Traceroute issue in ASA (not solved by other threads)

adrianopinaffo1
Level 1

Hello,

I know this has been going on for a long time, but I'm facing the traceroute issue in the ASA. Weirdly enough, I can reach the destination using traceroute with no problem, but I can't see the path to it. I pasted the result below.

I also checked my ASA configuration, and the only setting that is not present is the "match any" for the "class-map class_default", because when I enter "class-map class_default" I get the following warning:


ASA(config)# class-map class-default
ERROR: % class-default is a well-known class and is not configurable under class-map

Can you guys help me? I posted below the tracert output and the concerned configuration. I can't find the misfit and I already checked most of the configuration forums.

C:\>tracert www.google.com

Tracing route to www.google.com [173.194.79.104]
over a maximum of 30 hops:

  1    <1 ms    <1 ms    <1 ms  10.0.0.1
  2     *        *        *     Request timed out.
  3     *        *        *     Request timed out.
  4     *        *        *     Request timed out.
  5     *        *        *     Request timed out.
  6     *        *        *     Request timed out.
  7     *        *        *     Request timed out.
  8     *        *        *     Request timed out.
  9     *        *        *     Request timed out.
 10     *        *        *     Request timed out.
 11     *        *        *     Request timed out.
 12     *        *        *     Request timed out.
 13     *        *        *     Request timed out.
 14     *        *        *     Request timed out.
 15     *        *        *     Request timed out.
 16     *        *        *     Request timed out.
 17     *        *        *     Request timed out.
 18     *        *        *     Request timed out.
 19     *        *        *     Request timed out.
 20     *        *        *     Request timed out.
 21     *        *        *     Request timed out.
 22     *        *        *     Request timed out.
 23   212 ms   212 ms   212 ms  pb-in-f104.1e100.net [173.194.79.104]

Trace complete.

---Router configuration

icmp unreachable rate-limit 10 burst-size 5
!
!
!
object-group service ICMP_Return
 service-object icmp echo-reply
 service-object icmp time-exceeded
 service-object icmp traceroute
 service-object icmp unreachable
 service-object icmp6 echo-reply
 service-object icmp6 time-exceeded
 service-object icmp6 unreachable
!
!
!
access-list IF_outside_access_in remark ICMP Return
access-list IF_outside_access_in extended permit object-group ICMP_Return any any
!
!
!
access-group IF_outside_access_in in interface IF_outside
!
!
!
class-map class_default
!--- This does not exist -> match any
!
!
class-map inspection_default
 match default-inspection-traffic
!
!
!
policy-map global_policy
 class class-default
  set connection decrement-ttl
service-policy global_policy global

4 Replies

Saqib Raza
Level 1

I am assuming that 10.0.0.1 is the IP address on the ASA? If that is true, your communication is not breaking on the ASA, since you see the first hop in your traceroute. What is the next hop in the path after the ASA?

Hello, it's not. 10.0.0.1 is my default gateway, a local router.

Something worth mentioning is that traceroute works for other ASA interfaces (DMZ). It only fails for the external interface.

Look:

c:\> tracert 10.0.100.50

Tracing route to webserver.corp.mycompany.com [10.0.100.50]
over a maximum of 30 hops:

  1     3 ms     3 ms     2 ms  10.0.0.1
  2    <1 ms    <1 ms    <1 ms  10.0.0.2 <- This is the ASA
  3     1 ms     1 ms     1 ms  webserver.corp.mycompany.com [10.0.100.50]

Trace complete.

Any ideas?

Hi,

Can you provide your configuration ?

Also, have you gone through this document to verify the configuration on the ASA device for traceroute to run through the ASA device:

http://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/15246-31.html

Please let me know where you are running the traceroute from. Is it an internal host?

Thanks and Regards,

Vibhor Amrodia

Hi Adriano,

I think you applied the set connection decrement-ttl under the wrong class-map. Let's try it with a new one and see if it works:

class-map TRACE
  match any

policy-map global_policy
  class TRACE
   set connection decrement-ttl

You also need to reapply the default class map under the global policy map:

policy-map global_policy
  class inspection_default

Regards,

Aref
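As an added example (not code from the thread, and not Cisco's), here is a small Python lint that parses an ASA configuration excerpt and checks the traceroute prerequisites this thread revolves around: the outside ACL admits the ICMP time-exceeded and unreachable replies that make intermediate hops visible, `set connection decrement-ttl` sits under a class that matches all traffic, no user class-map is left without a match statement, `class inspection_default` is still present in the global policy, and a global service-policy is applied. The two embedded configs are constructed: one from the excerpt in the question, the other by applying Aref's suggestion to it. The interface name IF_outside, the finding wording and the parser's simplifications (only `any`-style source/destination keywords in plain ICMP ACL entries) are the example's own assumptions.

```python
"""Lint an ASA config excerpt for the traceroute prerequisites this thread discusses
(added example, not the thread's own code): returning ICMP errors permitted on the
outside interface, decrement-ttl under an all-traffic class, no empty class-maps,
inspection_default still in the global policy, and a global service-policy applied."""
import re


def parse_asa_config(text):
    """Minimal parser for ASA's indentation-based config; enough for the checks below."""
    cfg = {"class_maps": {}, "policy_maps": {}, "object_groups": {},
           "access_lists": {}, "access_groups": [], "service_policies": []}
    section, pclass = None, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("!"):
            continue
        s, indented = line.strip(), line[0] == " "
        if not indented:                      # a top-level statement opens or ends a section
            section, pclass = None, None
            words = s.split()
            if s.startswith("class-map "):
                cfg["class_maps"][words[1]] = []; section = ("class_maps", words[1])
            elif s.startswith("policy-map "):
                cfg["policy_maps"][words[1]] = {}; section = ("policy_maps", words[1])
            elif s.startswith("object-group "):
                cfg["object_groups"][words[2]] = []; section = ("object_groups", words[2])
            elif s.startswith("access-list "):
                cfg["access_lists"].setdefault(words[1], []).append(s)
            elif s.startswith("access-group "):
                cfg["access_groups"].append(s)
            elif s.startswith("service-policy "):
                cfg["service_policies"].append(s)
        elif section and section[0] == "policy_maps":
            if s.startswith("class "):        # 'class X' nested under a policy-map
                pclass = s.split()[1]; cfg["policy_maps"][section[1]].setdefault(pclass, [])
            elif pclass:
                cfg["policy_maps"][section[1]][pclass].append(s)
        elif section:
            cfg[section[0]][section[1]].append(s)
    return cfg


def icmp_types_permitted(cfg, acl):
    """ICMP types an ACL permits, expanding service object-groups.
    Simplification (assumption): plain entries use 'any'-style src/dst keywords."""
    types = set()
    for e in cfg["access_lists"].get(acl, []):
        if " permit " not in e:
            continue
        og = re.search(r"permit object-group (\S+)", e)
        members = cfg["object_groups"].get(og.group(1), []) if og else []
        for obj in members:
            m = re.match(r"service-object icmp6? (\S+)", obj)
            if m:
                types.add(m.group(1))
        m = re.search(r"permit icmp \S+ \S+ (\S+)$", e)   # e.g. permit icmp any any time-exceeded
        if m:
            types.add(m.group(1))
    return types


def lint_traceroute(cfg, outside_if="IF_outside"):
    """Return a list of findings; an empty list means every check passed."""
    f = []
    bound = [g for g in cfg["access_groups"] if g.endswith(f" in interface {outside_if}")]
    if not bound:
        f.append(f"no inbound access-group on {outside_if}")
    else:
        acl = bound[0].split()[1]
        for t in sorted({"time-exceeded", "unreachable"} - icmp_types_permitted(cfg, acl)):
            f.append(f"ACL {acl} does not permit icmp {t} inbound on {outside_if}")
    for cm, lines in cfg["class_maps"].items():
        if not any(ln.startswith("match ") for ln in lines):
            f.append(f"class-map {cm} has no match statement (it will never match)")
    hits = 0
    for pm, classes in cfg["policy_maps"].items():
        for cls, lines in classes.items():
            if "set connection decrement-ttl" in lines:
                hits += 1
                # accept the built-in class-default name or a user class-map with 'match any'
                if cls != "class-default" and "match any" not in cfg["class_maps"].get(cls, []):
                    f.append(f"policy-map {pm} applies decrement-ttl under {cls}, which is not 'match any'")
    if not hits:
        f.append("set connection decrement-ttl is not applied in any policy-map")
    applied = [sp.split()[1] for sp in cfg["service_policies"] if sp.endswith(" global")]
    if not applied:
        f.append("no global service-policy applied")
    for pm in applied:
        if "inspection_default" not in cfg["policy_maps"].get(pm, {}):
            f.append(f"policy-map {pm} no longer applies class inspection_default")
    return f


# Constructed from the excerpt posted in the question (icmp6 object lines omitted).
ORIGINAL = """\
object-group service ICMP_Return
 service-object icmp echo-reply
 service-object icmp time-exceeded
 service-object icmp unreachable
access-list IF_outside_access_in remark ICMP Return
access-list IF_outside_access_in extended permit object-group ICMP_Return any any
access-group IF_outside_access_in in interface IF_outside
class-map class_default
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class class-default
  set connection decrement-ttl
service-policy global_policy global
"""
# Constructed by applying Aref's suggestion: a TRACE class with 'match any' carries
# decrement-ttl, and class inspection_default is reapplied under the global policy.
FIXED = ORIGINAL.replace("class-map class_default\n", "class-map TRACE\n match any\n").replace(
    " class class-default\n", " class inspection_default\n class TRACE\n")

if __name__ == "__main__":
    for name, text in (("original", ORIGINAL), ("fixed", FIXED)):
        print(name, lint_traceroute(parse_asa_config(text)) or ["OK"])
```

Run against the question's excerpt, the lint reports the empty class-map class_default and the missing class inspection_default in global_policy, which is what the reply above addresses; the config rewritten per the suggestion passes every check. Deleting the time-exceeded object from ICMP_Return makes the ACL check fire, which is the condition under which intermediate hops stop answering even though the destination still does. Paste `show running-config` output into the parser to check a real box; the checks are deliberately narrow and say nothing about NAT or ICMP inspection, which the Cisco document linked earlier in the thread covers.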
