
Reverse Route Verification on ASA

I was testing to see if I was having asymmetric routing to an ASA inside interface from a router. The following does not work, and on the ASA I get error ASA-3-313001: Denied ICMP type=8, code=0 ....

R1#ping
Protocol [ip]:
Target IP address: x.x.x.x
Repeat count [5]: 2
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: n.n.n.n
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]: R
Number of hops [ 9 ]:
Loose, Strict, Record, Timestamp, Verbose[RV]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 2, 100-byte ICMP Echos to x.x.x.x, timeout is 2 seconds:
Packet sent with a source address of n.n.n.n
Packet has IP options:  Total option bytes= 39, padded length=40

Record route: <*>
   (0.0.0.0)
   (0.0.0.0)
   (0.0.0.0)
   (0.0.0.0)
   (0.0.0.0)
   (0.0.0.0)
   (0.0.0.0)
   (0.0.0.0)
   (0.0.0.0)

Request 0 timed out
Request 1 timed out

However this works fine when I do a simple source ping.

R1# ping x.x.x.x source n.n.n.n

Anyone have any idea what the ASA might be doing with the Record option?


Reverse Route Verification on ASA

We are missing info,

Where is the router located?

What NAT do you have in place?

Looking for some Networking Assistance? 
Contact me directly at jcarvaja@laguiadelnetworking.com

I will fix your problem ASAP.

Cheers,

Julio Carvajal Segura
http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
Community Member

Reverse Route Verification on ASA

Sorry, I forgot to say this is strictly from a router (5 hops away) on the inside going to the ASA inside interface.

Community Member

Reverse Route Verification on ASA

I think I figured it out. Max hop count allowed is 9 here, which results in the request timing out for the return path.

The error on the ASA though is questionable. Either way it is not a concrete test because of the > 9 hops.

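The ping output in the question reports 39 option bytes padded to 40, with nine empty slots. As an added example (not code from the thread or from Cisco), this Python sketch builds that Record Route option as RFC 791 lays it out and shows the slots filling hop by hop. The 192.0.2.x addresses and hop counts are constructed, and the option is assumed to be the first one in the IP header.

```python
import socket

IPOPT_RR = 7           # Record Route option type (RFC 791)
MAX_OPTIONS_LEN = 40   # 60-byte maximum IPv4 header minus the 20 fixed bytes


def build_rr_option(slots):
    """Return an empty Record Route option with `slots` address slots, padded to 4 bytes."""
    length = 3 + 4 * slots                # type + length + pointer, then the slots
    if length > MAX_OPTIONS_LEN:
        raise ValueError(f"{slots} slots need {length} bytes, limit is {MAX_OPTIONS_LEN}")
    opt = bytes([IPOPT_RR, length, 4]) + bytes(4 * slots)   # pointer starts at 4
    return opt + bytes(-len(opt) % 4)     # End-of-Options (0x00) padding


def record_hop(options, addr):
    """Do what a forwarding router does; return (new_options, recorded?)."""
    opt = bytearray(options)
    length, pointer = opt[1], opt[2]
    if pointer > length:                  # route data area is full
        return bytes(opt), False          # forwarded without recording
    opt[pointer - 1:pointer + 3] = socket.inet_aton(addr)   # pointer is 1-based
    opt[2] = pointer + 4
    return bytes(opt), True


def parse_rr(options):
    """Return (recorded addresses, free slots) for an option that starts with RR."""
    if options[0] != IPOPT_RR:
        raise ValueError("first option is not Record Route")
    length, pointer = options[1], options[2]
    used, total = (pointer - 4) // 4, (length - 3) // 4
    addrs = [socket.inet_ntoa(options[3 + 4 * i:7 + 4 * i]) for i in range(used)]
    return addrs, total - used


def walk_path(hops, slots=9):
    """Push one packet through `hops` routers; return (addresses, free, unrecorded)."""
    opt, missed = build_rr_option(slots), 0
    for n in range(1, hops + 1):
        opt, ok = record_hop(opt, f"192.0.2.{n}")   # constructed addresses
        missed += not ok
    return (*parse_rr(opt), missed)


if __name__ == "__main__":
    print(len(build_rr_option(9)), "bytes on the wire")
    print(walk_path(12))
```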