Cisco Support Community
ASA to ASA Site2Site Traceroute

Hey folks,

We are converting our offices from MPLS to VPN Site2Site tunnels.

The tunnels are all operating properly with all traffic going in both directions.

Our issue is with Traceroute between sites.

On MPLS, everything replies during a traceroute. Between the ASA devices, I can get the "internal" one (local to the site) to respond, but not the "external" one (at the far end).

I have added the following according to what I can find on the internet about this issue:

access-list outside_access_in extended permit icmp any any time-exceeded
access-list outside_access_in remark ICMP type 3 for Cisco and Linux
access-list outside_access_in extended permit icmp any any unreachable
access-group outside_access_in in interface outside

then:

policy-map global_policy
 class class-default
  set connection decrement-ttl

and:

icmp unreachable rate-limit 10 burst-size 5

 

The issue I end up with is that the remote ASA doesn't show up in the list.

See this trace:

tracert 192.168.26.11

  1    <1 ms    <1 ms    <1 ms  mwspcoresw1.mycompany.com [192.168.3.251]
  2    <1 ms    <1 ms    <1 ms  router.mycompany.com [192.168.3.253]
  3    <1 ms    <1 ms    <1 ms  asa_inside.mycompany.com [172.16.100.2]
  4     *        *        *     Request timed out.
  5    84 ms    86 ms    83 ms  192.168.26.11

 

I'm assuming the "Request timed out" is the remote-end ASA.

It happens exactly the same way from either site.

Any ideas?

2 REPLIES

Hi Idress,

The problem is that the ASA doesn't behave exactly like a router when it comes to traceroute: it doesn't decrement the ICMP TTL, so it doesn't trigger an ICMP time-exceeded.

Under the global policy, you need to enter the following command:

 

class class-default
  set connection decrement-ttl

Very best wishes

Mike


set connection decrement-ttl is part of my config.

The local ASA responds, just not the remote one.

It happens in both directions: from NJ to remote, or remote to NJ. The "local" ASA responds, but not the remote one.

 1     1 ms    <1 ms    <1 ms  nj_coresw [192.168.3.251]
 2    <1 ms    <1 ms    <1 ms  nj_router [192.168.3.253]
 3    <1 ms    <1 ms    <1 ms  nj_asa_inside [172.16.100.2]
 4     *        *        *     Request timed out. <-- I assume this is the remote ASA
 5   143 ms   139 ms   139 ms  192.168.25.11 <-- this is what I was trying to trace to.
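The traceroute behaviour discussed in this thread, as an added example that is not from the thread or from Cisco: a small Python model of the NJ-side path above, showing how a hop renders depending on whether it decrements the TTL (Mike's point) and whether its ICMP time-exceeded actually makes it back to the tracer (the state the OP's trace is in). The remote ASA's outside address is not given in the thread, so REMOTE_ASA_IP is a placeholder, and the model only tracks the forward path plus whether the reply returns.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed model of the path in the thread. Router hops always decrement the
# IP TTL; an ASA only does so with "set connection decrement-ttl". The remote
# ASA's outside address is not in the thread, so a placeholder stands in for it.
REMOTE_ASA_IP = "REMOTE_ASA_OUTSIDE_IP"  # placeholder, not a real address

@dataclass
class Hop:
    ip: str
    decrements_ttl: bool = True         # False: hop forwards the probe untouched
    time_exceeded_returns: bool = True  # False: hop's time-exceeded never reaches the tracer

def probe(path: List[Hop], dest_ip: str, ttl: int) -> Optional[str]:
    """One probe with the given TTL. Returns the address that answers, or None
    when the probe expires at a hop whose time-exceeded does not come back."""
    for hop in path:
        if not hop.decrements_ttl:
            continue  # transparent hop: TTL unchanged, so it can never be "seen"
        ttl -= 1
        if ttl == 0:
            return hop.ip if hop.time_exceeded_returns else None
    return dest_ip  # probe survived every hop; the destination host answers

def traceroute(path: List[Hop], dest_ip: str, max_hops: int = 30) -> List[Optional[str]]:
    """Probe with TTL 1, 2, ... until the destination answers. None renders as '*'."""
    hops: List[Optional[str]] = []
    for ttl in range(1, max_hops + 1):
        answer = probe(path, dest_ip, ttl)
        hops.append(answer)
        if answer == dest_ip:
            break
    return hops

def nj_to_remote(remote_decrements: bool, remote_reply_returns: bool) -> List[Optional[str]]:
    """The NJ-side path from the thread's trace, with the remote ASA's behaviour varied."""
    path = [
        Hop("192.168.3.251"),  # nj_coresw
        Hop("192.168.3.253"),  # nj_router
        Hop("172.16.100.2"),   # nj_asa_inside (decrement-ttl configured, replies)
        Hop(REMOTE_ASA_IP, remote_decrements, remote_reply_returns),
    ]
    return traceroute(path, "192.168.26.11")

def render(hops: List[Optional[str]]) -> List[str]:
    """Format like a tracert listing: hop number and address, '*' for no answer."""
    return [f"{n:2d}  {h or '*'}" for n, h in enumerate(hops, 1)]
```

A remote ASA that does not decrement is invisible rather than a `*` (the destination simply appears one hop earlier); a `* * *` row with the destination on the next line means the hop consumed a TTL but its time-exceeded was not received, which is the pattern in the trace above.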

 

 
