Cisco Support Community

ASA to ASA Site2Site Traceroute

Hey folks,

We are converting our offices from MPLS to VPN Site2Site tunnels.

The tunnels are all operating properly, with all traffic going in both directions.

Our issue is with Traceroute between sites.

On MPLS, everything replies during a traceroute. Between the ASA devices, I can get the "internal" one (local to the site) to respond, but not the "external" one (at the far end).

I have added the following according to what I can find on the internet about this issue:


access-list outside_access_in extended permit icmp any any time-exceeded
access-list outside_access_in remark ICMP type 3 for Cisco and Linux
access-list outside_access_in extended permit icmp any any unreachable
access-group outside_access_in in interface outside

policy-map global_policy
 class class-default
  set connection decrement-ttl

icmp unreachable rate-limit 10 burst-size 5


The issue I end up with is that the remote ASA doesn't show up in the list.

See this trace:


  1    <1 ms    <1 ms    <1 ms []
  2    <1 ms    <1 ms    <1 ms []
  3    <1 ms    <1 ms    <1 ms []
  4     *        *        *     Request timed out.
  5    84 ms    86 ms    83 ms


I'm assuming the "Request timed out" hop is the remote-end ASA.

It happens exactly the same way from either site.

Any ideas?



Hi Idress,


The problem is that the ASA doesn't behave exactly like a router when it comes to traceroute, because it doesn't decrement the ICMP TTL; it therefore doesn't trigger an ICMP time-exceeded.


Under the global policy, you need to enter the following command:


class class-default

  set connection decrement-ttl


Very best wishes


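The two posts above between them name three pieces of ASA configuration that have to be present before the firewall will show up as a traceroute hop: the ICMP time-exceeded and unreachable permits in the ACL bound to the outside interface, `set connection decrement-ttl` under `class class-default` in `global_policy`, and an `icmp unreachable rate-limit`. The script below is an added example, not code from the thread or from Cisco: it parses the text of an ASA running-config and reports which of those pieces are missing. The sample config, the function names and the one-space-per-level indentation handling are my own assumptions (the indentation matches how `show running-config` prints nested policy-map commands). It only checks presence; it does not explain why the remote-end ASA stays silent, which the thread leaves open.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: the traceroute-related lines of an ASA running-config,
# modelled on the commands quoted in the thread. Not a real device's config.
SAMPLE_CONFIG = """\
access-list outside_access_in extended permit icmp any any time-exceeded
access-list outside_access_in remark ICMP type 3 for Cisco and Linux
access-list outside_access_in extended permit icmp any any unreachable
access-group outside_access_in in interface outside
icmp unreachable rate-limit 10 burst-size 5
policy-map global_policy
 class inspection_default
  inspect icmp
 class class-default
  set connection decrement-ttl
"""


def parse_policy_maps(config: str) -> Dict[str, Dict[str, List[str]]]:
    """Return {policy-map name: {class name: [sub-commands]}}.

    ASA prints nested commands indented by one space per level, so the
    indent width alone tells us whether a line is a policy-map, a class
    inside it, or a command inside that class.
    """
    pmaps: Dict[str, Dict[str, List[str]]] = {}
    cur_pmap: Optional[str] = None
    cur_class: Optional[str] = None
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        line = raw.strip()
        if indent == 0:
            cur_pmap = cur_class = None
            m = re.match(r"policy-map (\S+)$", line)  # skips "policy-map type inspect ..."
            if m:
                cur_pmap = m.group(1)
                pmaps[cur_pmap] = {}
        elif indent == 1 and cur_pmap is not None:
            m = re.match(r"class (\S+)$", line)
            cur_class = m.group(1) if m else None
            if cur_class is not None:
                pmaps[cur_pmap][cur_class] = []
        elif indent >= 2 and cur_pmap is not None and cur_class is not None:
            pmaps[cur_pmap][cur_class].append(line)
    return pmaps


def outside_acl_name(config: str, interface: str = "outside") -> Optional[str]:
    """Name of the ACL applied inbound on the given interface, or None."""
    m = re.search(rf"^access-group (\S+) in interface {re.escape(interface)}$", config, re.M)
    return m.group(1) if m else None


def acl_permits_icmp(config: str, acl: str, icmp_type: str) -> bool:
    """True if the ACL has 'permit icmp any any <icmp_type>' (any4/any6 accepted)."""
    pattern = rf"^access-list {re.escape(acl)} extended permit icmp any[46]? any[46]? {re.escape(icmp_type)}$"
    return re.search(pattern, config, re.M) is not None


def icmp_unreachable_rate_limit(config: str) -> Optional[Tuple[int, int]]:
    """(rate, burst) from 'icmp unreachable rate-limit N burst-size M', or None."""
    m = re.search(r"^icmp unreachable rate-limit (\d+) burst-size (\d+)$", config, re.M)
    return (int(m.group(1)), int(m.group(2))) if m else None


def audit_traceroute_config(config: str, interface: str = "outside") -> Dict[str, bool]:
    """Check each piece the thread relies on; True means present."""
    acl = outside_acl_name(config, interface)
    pmaps = parse_policy_maps(config)
    class_default = pmaps.get("global_policy", {}).get("class-default", [])
    return {
        "acl_applied": acl is not None,
        "acl_permits_time_exceeded": acl is not None and acl_permits_icmp(config, acl, "time-exceeded"),
        "acl_permits_unreachable": acl is not None and acl_permits_icmp(config, acl, "unreachable"),
        "decrement_ttl": "set connection decrement-ttl" in class_default,
        "unreachable_rate_limit": icmp_unreachable_rate_limit(config) is not None,
    }


def missing_items(config: str, interface: str = "outside") -> List[str]:
    """Sorted names of the checks that failed; empty list means all present."""
    return sorted(k for k, ok in audit_traceroute_config(config, interface).items() if not ok)


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    for name, ok in audit_traceroute_config(text).items():
        print(f"{'OK     ' if ok else 'MISSING'}  {name}")
```

Save `show running-config` output to a file and pass its path as the first argument; with no argument the script audits the constructed sample, which matches the poster's configuration and reports nothing missing.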


set connection decrement-ttl

set connection decrement-ttl is part of my config.

The local ASA responds, just not the remote one.

It happens in both directions: from NJ to remote, or remote to NJ. The "local" ASA responds, but not the remote one.

 1     1 ms    <1 ms    <1 ms  nj_coresw []
 2    <1 ms    <1 ms    <1 ms  nj_router []
 3    <1 ms    <1 ms    <1 ms  nj_asa_inside []
 4     *        *        *     Request timed out.  <-- I assume this is the remote ASA
 5   143 ms   139 ms   139 ms                      <-- this is what I was trying to trace to


