ASA5505 do not allow ping to connected vlan

catalystexpress
Level 1

Hi All,

We have an ASA5505 which does not allow pings to connected VLANs.

PCA -- CRSW -- ASA5510  -----------VPN----------- ASA5505  -- SW -- Users (PCX)

ASA5505

Data Vlan - 10.9.2.253

XX Vlan - 10.9.3.253

SW -- 10.9.2.1

PCX - 10.9.2.10

PCA can ping 10.9.2.253, but cannot ping 10.9.2.1 or 10.9.2.10. Below is the packet-tracer output, which says host-limit block.

Can I get any suggestions please? Many thanks for the support.

Cheers.

BJ-FW01# packet-tracer input daTA-VLAN icmp 10.9.2.1 8 0 10.3.1.5 detailed

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xca126b60, priority=1, domain=permit, deny=false
        hits=425, user_data=0x0, cs_id=0x0, l3_type=0x8
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0100.0000.0000
        input_ifc=DATA-VLAN, output_ifc=any

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         OUTSIDE

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group ACL_DATA-VLAN in interface DATA-VLAN
access-list ACL_DATA-VLAN extended permit icmp any any echo
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xca16fa70, priority=13, domain=permit, deny=false
        hits=35, user_data=0xc82824b0, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
        src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=8
        dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, dscp=0x0
        input_ifc=DATA-VLAN, output_ifc=any

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xca12a9c8, priority=0, domain=inspect-ip-options, deny=true
        hits=235, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=DATA-VLAN, output_ifc=any

Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xca12a5b0, priority=66, domain=inspect-icmp-error, deny=false
        hits=40, user_data=0xca129bc8, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
        src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, dscp=0x0
        input_ifc=DATA-VLAN, output_ifc=any

Phase: 6
Type: HOST-LIMIT
Subtype:
Result: DROP
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xc72790a0, priority=0, domain=host-limit, deny=false
        hits=221, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=DATA-VLAN, output_ifc=any

Result:
input-interface: DATA-VLAN
input-status: up
input-line-status: up
output-interface: OUTSIDE
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

1 Accepted Solution

Julio Carvajal
VIP Alumni

Hello Sir,

This basically means that you are reaching the host count limit.

If you do a show version you will see the amount of hosts that could use the ASA.

Do a show local-host and compare the outputs to see if you are indeed reaching the limit.

For Networking Posts check my blog at http://www.laguiadelnetworking.com/category/english/

Cheers,

Julio Carvajal Segura

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
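The check suggested above, comparing the licensed inside-host count from show version with the hosts listed by show local-host, as an added example that is not part of the original post and not Cisco code. It assumes the ASA 8.x layout of both outputs ("Inside Hosts : N" in the licence table, "Interface X: ..." and "local host: <ip>," in show local-host), treats every interface other than the named outside interface as inside (a simplification), and assumes host-limit denies are logged as syslog message 450001; all sample output and log lines are constructed.

```python
"""Compare an ASA 5505's licensed inside-host limit with its active local hosts.

Added example for this thread; not Cisco code and not from the original post.
Assumes the 'show version' licence table ("Inside Hosts : N"), the
'show local-host' layout ("Interface X: ...", "local host: <ip>,") of ASA 8.x,
and that host-limit denies are logged as syslog message 450001 (assumed id).
All sample output below is constructed.
"""
import re
from collections import defaultdict

# Constructed 'show version' licence excerpt for a 5505 with a 10-host base licence.
SHOW_VERSION = """\
Licensed features for this platform:
Maximum Physical Interfaces       : 8              perpetual
VLANs                             : 3              DMZ Restricted
Inside Hosts                      : 10             perpetual
Failover                          : Disabled       perpetual
"""

# Constructed 'show local-host': eleven hosts on DATA-VLAN (one over the licence)
# plus one host on OUTSIDE, which does not count against the inside limit.
_INSIDE = "".join(
    f"local host: <10.9.2.{n}>,\n    TCP flow count/limit = 0/unlimited\n"
    for n in range(10, 21)
)
SHOW_LOCAL_HOST = (
    "Interface DATA-VLAN: 11 active, 12 maximum active, 3 denied\n" + _INSIDE
    + "Interface OUTSIDE: 1 active, 1 maximum active, 0 denied\n"
    "local host: <10.3.1.5>,\n    TCP flow count/limit = 0/unlimited\n"
)

# Constructed syslog lines; 450001 is the assumed id of the host-limit deny.
SYSLOG_SAMPLE = [
    "%ASA-3-450001: Deny traffic for protocol 1 src DATA-VLAN:10.9.2.1/0 "
    "dst OUTSIDE:10.3.1.5/0, licensed host limit of 10 exceeded.",
    "%ASA-6-302020: Built outbound ICMP connection for faddr 10.3.1.5/0 "
    "gaddr 10.9.2.253/0 laddr 10.9.2.253/0",
]

_LIMIT_RE = re.compile(r"^Inside Hosts\s*:\s*(\S+)", re.MULTILINE)
_IFC_RE = re.compile(r"^Interface (\S+):")
_HOST_RE = re.compile(r"^local host: <([^>]+)>")
_DENY_RE = re.compile(
    r"%ASA-\d-450001: .*?src (\S+?):([\d.]+)(?:/\d+)? dst .*?"
    r"licensed host limit of (\d+) exceeded"
)


def licensed_inside_hosts(show_version: str):
    """Return the licensed inside-host count, or None when the licence is unlimited."""
    m = _LIMIT_RE.search(show_version)
    if m is None:
        raise ValueError("no 'Inside Hosts' line in show version output")
    value = m.group(1)
    return None if value.lower() == "unlimited" else int(value)


def active_hosts_by_interface(show_local_host: str) -> dict:
    """Map each interface name to the list of local host IPs the ASA is tracking."""
    hosts = defaultdict(list)
    current = None
    for line in show_local_host.splitlines():
        ifc = _IFC_RE.match(line)
        if ifc:
            current = ifc.group(1)
            continue
        host = _HOST_RE.match(line)
        if host and current is not None:
            hosts[current].append(host.group(1))
    return dict(hosts)


def host_limit_report(show_version: str, show_local_host: str, outside_ifc: str) -> dict:
    """Count hosts on every interface except the outside one and compare to the licence.

    Treating every non-outside interface as inside is a simplification of how
    the ASA attributes hosts to the licence; it is enough to spot the condition.
    """
    limit = licensed_inside_hosts(show_version)
    per_ifc = active_hosts_by_interface(show_local_host)
    inside = [ip for ifc, ips in per_ifc.items() if ifc != outside_ifc for ip in ips]
    return {
        "limit": limit,
        "inside_hosts": len(inside),
        "exceeded": limit is not None and len(inside) > limit,
        "hosts": sorted(inside),
    }


def host_limit_denies(syslog_lines) -> list:
    """Return (source_ip, licensed_limit) for each host-limit deny in a syslog feed."""
    found = []
    for line in syslog_lines:
        m = _DENY_RE.search(line)
        if m:
            found.append((m.group(2), int(m.group(3))))
    return found


if __name__ == "__main__":
    report = host_limit_report(SHOW_VERSION, SHOW_LOCAL_HOST, outside_ifc="OUTSIDE")
    print(f"licensed: {report['limit']}, active inside hosts: {report['inside_hosts']}, "
          f"exceeded: {report['exceeded']}")
    for src, limit in host_limit_denies(SYSLOG_SAMPLE):
        print(f"host-limit deny from {src} (limit {limit})")
```

Feed it the two command outputs captured from the firewall and the syslog feed; when the inside count sits at or above the licence, the report lists the tracked hosts so stale or unexpected entries can be identified, and the 450001 matches give a per-source view of what is being denied.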


3 Replies
Many thanks for the quick reply. We got it fixed as you mentioned: the log showed license host limit exc.. 0. On further checking we learned that version 8.4(6) had this issue; we downgraded to 8.4(5) and that fixed the issue.

Thanks again.

Cheers.

Hello,

Exactly, there is a bug related to that (that's why I wanted the show version).

Please mark the question as answered.

For Networking Posts check my blog at http://www.laguiadelnetworking.com/category/english/

Cheers,

Julio Carvajal Segura

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC