Request timeout errors with successful traceroutes on asa firewalls

We are running an asa5540 on 7.2(2)18 code and have an odd problem where internal WinXP or Linux devices, tracerouting to external addresses, are successful, but three sets of request timeouts occur through the hops of the firewall. Even more odd is that traceroutes from the same internal host systems to a public external address two hops outside the firewall trace fine with no timeout errors. Regarding ACLs, the internal interface permits full ip access for the inside hosts, and on the outside interface, icmp filters are in place to permit needed functions (i.e. time-exceeded, unreachable, echo-replies). Below are example traces from the internal WinXP system, one trace with the timeouts, and one trace 2 hops out that has no issues:

C:\>tracert -d 198.217.36.2

Tracing route to 198.217.36.2 over a maximum of 30 hops

  1    <1 ms     1 ms    <1 ms  10.1.7.2
  2     *        *        *     Request timed out.
  3     *        *        *     Request timed out.
  4     *        *        *     Request timed out.
  5    <1 ms    <1 ms    <1 ms  206.161.58.49
  6     1 ms    <1 ms    <1 ms  66.192.250.136
  7     3 ms     2 ms     2 ms  66.192.250.17
  8     3 ms     3 ms     2 ms  66.192.251.27
  9     2 ms     2 ms     2 ms  66.192.252.6
 10     3 ms     4 ms     3 ms  151.164.191.9
 11     7 ms     7 ms     7 ms  198.217.36.2

C:\>tracert -d 216.150.151.50

Tracing route to 216.150.151.50 over a maximum of 30 hops

  1    <1 ms    <1 ms    <1 ms  10.1.7.2
  2     2 ms     1 ms     5 ms  216.150.126.68
  3    <1 ms    <1 ms    <1 ms  216.150.127.50

Trace complete.

Any advice on this issue would be appreciated.

Thanks,

-Scott

3 REPLIES
New Member

Re: Request timeout errors with successful tracerouts on asa fir

Did you ever resolve this? I am having a similar problem.

Cisco Employee

Re: Request timeout errors with successful tracerouts on asa fir

Scott,

Can you enable "inspect icmp error", try tracerouting again and see if the problem still exists?

http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/i2_72.html#wp1669676

Regards,

Arul

*Pls rate if it helps*

New Member

Re: Request timeout errors with successful tracerouts on asa fir

In my case this is on a 2811, not an ASA, but same problem.

Upon enabling debug ip icmp I get the following when I try to do a traceroute...

Protocol [ip]:
Target IP address: 10.5.1.15
Source address: 192.168.2.1
Numeric display [n]:
Timeout in seconds [3]:
Probe count [3]:
Minimum Time to Live [1]:
Maximum Time to Live [30]:
Port Number [33434]:
Loose, Strict, Record, Timestamp, Verbose[none]: v
Loose, Strict, Record, Timestamp, Verbose[V]:
Type escape sequence to abort.
Tracing the route to 10.5.1.15

  1  * * *
  2 10.5.1.15 48 msec 80 msec 48 msec

Dec 1 05:05:06.631: ICMP: dst (192.168.2.1) port unreachable rcv from 10.5.1.15
Dec 1 05:05:06.727: ICMP: dst (192.168.2.1) port unreachable rcv from 10.5.1.15
Dec 1 05:05:06.779: ICMP: dst (192.168.2.1) port unreachable rcv from 10.5.1.15

(FYI, 192.168.2.1 is the 2811, and 10.5.1.15 is the device on the far side)
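Both traces in this thread share one signature: the final hop answers, so the probes themselves cross the firewall, but the ICMP time-exceeded replies from some intermediate hops never come back. That is the pattern to separate from a genuinely broken path before touching the firewall's ICMP handling. The following Python is an added example, not code from the thread or from Cisco; it parses the Windows tracert and IOS traceroute formats shown above (sample inputs copied from the posts, abridged, plus one constructed failing trace) and classifies each trace.

```python
import re

# Sample inputs: the two traces from the thread (abridged to the relevant hops)
# and one constructed trace whose path really is broken, for contrast.
ASA_TRACE = """Tracing route to 198.217.36.2 over a maximum of 30 hops
  1    <1 ms     1 ms    <1 ms  10.1.7.2
  2     *        *        *     Request timed out.
  3     *        *        *     Request timed out.
  4     *        *        *     Request timed out.
  5    <1 ms    <1 ms    <1 ms  206.161.58.49
 11     7 ms     7 ms     7 ms  198.217.36.2
Trace complete."""
IOS_TRACE = """Tracing the route to 10.5.1.15
  1  * * *
  2 10.5.1.15 48 msec 80 msec 48 msec"""
DEAD_TRACE = """Tracing route to 192.0.2.10 over a maximum of 30 hops
  1    <1 ms    <1 ms    <1 ms  10.1.7.2
  2     *        *        *     Request timed out.
  3     *        *        *     Request timed out."""  # constructed sample

HOP_RE = re.compile(r"^\s*(\d+)\s+(.*\S)\s*$")          # "<hop> <rest of line>"
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")   # any dotted-quad in the rest


def parse_trace(text):
    """Return [(hop, ip_or_None)] from Windows tracert or IOS traceroute output.
    A hop with no address at all means every probe at that TTL was silent."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue                     # banner, prompt, 'Trace complete.' ...
        ip = IPV4_RE.search(m.group(2))
        hops.append((int(m.group(1)), ip.group(1) if ip else None))
    return hops


def classify(hops):
    """Return (verdict, silent_hop_numbers).
    'clean'          : every hop answered.
    'silent_transit' : the last hop answered but earlier hops did not, i.e. the
                       probes crossed those hops and only the time-exceeded
                       replies were lost (the ASA / 2811 case in this thread).
    'path_failure'   : the trace never reached a responding final hop."""
    if not hops:
        return "empty", []
    silent = [hop for hop, ip in hops if ip is None]
    if not silent:
        return "clean", []
    if hops[-1][1] is None:
        return "path_failure", silent
    return "silent_transit", silent
```

A `silent_transit` verdict whose silent hops start right after the inside interface points at the firewall's ICMP error handling (the `inspect icmp error` suggestion above) rather than at routing.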
