Community Member

ASA5505 do not allow ping to connected vlan

Hi All,

We have an ASA5505 which does not allow ping to connected VLANs.

PCA -- CRSW -- ASA5510  -----------VPN----------- ASA5505  -- SW -- Users (PCX)

ASA5505

Data Vlan - 10.9.2.253

XX Vlan - 10.9.3.253

SW -- 10.9.2.1

PCX - 10.9.2.10

PCA can ping 10.9.2.253, but cannot ping 10.9.2.1 and 10.9.2.10. Below is the packet tracer, which says host-limit block:

Can I get any suggestions please? Many thanks for the support.

cheers..

BJ-FW01# packet-tracer input daTA-VLAN icmp 10.9.2.1 8 0 10.3.1.5 detailed

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xca126b60, priority=1, domain=permit, deny=false
        hits=425, user_data=0x0, cs_id=0x0, l3_type=0x8
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0100.0000.0000
        input_ifc=DATA-VLAN, output_ifc=any

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         OUTSIDE

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group ACL_DATA-VLAN in interface DATA-VLAN
access-list ACL_DATA-VLAN extended permit icmp any any echo
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xca16fa70, priority=13, domain=permit, deny=false
        hits=35, user_data=0xc82824b0, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
        src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=8
        dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, dscp=0x0
        input_ifc=DATA-VLAN, output_ifc=any

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xca12a9c8, priority=0, domain=inspect-ip-options, deny=true
        hits=235, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=DATA-VLAN, output_ifc=any

Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xca12a5b0, priority=66, domain=inspect-icmp-error, deny=false
        hits=40, user_data=0xca129bc8, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
        src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, dscp=0x0
        input_ifc=DATA-VLAN, output_ifc=any

Phase: 6
Type: HOST-LIMIT
Subtype:
Result: DROP
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xc72790a0, priority=0, domain=host-limit, deny=false
        hits=221, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=DATA-VLAN, output_ifc=any

Result:
input-interface: DATA-VLAN
input-status: up
input-line-status: up
output-interface: OUTSIDE
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Accepted Solution

ASA5505 do not allow ping to connected vlan

Hello Sr,

This basically means that you are reaching the host count limit.

If you do a show version you will see the number of hosts that can use the ASA.

Do a show local-host and compare the outputs to see if you are indeed reaching the limit.

For Networking Posts check my blog at http://www.laguiadelnetworking.com/category/english/

Cheers,

Julio Carvajal Segura

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
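As an added example (not part of the thread, and not Cisco code), the comparison Julio asks for can be scripted: parse the "Inside Hosts" line from the licence block of show version, parse the per-interface "N active, M maximum active, D denied" summary lines from show local-host, and report whether the inside host count has reached the licensed limit. Both sample outputs below are constructed for this example and only mimic the field layout of the real commands; the assumption that every interface except the one named OUTSIDE counts toward the limit is also mine, as is every function name.

```python
import re
from typing import Dict, Optional

# Constructed sample of the licence block that `show version` prints on an
# ASA 5505 with a 10-host licence. Field names follow the real output; the
# values are made up for this example.
SHOW_VERSION = """\
Licensed features for this platform:
Maximum Physical Interfaces       : 8              perpetual
VLANs                             : 3              DMZ Restricted
Dual ISPs                         : Disabled       perpetual
VLAN Trunk Ports                  : 0              perpetual
Inside Hosts                      : 10             perpetual
Failover                          : Disabled       perpetual
"""

# Constructed sample of the per-interface summary lines from
# `show local-host`, with the per-host detail left out.
SHOW_LOCAL_HOST = """\
Interface OUTSIDE: 1 active, 2 maximum active, 0 denied
Interface DATA-VLAN: 8 active, 10 maximum active, 4 denied
Interface XX-VLAN: 2 active, 3 maximum active, 1 denied
"""

INSIDE_HOSTS_RE = re.compile(r"^Inside Hosts\s*:\s*(\S+)", re.MULTILINE)
IFC_SUMMARY_RE = re.compile(
    r"^Interface (\S+): (\d+) active, (\d+) maximum active, (\d+) denied",
    re.MULTILINE,
)


def parse_host_limit(show_version: str) -> Optional[int]:
    """Return the licensed inside-host limit, or None when it is Unlimited.

    Raises ValueError when the output carries no Inside Hosts line (for
    example when it was taken from a platform without a host licence)."""
    m = INSIDE_HOSTS_RE.search(show_version)
    if m is None:
        raise ValueError("no 'Inside Hosts' line in show version output")
    value = m.group(1)
    return None if value.lower() == "unlimited" else int(value)


def parse_local_host_summary(show_local_host: str) -> Dict[str, Dict[str, int]]:
    """Map each interface to its active / maximum active / denied host counts."""
    summary: Dict[str, Dict[str, int]] = {}
    for ifc, active, max_active, denied in IFC_SUMMARY_RE.findall(show_local_host):
        summary[ifc] = {
            "active": int(active),
            "max_active": int(max_active),
            "denied": int(denied),
        }
    return summary


def host_limit_report(limit: Optional[int], summary: Dict[str, Dict[str, int]],
                      outside_ifc: str = "OUTSIDE") -> dict:
    """Compare inside-host usage with the licence limit.

    Assumption (mine, not from the thread): hosts on every interface except
    the outside-facing one, named by `outside_ifc`, count toward the limit.
    `inside_peak` adds up per-interface peaks, which need not have been
    concurrent, so treat it as an upper bound."""
    inside = {ifc: c for ifc, c in summary.items() if ifc != outside_ifc}
    inside_active = sum(c["active"] for c in inside.values())
    inside_peak = sum(c["max_active"] for c in inside.values())
    denied = sum(c["denied"] for c in inside.values())
    at_limit = limit is not None and inside_active >= limit
    return {
        "limit": limit,
        "inside_active": inside_active,
        "inside_peak": inside_peak,
        "denied": denied,
        "at_limit": at_limit,
        "headroom": None if limit is None else max(limit - inside_active, 0),
    }


if __name__ == "__main__":
    limit = parse_host_limit(SHOW_VERSION)
    report = host_limit_report(limit, parse_local_host_summary(SHOW_LOCAL_HOST))
    print(f"licensed inside hosts : {'unlimited' if limit is None else limit}")
    print(f"inside hosts active   : {report['inside_active']} (peak <= {report['inside_peak']})")
    print(f"hosts denied so far   : {report['denied']}")
    if report["at_limit"]:
        print("at the host limit: flows from new inside hosts hit the HOST-LIMIT phase")
    elif report["denied"]:
        print("below the limit now, but hosts have been denied: compare peak usage with the limit")
```

Run it against the real outputs by pasting them into the two string constants. A non-zero "denied" column on an inside interface while the active count sits below the limit is the pattern worth a second look, since it points at the limit having been hit earlier or at the count not matching the licence.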
3 REPLIES

Community Member

ASA5505 do not allow ping to connected vlan

Many thanks for the quick reply. We got it fixed: as you mentioned, the log showed "license host limit exc.. 0". On further checking we learned that version 8.4(6) had this issue; we downgraded to 8.4(5) and that fixed the issue.

Thanks again.

cheers.

ASA5505 do not allow ping to connected vlan

Hello,

Exactly, there is a bug related to that (that's why I wanted the show version).

Please mark the question as answered.

For Networking Posts check my blog at http://www.laguiadelnetworking.com/category/english/

Cheers,

Julio Carvajal Segura

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC