Request timeout errors with successful traceroutes on ASA firewalls

swharvey
Level 3

We are running an ASA5540 on 7.2(2)18 code and have an odd problem where internal WinXP or Linux devices, tracerouting to external addresses, are successful but receive three sets of request-timeouts through the hops of the firewall. Even more odd, traceroutes from the same internal host systems to a public external address two hops outside the firewall trace fine with no timeout errors. Regarding ACLs, the internal interface permits full IP access for the inside hosts, and on the outside interface, ICMP filters are in place to permit needed functions (i.e. time-exceeded, unreachable, echo-reply). Below are example traces from the internal WinXP system, one trace with the timeouts, and one trace 2 hops out that has no issues:

C:\>tracert -d 198.217.36.2

Tracing route to 198.217.36.2 over a maximum of 30 hops

  1    <1 ms     1 ms    <1 ms  10.1.7.2
  2     *        *        *     Request timed out.
  3     *        *        *     Request timed out.
  4     *        *        *     Request timed out.
  5    <1 ms    <1 ms    <1 ms  206.161.58.49
  6     1 ms    <1 ms    <1 ms  66.192.250.136
  7     3 ms     2 ms     2 ms  66.192.250.17
  8     3 ms     3 ms     2 ms  66.192.251.27
  9     2 ms     2 ms     2 ms  66.192.252.6
 10     3 ms     4 ms     3 ms  151.164.191.9
 11     7 ms     7 ms     7 ms  198.217.36.2

C:\>tracert -d 216.150.151.50

Tracing route to 216.150.151.50 over a maximum of 30 hops

  1    <1 ms    <1 ms    <1 ms  10.1.7.2
  2     2 ms     1 ms     5 ms  216.150.126.68
  3    <1 ms    <1 ms    <1 ms  216.150.127.50

Trace complete.

Any advice on this issue would be appreciated.

Thanks,

-Scott

3 Replies

justincohen
Level 1

Did you ever resolve this? I am having a similar problem.

ajagadee
Cisco Employee

Scott,

Can you enable "inspect icmp error" and try tracerouting again, and see if the problem still exists?

http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/i2_72.html#wp1669676

Regards,

Arul

*Pls rate if it helps*
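As an added example, not part of Arul's reply or of Cisco's documentation, here is what that suggestion looks like as an ASA 7.2 configuration: ICMP inspection and ICMP error inspection added to the default global policy, next to an outside-interface ACL that admits the ICMP types a traceroute relies on (the original post says filters of this kind already exist). The interface name `outside` and the ACL name `outside_access_in` are assumptions; the inspection commands and ICMP type keywords are standard ASA syntax.

```cisco
! Added example, not from the original thread.
! Assumed names: outside (interface), outside_access_in (ACL).

! 1. Let the ICMP messages a traceroute depends on back in through the
!    outside interface: echo-reply for Windows tracert (ICMP echo probes),
!    time-exceeded from every intermediate router, and unreachable
!    (port-unreachable) from the final hop of a UDP-based traceroute.
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit icmp any any time-exceeded
access-list outside_access_in extended permit icmp any any unreachable
access-group outside_access_in in interface outside

! 2. Track ICMP echo/echo-reply pairs as connections, and inspect ICMP
!    error messages. A time-exceeded comes from an intermediate router whose
!    address matches no existing connection or translation; with
!    "inspect icmp error" the ASA matches and un-NATs it using the original
!    packet header carried in the error payload instead of dropping it.
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
service-policy global_policy global

! 3. Confirm the inspections are active, then rerun the trace.
show running-config policy-map
show service-policy
```

One caveat when comparing results from different hosts: Windows `tracert` sends ICMP echo probes, so both `inspect icmp` and `inspect icmp error` matter, while Linux `traceroute` defaults to UDP probes and only the returning ICMP errors (time-exceeded, port-unreachable) go through the error inspection. `service-policy global_policy global` is already present on a default configuration and is shown here only for completeness.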

In my case this is on a 2811, not an ASA, but same problem.

Upon enabling debug ip icmp, I get the following when I try to do a traceroute...

Protocol [ip]:
Target IP address: 10.5.1.15
Source address: 192.168.2.1
Numeric display [n]:
Timeout in seconds [3]:
Probe count [3]:
Minimum Time to Live [1]:
Maximum Time to Live [30]:
Port Number [33434]:
Loose, Strict, Record, Timestamp, Verbose[none]: v
Loose, Strict, Record, Timestamp, Verbose[V]:
Type escape sequence to abort.
Tracing the route to 10.5.1.15

  1  *  *  *
  2 10.5.1.15 48 msec 80 msec 48 msec

Dec 1 05:05:06.631: ICMP: dst (192.168.2.1) port unreachable rcv from 10.5.1.15
Dec 1 05:05:06.727: ICMP: dst (192.168.2.1) port unreachable rcv from 10.5.1.15
Dec 1 05:05:06.779: ICMP: dst (192.168.2.1) port unreachable rcv from 10.5.1.15

(FYI, 192.168.2.1 is the 2811, and 10.5.1.15 is the device on the far side)
