07-14-2014 06:42 AM - edited 03-10-2019 12:15 AM
Hello, I am having a strange issue and would be grateful to have any insight as to why this is happening.
An ASA is configured for two remote devices as follows:
object network obj-SV4(1:1)
host 172.16.2.24
object network obj-SV5(1:1)
host 172.16.2.25
object network obj-SV4(1:1)
nat (inside,outside) static xxx.xxx.xxx.183
object network obj-SV5(1:1)
nat (inside,outside) static xxx.xxx.xxx.184
ASA# ping 172.16.2.24
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.2.24, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 10/18/20 ms
ASA# ping 172.16.2.25
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.2.25, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
When I trace to both the devices:
trace 172.16.2.25
Type escape sequence to abort.
Tracing the route to 172.16.2.25
1 172.28.213.202 0 msec 0 msec 0 msec
2 172.28.209.109 20 msec 20 msec 10 msec
3 * * *
4 * * *
trace 172.16.2.24
Type escape sequence to abort.
Tracing the route to 172.16.2.24
1 172.28.213.202 0 msec 0 msec 0 msec
2 172.28.209.109 20 msec 10 msec 20 msec
3 172.28.209.110 20 msec 10 msec 20 msec
4 172.16.2.24 20 msec 20 msec 10 msec
When I am on the .109 device, it has the route for the whole subnet and I can reach both the .24 and .25 from it.
RTR#sh ip int brief | include .109
GigabitEthernet0/1.131 172.28.209.109 YES manual up up
ping vrf server 172.16.2.24
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.2.24, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
ping vrf server 172.16.2.25
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.2.25, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
The route is:
ip route vrf server 172.16.2.0 255.255.255.0 172.28.209.110 name SERVERS
Any advice will be much appreciated.
07-14-2014 07:56 AM
Hi,
What is the device that has the IP address 172.28.209.110? Does it or any of the other devices on the way to the ASA have any type of ACL or anything else that could block traffic?
Can you see any connection on the ASA (or any logs gathered from the ASA) from the host 172.16.2.25?
Are there some TCP ports listening on the server that should answer to connection attempts? You could try TCP Ping from the ASA to those ports:
ping tcp 172.16.2.25 <destination port>
You can also give a "source" address in the above command if you need. In the event that you are running ASA software below 8.4(1), the above "ping tcp" won't be supported.
- Jouni
07-15-2014 03:50 AM
Thanks, it was an ACL on the .110 device which was blocking the .25 server!
.110 was a router.
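The two traces in the original post already localize the problem: both paths agree up to 172.28.209.109, and only the working one gets an answer from 172.28.209.110. The Python below is an added example, not code from the thread or from any poster; it makes that comparison over the trace output copied from the post, and the function names `parse_trace` and `locate_drop` are hypothetical.

```python
import re

# Hop lines copied from the two traces in the original post.
TRACE_OK = """\
1 172.28.213.202 0 msec 0 msec 0 msec
2 172.28.209.109 20 msec 10 msec 20 msec
3 172.28.209.110 20 msec 10 msec 20 msec
4 172.16.2.24 20 msec 20 msec 10 msec
"""
TRACE_FAIL = """\
1 172.28.213.202 0 msec 0 msec 0 msec
2 172.28.209.109 20 msec 20 msec 10 msec
3 * * *
4 * * *
"""

HOP_RE = re.compile(r"^\s*(\d+)\s+(\S+)")

def parse_trace(text):
    """Return {hop_number: responder_ip or None} for Cisco-style trace output."""
    hops = {}
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue  # banner lines such as "Type escape sequence to abort."
        addr = m.group(2)
        hops[int(m.group(1))] = None if addr == "*" else addr
    return hops

def locate_drop(good, bad):
    """Compare a working and a failing trace that should share a path.

    Returns (last_common_hop, suspect): the last address that answered in
    both traces, and the address that answered at the next hop only in the
    working trace. Returns None if the paths differ before any loss, which
    points at routing rather than filtering on a shared path.
    """
    last_common = None
    for n in sorted(good):
        g, b = good[n], bad.get(n)
        if b is None:
            return (last_common, g)
        if g != b:
            return None
        last_common = g
    return (last_common, None)  # failing trace answered at every hop
```

The suspect hop is where to start looking for an ACL or other filter, which matches what the thread found on the .110 router; a silent hop can also be a device that simply does not send ICMP replies, so confirm on the device itself.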