topic traceroute and mtr do not work with ASA 5525 in Network Security

traceroute and mtr do not work with ASA 5525

Stephen Carville — Fri, 21 Feb 2020 12:57:30 GMT

We recently upgraded an ASA 5520 to an ASA 5525 and some of my diagnostic tools no longer work as expected. One example is MTR -- which I use a lot for diagnosis. For example, if I mtr to 12.27.224.24 from an internal machine I get:

mtr -r -c 10 -n 12.27.224.24

Loss% Last Avg Best Wrst StDev

10.212.209.1 0.0% 0.3 0.3 0.2 0.4 0.0

12.27.224.24 0.0% 0.6 0.5 0.5 0.6 0.0

However, if I send the same request out through an interface that bypasses the firewall I get:

sudo mtr -r -c 10 -n --address 198.204.115.86 12.27.224.24

Loss% Last Avg Best Wrst StDev

198.204.115.1 0.0% 0.3 0.4 0.2 1.6 0.4

209.234.172.13 0.0% 0.9 1.1 0.8 2.3 0.5

64.129.238.182 0.0% 1.8 11.7 1.8 51.1 20.2

12.91.226.9 0.0% 47.2 12.1 2.1 56.8 21.1

12.122.104.70 0.0% 3.1 4.6 2.5 6.3 1.3

12.123.30.249 0.0% 32.8 9.3 3.7 32.8 8.6

12.122.129.221 0.0% 5.4 3.4 2.4 6.9 1.6

12.249.74.142 0.0% 3.9 6.1 3.9 13.4 3.8

??? 100.0 0.0 0.0 0.0 0.0 0.0

Which is what I expected (The destination will not accept traffic from 198.204.115.86 so the last hop is always a 100% loss)

It worked before and the vendor claims he migrated the configuration from the 5520 without making any significant changes. Is this something that can be fixed?

traceroute and mtr do not work with ASA 5525

Seb Rupik — Fri, 16 Aug 2013 11:44:18 GMT

Hi Stephen,

It looks like ICMP traffic is being dropped by your firewall.

You should add 'inspect icmp' to the inspection engine which will dynamically allow the icmp echo reply back through. You can find details on it's configuration here:

http://www.cisco.com/en/US/docs/security/asa/command-reference/i2.html#wp1760396

cheers,

Seb.

Re: traceroute and mtr do not work with ASA 5525

Stephen Carville — Fri, 16 Aug 2013 13:01:30 GMT

If only it were that simple. ICMP works fine.

If I use tshark on a remote machine then ping it from a local box I see (198.204.115.201 is the outgoing NAT address.):

0.000000 198.204.115.201 -> 216.117.215.8 ICMP Echo (ping) request

0.000049 216.117.215.8 -> 198.204.115.201 ICMP Echo (ping) reply

1.000066 198.204.115.201 -> 216.117.215.8 ICMP Echo (ping) request

1.000111 216.117.215.8 -> 198.204.115.201 ICMP Echo (ping) reply

If I repeat the above but use mtr on the local box, tshark reports:

Zip... Zilch... Nada... Nothing...

but tshark on the source machine reports:

Capturing on eth0

0.000000 10.212.209.51 -> 216.117.215.8 ICMP Echo (ping) request

0.000491 216.117.215.8 -> 10.212.209.51 ICMP Time-to-live exceeded (Time to live exceeded in transit)

0.501257 10.212.209.51 -> 216.117.215.8 ICMP Echo (ping) request

0.501447 10.212.209.1 -> 10.212.209.51 ICMP Time-to-live exceeded (Time to live exceeded in transit)

Exactly as expected -- for the first hop

Something in the 5525 configuration is stopping the icmp from mtr but not for ping. Maybe there is some "evil hacker tool" rule that was added -- dunno.

Re: traceroute and mtr do not work with ASA 5525

Stephen Carville — Tue, 20 Aug 2013 16:44:19 GMT

Got it!

policy-map global_policy

class inspection_default

inspect icmp error

It is always easy after you know the answer.