Cisco Support Community
New Member

Cisco ASA failover can't ping gateway

I'm currently trying to set up a failover network for my Cisco ASA 55x0 using SLA tracking. I have the "outside" interface (network 89.x.x.48/29) and the "outside2" interface (network 192.168.70.0/24).

  track 1 rtr 1 reachability
  sla monitor 1
    type echo protocol ipIcmpEcho 89.x.x.49 interface outside
  sla monitor schedule 1 start-time now life forever
  route outside 0.0.0.0 0.0.0.0 89.x.x.49 128 track 1

As you can see, I set up the ping on IP 89.x.x.49; this one replies when I try to ping it from my computer, which is in the "inside" network:

$ ping 89.x.x.49

Pinging 89.x.x.49 with 32 bytes of data:
Reply from 89.x.x.49: bytes=32 time=1ms TTL=255
Reply from 89.x.x.49: bytes=32 time=1ms TTL=255
Reply from 89.x.x.49: bytes=32 time=1ms TTL=255
Reply from 89.x.x.49: bytes=32 time=1ms TTL=255

Ping statistics for 89.x.x.49:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 1ms, Maximum = 1ms, Average = 1ms

The picture shows my problem: it seems there is a rule on the Cisco that blocks all the echo-replies from the IP 89.x.x.49 to the firewall, even though I can reach it using my computer and it can reply to my computer.

Accepted Solutions
Purple

Hi,

This is the culprit:

icmp deny any outside

just do this:

config t

icmp permit 89.x.x.49 255.255.255.255 outside

Regards

Alain

Don't forget to rate helpful posts.
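
An added example, not part of the original thread: the ICMP rule change from the answer above, ordered so the permit is evaluated before the existing deny (the ASA matches an interface's `icmp` rules top-down, first match wins, and new entries are appended), followed by checks that the SLA probe and tracked route recover. Narrowing the permit to `echo-reply` is a choice made here, and 89.x.x.49 is the thread's masked address kept as a placeholder.

```cisco
! Before (from the thread): every ICMP packet addressed to the ASA's own
! outside interface is dropped, including the replies to SLA monitor 1.
!   icmp deny any outside
!
configure terminal
 ! Remove the deny first; a permit added while it is still in place would be
 ! appended after it and never match.
 no icmp deny any outside
 ! Allow only echo-replies from the monitored gateway to the interface itself.
 ! Substitute the real gateway address for the masked 89.x.x.49.
 icmp permit host 89.x.x.49 echo-reply outside
 ! Re-add the deny so all other ICMP to the outside interface stays blocked.
 icmp deny any outside
 end
!
! Checks after the change:
! 1. The permit must be listed above the deny.
show running-config icmp
! 2. The probe should no longer report a timeout.
show sla monitor operational-state 1
! 3. Track 1 should report the gateway as reachable.
show track 1
! 4. The tracked default route via 89.x.x.49 should be back in the routing table.
show route
```

These `icmp` rules only govern traffic addressed to the ASA's own interfaces, which is why the ping from the inside host through the firewall succeeded while the firewall's own probe failed.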

4 REPLIES
New Member

Here is the capture on the outside interface; the behavior seems correct, but the Cisco ASA always denies all the echo-replies toward it.

Purple

Hi,

Can you post the sh run icmp output?

Regards

Alain

Don't forget to rate helpful posts.

New Member

firewall# sh run icmp

icmp unreachable rate-limit 1 burst-size 1

icmp deny any outside

I think you found where my problem is :-)
