Cisco ASA failover can't ping gateway

isoalbert
Level 1

I'm currently trying to set up a failover network for my Cisco ASA 55x0 using the SLA tracking. I have the "outside" interface (network 89.x.x.48/29) and the "outside2" interface (network 192.168.70.0/24).

  track 1 rtr 1 reachability
  sla monitor 1
    type echo protocol ipIcmpEcho 89.x.x.49 interface outside
  sla monitor  schedule 1 start-time now life forever
  route outside 0.0.0.0 0.0.0.0 89.x.x.49 128  track 1

As you can see, I set up the ping on IP 89.x.x.49; this one replies when I ping it from my computer, which is in the "inside" network:

$ ping 89.x.x.49

Pinging 89.x.x.49 with 32 bytes of data:
Reply from 89.x.x.49: bytes=32 time=1ms TTL=255
Reply from 89.x.x.49: bytes=32 time=1ms TTL=255
Reply from 89.x.x.49: bytes=32 time=1ms TTL=255
Reply from 89.x.x.49: bytes=32 time=1ms TTL=255

Ping statistics for 89.x.x.49:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 1ms, Maximum = 1ms, Average = 1ms

In the picture there is my problem: it seems there is a rule on the Cisco that blocks all the echo-replies from the IP 89.x.x.49 to the firewall, even though I can reach it from my computer and it can reply to my computer.

Accepted Solution

Hi,

This is the culprit:

icmp deny any outside

just do this:

config t

icmp permit 89.x.x.49 255.255.255.255 outside

Regards

Alain

Don't forget to rate helpful posts.
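
The accepted fix narrowed to the one message type the SLA probe needs, as an added example that is not part of the original posts: the ASA checks the `icmp` rules for an interface first-match with an implicit deny at the end, so the permit for the gateway has to end up ahead of `icmp deny any outside`. It assumes SLA monitor 1 and track 1 exactly as configured in the question.

```cisco
! Added example, not from the thread. 89.x.x.49 is the thread's own
! redacted gateway address, polled by "sla monitor 1" on "outside".

! Before (from "sh run icmp" in the thread): every ICMP packet addressed
! to the outside interface itself is dropped, including the gateway's
! echo-replies to the SLA probe, so the probe times out.
!   icmp deny any outside

configure terminal
 ! 1. Allow only echo-reply, and only from the monitored gateway.
 icmp permit host 89.x.x.49 echo-reply outside
 ! 2. Remove the old catch-all deny that currently matches first.
 !    The implicit deny behind the permit keeps the interface closed.
 no icmp deny any outside
 ! 3. Optional: re-enter the deny so the intent stays visible in the
 !    running config, now after the permit.
 icmp deny any outside
 end

! Verify the rule order, then the probe, the track object and the route.
show running-config icmp
show sla monitor operational-state 1
show track 1
show route
```

These `icmp` rules only govern ICMP addressed to the ASA's own interface; pings passing through the firewall, such as the one from the inside host in the question, are handled by the normal access rules.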


4 Replies

isoalbert
Level 1

Here is the capture on the outside interface; the behavior seems correct, but the Cisco ASA always denies all the echo-replies toward it.

Hi,

Can you post the sh run icmp output?

Regards

Alain

Don't forget to rate helpful posts.


firewall# sh run icmp

icmp unreachable rate-limit 1 burst-size 1

icmp deny any outside

I think you found where my problem is :-)
