07-26-2013 09:37 PM - edited 03-11-2019 07:17 PM
Hi All,
We have an ASA5505 which does not allow ping to connected VLANs.
PCA -- CRSW -- ASA5510 -----------VPN----------- ASA5505 -- SW -- Users (PCX)
ASA5505
Data Vlan - 10.9.2.253
XX Vlan - 10.9.3.253
SW -- 10.9.2.1
PCX - 10.9.2.10
PCA can ping 10.9.2.253, but cannot ping 10.9.2.1 and 10.9.2.10. Below is the packet tracer output, which says host-limit block.
Can I get any suggestions please? Many thanks for the support.
cheers..
BJ-FW01# packet-tracer input daTA-VLAN icmp 10.9.2.1 8 0 10.3.1.5 detailed
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xca126b60, priority=1, domain=permit, deny=false
hits=425, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=DATA-VLAN, output_ifc=any
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 OUTSIDE
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group ACL_DATA-VLAN in interface DATA-VLAN
access-list ACL_DATA-VLAN extended permit icmp any any echo
Additional Information:
Forward Flow based lookup yields rule:
in id=0xca16fa70, priority=13, domain=permit, deny=false
hits=35, user_data=0xc82824b0, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=8
dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, dscp=0x0
input_ifc=DATA-VLAN, output_ifc=any
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xca12a9c8, priority=0, domain=inspect-ip-options, deny=true
hits=235, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=DATA-VLAN, output_ifc=any
Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xca12a5b0, priority=66, domain=inspect-icmp-error, deny=false
hits=40, user_data=0xca129bc8, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0
dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, dscp=0x0
input_ifc=DATA-VLAN, output_ifc=any
Phase: 6
Type: HOST-LIMIT
Subtype:
Result: DROP
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xc72790a0, priority=0, domain=host-limit, deny=false
hits=221, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=DATA-VLAN, output_ifc=any
Result:
input-interface: DATA-VLAN
input-status: up
input-line-status: up
output-interface: OUTSIDE
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
07-26-2013 10:13 PM
Hello Sr,
This basically means that you are reaching the host count limit.
If you do a show version you will see the amount of hosts that could use the ASA.
Do a show local-host and compare the outputs to see if you are indeed reaching the limit.
For Networking Posts check my blog at http://www.laguiadelnetworking.com/category/english/
Cheers,
Julio Carvajal Segura
07-27-2013 01:36 AM
Many thanks for the quick reply. We got it fixed as you mentioned; the log shows license host limit exc.. 0. On further checking we learned that version 8.4(6) had this issue; we downgraded to 8.4(5) and that fixed the issue.
thanks again
cheers.
07-27-2013 12:36 PM
Hello,
Exactly, there is a bug related to that (that's why I wanted the show version).
Please mark the question as answered.
For Networking Posts check my blog at http://www.laguiadelnetworking.com/category/english/
Cheers,
Julio Carvajal Segura