Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1393
Views
0
Helpful
5
Replies

Strange PING Problem ( ASA and Router )

karthikaravind
Level 1
Level 1

‎11-14-2010 04:41 PM - edited ‎03-11-2019 12:09 PM

Scenario:
R1 ---->>> (inside interface e0/0 sec-level 100) ASA 8.02 (outside interface e0/1 sec-level 0 ) <<<---- R2
All are directly connected.No Switch between them.

ASA Configuration:

ASA1(config)# sh run access-list 
access-list ICMP_OUT extended permit icmp any any

ASA1(config)# sh run access-group
access-group ICMP_OUT in interface inside
access-group ICMP_OUT out interface inside
access-group ICMP_OUT in interface outside
access-group ICMP_OUT out interface outside

!
interface Ethernet0/0
description ASA->R1
nameif inside
security-level 100
ip address 10.1.1.1 255.255.255.0
!
interface Ethernet0/1
description ASA->R2
nameif outside
security-level 0
ip address 20.1.1.1 255.255.255.0
!

Debug Messages When I try to Ping from R1 to R2

R1:
R1#ping 20.1.1.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 20.1.1.2, timeout is 2 seconds:
....
*Mar  1 00:40:59.795: ICMP: echo reply rcvd, src 20.1.1.2, dst 10.1.1.2
*Mar  1 00:40:59.799: ICMP: echo reply rcvd, src 20.1.1.2, dst 10.1.1.2.
Success rate is 0 percent (0/5)
R1#
*Mar  1 00:41:02.315: ICMP: echo reply rcvd, src 20.1.1.2, dst 10.1.1.2
*Mar  1 00:41:02.367: ICMP: echo reply rcvd, src 20.1.1.2, dst 10.1.1.2
*Mar  1 00:41:02.719: ICMP: echo reply rcvd, src 20.1.1.2, dst 10.1.1.2

ASA1:

ASA1(config)# ICMP echo request from inside:10.1.1.2 to outside:20.1.1.2 ID=7 seq=0 len=72
ICMP echo request from inside:10.1.1.2 to outside:20.1.1.2 ID=7 seq=1 len=72
ICMP echo reply from outside:20.1.1.2 to inside:10.1.1.2 ID=7 seq=0 len=72
ICMP echo reply from outside:20.1.1.2 to inside:10.1.1.2 ID=7 seq=1 len=72
ICMP echo request from inside:10.1.1.2 to outside:20.1.1.2 ID=7 seq=2 len=72
ICMP echo request from inside:10.1.1.2 to outside:20.1.1.2 ID=7 seq=3 len=72
ICMP echo reply from outside:20.1.1.2 to inside:10.1.1.2 ID=7 seq=2 len=72
ICMP echo reply from outside:20.1.1.2 to inside:10.1.1.2 ID=7 seq=3 len=72
ICMP echo request from inside:10.1.1.2 to outside:20.1.1.2 ID=7 seq=4 len=72
ICMP echo reply from outside:20.1.1.2 to inside:10.1.1.2 ID=7 seq=4 len=72  

R2:

R2#
*Mar  1 00:39:56.403: ICMP: echo reply sent, src 20.1.1.2, dst 10.1.1.2
*Mar  1 00:39:56.407: ICMP: echo reply sent, src 20.1.1.2, dst 10.1.1.2
R2#
*Mar  1 00:40:00.415: ICMP: echo reply sent, src 20.1.1.2, dst 10.1.1.2
*Mar  1 00:40:00.419: ICMP: echo reply sent, src 20.1.1.2, dst 10.1.1.2
R2#
*Mar  1 00:40:03.031: ICMP: echo reply sent, src 20.1.1.2, dst 10.1.1.2
R2#

From the above debugs we can see that R2 has sent the reply , ASA in permitting the reply and R1 is receiving the reply.
But R1 shows success as 0%.
Also to note that my IOS is perfect and this problem occurs when I introduce ASA Between only.

Could someone help me out ?

Labels:
0 Helpful
5 Replies 5

Jennifer Halim
Cisco Employee
Cisco Employee

‎11-14-2010 04:47 PM

Please enable ICMP inspection on the global policy-map and test again.

0 Helpful

karthikaravind
Level 1
Level 1
In response to Jennifer Halim

‎11-14-2010 05:03 PM

While enabling ICMP inspection can be considered...

But a quick look at the debug messages the following can be concluded.

R1: Is getting the Ping responses.

ASA : Is receiving the request from R1 to R2 and sending the responses back to R1

R2: Is sending back the ping responses.

The problem is that R1 is showing 0% success despite it has received all the responses back.

This is my thought.Please correct me if I am wrong .

I would like to add that the following pings are successful.

R1 -> ASA Inside Interface

R2 -> ASA Outside Interface

ASA -> R1 and ASA -> R2

Message was edited by: karthikeyan M

0 Helpful

Jennifer Halim
Cisco Employee
Cisco Employee
In response to karthikaravind

‎11-14-2010 05:10 PM

Actually, yes, you are right.

Just having a look at the debug again, and R1 actually did receive the Echo Reply, but not showing it as successful ping.

I am assuming that you don't have ACL applied to R1 interface, right?

If R1 actually receives the reply, it doesn't seem to be an issue with the ASA eventhough it worked before without the ASA.

0 Helpful

karthikaravind
Level 1
Level 1
In response to Jennifer Halim

‎11-14-2010 06:45 PM

No Access-lists at R1's interface

0 Helpful

Jennifer Halim
Cisco Employee
Cisco Employee
In response to karthikaravind

‎11-14-2010 06:56 PM

Can you try with a different host, ie: maybe with a PC directly connected to ASA inside interface and see if ping works?

Might also try to reload the router. Don't see a reason why it won't show successful ping even though it receives the reply.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card