h323_map, packet 44707, drop 0, reset-drop 916

               tcp-proxy: bytes in buffer 0, bytes dropped 66210

      Inspect: h323 ras _default_h323_map, packet 127581, drop 1466, reset-drop 0

      Inspect: rsh, packet 22369, drop 0, reset-drop 0

      Inspect: rtsp, packet 3404318, drop 0, reset-drop 0

               tcp-proxy: bytes in buffer 0, bytes dropped 259440

      Inspect: sqlnet, packet 226321, drop 0, reset-drop 0

      Inspect: sunrpc, packet 7878, drop 412, reset-drop 338

               tcp-proxy: bytes in buffer 0, bytes dropped 28

      Inspect: xdmcp, packet 350, drop 36, reset-drop 0

      Inspect: sip , packet 2308307, drop 0, reset-drop 0

               tcp-proxy: bytes in buffer 0, bytes dropped 0

      Inspect: netbios, packet 151697978, drop 0, reset-drop 0

      Inspect: tftp, packet 401488316, drop 664, reset-drop 0

      Inspect: pptp, packet 40620, drop 0, reset-drop 0

      Inspect: mgcp, packet 1449, drop 0, reset-drop 0

      Inspect: snmp, packet 561762523, drop 0, reset-drop 0

      Inspect: ip-options _default_ip_options_map, packet 0, drop 0, reset-drop 0

      Inspect: ftp, packet 3494988544, drop 4146, reset-drop 1541

      Inspect: icmp, packet 2173761, drop 2927, reset-drop 0

    Class-map: NETFLOW_ALL_CLASS

    Class-map: csc_class

      CSC: packet sent 323573774

      CSC: packet received 345081778

    Class-map: class-default

      Default Queueing      Set connection policy:         drop 0

      Set connection decrement-ttl

I suspect the class-map is not getting hit at all so the TTL is never being decremented. The reason is due to the ASA

only matching the first class it finds for each feature type. It is not matching the class you intend, instead I think it is matching your NETFLOW_ALL_CLASS class or possibly your csc_class. How are these classes configured?

Feature Matching Within a Service Policy

Thanks,

Brendan

MSK-iASA5520CSC-t10-u1# sh running-config class-map NETFLOW_ALL_CLASS

!

class-map NETFLOW_ALL_CLASS

match access-list NETFLOW_ALL_EXPORT

!

MSK-iASA5520CSC-t10-u1# sh running-config class-map csc_class

!

class-map csc_class

match access-list csc_inout

!

MSK-iASA5520CSC-t10-u1# sh access-list NETFLOW_ALL_EXPORT

access-list NETFLOW_ALL_EXPORT; 1 elements; name hash: 0xcb1355f3

access-list NETFLOW_ALL_EXPORT line 1 extended permit ip any any (hitcnt=384518) 0x7fd5e24c

MSK-iASA5520CSC-t10-u1# sh access-list csc_inout

access-list csc_inout; 8 elements; name hash: 0x838c79c5

access-list csc_inout line 1 extended permit tcp host 192.168.1.2 any eq www (hitcnt=1641) 0x9c990a55

access-list csc_inout line 2 extended permit tcp host 192.168.1.11 any eq www (hitcnt=742) 0x31cec72a

access-list csc_inout line 3 extended permit tcp host 192.168.1.2 any eq ftp (hitcnt=0) 0x716d034b

access-list csc_inout line 4 extended permit tcp host 192.168.1.11 any eq ftp (hitcnt=0) 0xb0426519

access-list csc_inout line 5 extended permit tcp host 10.143.4.5 any eq www (hitcnt=6144) 0xbd0bdd39

access-list csc_inout line 6 extended permit tcp host 10.143.4.5 any eq ftp (hitcnt=0) 0x60b4726f

access-list csc_inout line 7 extended permit tcp host 10.143.4.5 any eq smtp (hitcnt=0) 0x92815168

access-list csc_inout line 8 extended permit tcp host 10.143.4.5 any eq pop3 (hitcnt=0) 0x0986ac75

I modified my policy-map configuration, so now it looks like this:

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect sqlnet

  inspect sunrpc

  inspect xdmcp

  inspect sip 

  inspect netbios

  inspect tftp

  inspect pptp

  inspect mgcp

  inspect snmp

  inspect ip-options

  inspect ftp

  inspect icmp

class csc_class

  csc fail-open

class class-default

  set connection decrement-ttl

  flow-export event-type all destination 192.168.1.202

!

but still two hops missing.

You're missing 'inspect icmp error'. Also, not all traceroutes use ICMP traffic. Are you sure your traceroute program isn't using TCP or UDP and the traffic is being blocked by an ACL? Note: The replies when the ttl expires are always ICMP.

Thanks,

Brendan

This is the core problem. When I enabling icmp error inspection - I can't see any hops except first and last as I already said in first message.

This traceroute program using only icmp. Standard unix traceroute with flag -I say the same - two hops missing without icmp error inspection and only first and last shown if there is icmp error inspection enabled.

For trace route to work, in addition to icmp and icmp error inspection enabled you also need to allow

icmp time-exceeded and icmp unreachable via ACL from the outside to the inside (low to high) allowed.

Refer this link:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml

If you need the ASA to show up as one of the hops then, you need to do this in addition to the above:(you already have this configured)

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/s1.html#wp1395966

-KS

Thank you. But as i already mentioned, all icmp traffic is allowed in outside acl.

ASA OS was upgrade to 8.2.5 also.

I would get to the two devices that do not show up and see if they are not blocking/not sending time exceeded message.

-KS

You right. The problem was with intermediate devices. But I still can't make it works when ICMP error inspection is enabled.

Well, got to go with asp drop captures and  icmp packets ingress and egress.

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCti20726

-KS

Well, got to go with asp drop captures and  icmp packets ingress and egress.

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCti20726

-KS

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: