
From ASA, not able to ping ISP edge router (hence not able to use IP SLA)

Sipl_24034
Level 1

As we are using a firewall, our link is up and working fine, but we are not able to ping our edge router. Because of that we are not able to use IP SLA. Basically, IP SLA uses ICMP to ping the edge router.

Kindly help regarding the same.

16 Replies

saif musa
Level 4

How did you know that your edge router is ???

10.227.79.129 

Akshay Rastogi
Cisco Employee

Hi there,

From the configuration, I could see that the next hop of the ASA is 10.153.66.2 and 10.153.67.2. Please check if ICMP is allowed on your edge router 10.227.79.129. Also check if it is reachable from your next hop 10.153.66.2 (ISP).

There is no icmp permit or deny configured on the ASA, which means it is allowed by default. So no issue.

Regards,

Akshay Rastogi

Akshay,

First, check if you can ping your next hop router from inside your ASA. If so, then you can use it (10.153.67.2) for SLA monitoring purposes.

Regards

Hi Saif,

I guess he has mentioned that the link is up and working fine. I believe the traffic is fine but ICMP might not be allowed on the edge router. That is why I had mentioned to check from the next hop (which is the ISP) whether he is able to ping from there or not. :)

Regards,

Akshay Rastogi

Dear Akshay,

Thanks for the quick response.

As I observed, I am able to ping my edge router from 10.153.66.2. I am even able to ping the edge router from my LAN.

The problem is that I am not able to ping the router from the ASA.

Hi,

Please share the output of 'show run icmp'. Please add the below command and check if it works:

icmp permit 10.227.79.129 255.255.255.255 <outside-interface-nameif>

Regards,

Akshay Rastogi

Dear Akshay,

As you said, I gave the icmp permit command, but I found that after this command I can't even ping my router 10.153.66.2.

icmp command output

sh run icmp

icmp unreachable rate-limit 1 burst-size 1
icmp permit host 10.227.79.129 outside1

Hi,

Please remove this command. I advised placing it keeping in mind that there might be some other statements already added.

Please place captures on Outside interface :

'cap capi interface outside match icmp any any'

'cap drop type asp-drop all'

After adding this, start pings from ASA to your edge routers and then take the output of 'cap capi detail' and 'cap drop detail | in icmp'

Regards,

Akshay Rastogi
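
An added example, not part of the thread: a small Python model of how the ASA evaluates `icmp permit`/`icmp deny` rules for ICMP addressed to its own interface. It assumes the documented ASA behaviour that an interface with any such rule ends in an implicit deny, which is why the single permit for 10.227.79.129 also stopped echo replies from 10.153.66.2. The function names are hypothetical; the input is the `sh run icmp` output quoted above.

```python
import ipaddress

# Constructed input: the 'sh run icmp' output quoted in the thread.
SHOW_RUN_ICMP = """\
icmp unreachable rate-limit 1 burst-size 1
icmp permit host 10.227.79.129 outside1
"""

def parse_icmp_rules(text):
    """Return {interface: [(action, network, icmp_type_or_None), ...]} in config order."""
    rules = {}
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[0] != "icmp" or tok[1] not in ("permit", "deny"):
            continue  # skips 'icmp unreachable ...' and blank lines
        action, rest = tok[1], tok[2:]
        if rest[0] == "any":
            net, rest = ipaddress.ip_network("0.0.0.0/0"), rest[1:]
        elif rest[0] == "host":
            net, rest = ipaddress.ip_network(rest[1] + "/32"), rest[2:]
        else:  # 'ip_address net_mask' form
            net, rest = ipaddress.ip_network(f"{rest[0]}/{rest[1]}", strict=False), rest[2:]
        icmp_type = rest[0] if len(rest) == 2 else None  # optional type before if_name
        rules.setdefault(rest[-1], []).append((action, net, icmp_type))
    return rules

def to_the_box_icmp_allowed(rules, interface, src_ip, icmp_type):
    """First match wins; an interface that has any rule ends in an implicit deny."""
    iface_rules = rules.get(interface)
    if not iface_rules:
        return True  # no rules on this interface: ICMP to the interface is allowed
    src = ipaddress.ip_address(src_ip)
    for action, net, rule_type in iface_rules:
        if src in net and rule_type in (None, icmp_type):
            return action == "permit"
    return False  # implicit deny (assumed documented ASA behaviour)

def blocked_reply_sources(rules, interface, probe_targets):
    """Probe targets whose echo-reply the ASA itself would drop on this interface."""
    return [ip for ip in probe_targets
            if not to_the_box_icmp_allowed(rules, interface, ip, "echo-reply")]

if __name__ == "__main__":
    parsed = parse_icmp_rules(SHOW_RUN_ICMP)
    print(blocked_reply_sources(parsed, "outside1", ["10.227.79.129", "10.153.66.2"]))
```

Running the same check against every IP SLA or ping target before adding an `icmp permit` line shows which monitored next hops would go silent.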

Dear Akshay,

I have given both commands but did not receive any response for

cap drop detail | in icmp

Hi,

From the output of the commands suggested by Akshay, it looks like ICMP is being sent by the ASA but there is no reply to it.

Now to troubleshoot further you can try following:

>> As per your configuration, the next hop for all the traffic via outside1 is 10.153.66.2. Check if the next hop device has proper configuration to forward ICMP packet to 10.22.79.129.

>> The show cap capi details shows that the icmp request is forwarded to device with MAC c08c.c59f.8d51. Check if this is the correct device to which traffic should be forwarded. You can run show arp on ASA and check the MAC-IP mapping for this hardware.

>> Check if the device with 10.22.79.129 has correct reverse route for the traffic being generated by 10.153.66.1.

On the ASA there is no return traffic received, so I would suggest you check the intermediate devices between the ASA and the edge router for correct routing and access policies to permit this traffic.

Do share your findings.

Thanks,

R.S.

On the router, I provided a route for the LAN with next hop 10.153.66.1,

and I can ping 10.227.79.129 from my LAN as well as from the router. The only thing is that I am not able to ping this IP from the ASA.

Is there any reverse route on edge router for 10.153.66.0/30 subnet for replies to ASA ?

Thanks,

Rishabh Seth

Dear Rishabh,

The 10.153.66.0 network is advertised by Reliance there, and

I still tried to advertise 10.153.66.0 on my router, but the same problem persists.

Hi,

Please configure a static route on the router with the ASA outside interface as the destination. Advertising the 66.x network would enable the next hops to have that network. However, it does not ensure that your edge router has a reverse route for the ASA outside interface.

Please add the route on Edge router for destination IP as ASA outside interface.

Regards,

Akshay Rastogi
