Cisco Support Community
New Member

tracert's through asa fw's respond with icmp timeouts

Does anyone know how to set up the ASAs to not respond with ICMP timeouts when a Windows machine runs tracerts through them? The hops through the ASA always respond with timeouts (hops 2 and 3 in this case).


C:\>tracert -d

Tracing route to over a maximum of 30 hops

1 <1 ms <1 ms <1 ms

2 * * * Request timed out.

3 * * * Request timed out.

4 80 ms 32 ms 27 ms



Re: tracert's through asa fw's respond with icmp timeouts

When you ping a nonexistent address, the router that receives the ping request and realizes that the destination address is not reachable will generate an ICMP unreachable error message and send it to the originator of the ping. However, Cisco devices rate-limit their ping responses (as a mechanism to help protect against Denial of Service attacks against the router). The router is receiving 5 requests which cannot be forwarded and sends the ICMP error to 3. The other 2 are rate limited.
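
The rate limiting described in the reply above, as an added example that is not part of the original thread: a small simulation of five pings to an unreachable destination, showing why only three of them draw an ICMP error. The 500 ms limiter interval, 2 s ping timeout and 30 ms round-trip time are assumed values, not taken from the post.

```python
# Added illustration (not from the thread). All timing values are assumptions.
RATE_LIMIT_INTERVAL = 0.5  # assumed: at most one ICMP unreachable per 500 ms
PING_TIMEOUT = 2.0         # assumed: sender waits 2 s before giving up on a probe
RTT = 0.03                 # assumed round-trip time between sender and router


def simulate_ping(count=5, interval=RATE_LIMIT_INTERVAL,
                  timeout=PING_TIMEOUT, rtt=RTT):
    """Return one character per probe: 'U' = unreachable received, '.' = timeout.

    The sender transmits the next probe as soon as the previous one is
    answered, or after `timeout` seconds if nothing comes back.
    """
    now = 0.0               # sender's clock
    last_error_sent = None  # router's clock at its last ICMP error
    outcome = []
    for _ in range(count):
        arrival = now + rtt / 2  # probe reaches the router
        allowed = (last_error_sent is None
                   or arrival - last_error_sent >= interval)
        if allowed:
            # Router is outside its rate-limit window: it sends the error.
            last_error_sent = arrival
            outcome.append("U")
            now += rtt           # reply is back, next probe goes out at once
        else:
            # Error suppressed by the limiter: sender sees only silence.
            outcome.append(".")
            now += timeout       # next probe goes out after the timeout
    return "".join(outcome)


def answered(pattern):
    """Count the probes that received an ICMP error."""
    return pattern.count("U")


if __name__ == "__main__":
    pattern = simulate_ping()
    print(pattern, f"({answered(pattern)} of {len(pattern)} answered)")
    # With the limiter disabled every probe is answered.
    print(simulate_ping(interval=0.0))
```

The alternating pattern appears because a probe sent immediately after an answered one lands inside the limiter window, while a probe sent after a full timeout lands outside it.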

New Member

Re: tracert's through asa fw's respond with icmp timeouts

Thanks for the response. Understandably, pings and trace routes both use ICMP, and in the case of my trace attempts, I am tracing with ICMP to an existent IP address, and receive timeouts when reaching the ASA/FWSM hop.

This is not the case with our Juniper ISP firewalls, and traces to existing/legitimate IP addresses do not time out when the hop count reaches the ASA/FWSMs.

What configuration changes can be made to the ASA/FWSMs to prevent ICMPs for the trace from timing out when traversing the ASA/FWSMs?

