01-08-2014 08:08 PM - edited 03-11-2019 08:27 PM
Hi Everyone,
Working with a home lab setup, and ping from the ASA works on and off.
ASA is connected to Router.
ASA1# ping 4.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 80/86/90 ms
ASA1# ping 4.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.2.2.2, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
ASA1#
Config of ASA
ASA1# sh run
: Saved
:
ASA Version 8.2(5)
!
hostname ASA1
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
description Connection to Outside - 1811w
switchport access vlan 2
!
interface Ethernet0/1
description Connection to Inside
!
interface Ethernet0/2
description Connection to Sales
switchport access vlan 3
!
interface Ethernet0/3
shutdown
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
interface Vlan1
nameif inside
security-level 100
ip address 10.0.0.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 192.168.1.171 255.255.255.0
!
interface Vlan3
nameif sales
security-level 50
ip address 10.12.12.1 255.255.255.0
!
ftp mode passive
dns domain-lookup outside
dns server-group DefaultDNS
name-server 64.59.144.19
access-list Sales-web-acl webtype deny url http://10.0.0.[8-9]/* log informational interval 300
access-list Sales-web-acl webtype permit url any log informational interval 300
pager lines 24
mtu inside 1500
mtu outside 1500
mtu sales 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 192.168.1.172 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 192.168.0.0 255.255.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh 0.0.0.0 0.0.255.255 outside
ssh 192.168.0.0 255.255.0.0 outside
ssh timeout 60
ssh version 2
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
anyconnect-essentials
group-policy Sales-Group internal
group-policy Sales-Group attributes
banner value Welcome to Sales .The Sales group policy is applied.
webvpn
filter value Sales-web-acl
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:3fb54628b48b1fa0a538af3ae331563e
Regards
Mahesh
01-08-2014 10:30 PM
Hi Mahesh,
Could you post "show log" from the ASA and "show run" from the 1811w router?
make sure there's no loose cabling and no duplicate IPs.
01-09-2014 04:27 AM
Hi,
Here is config from 1811w.
There are no duplicate IPs.
Cables are plugged ok.
1811w#sh run
Building configuration...
Current configuration : 6087 bytes
!
! Last configuration change at 18:47:37 MST Wed Jan 8 2014
! NVRAM config last updated at 18:47:39 MST Wed Jan 8 2014
!
version 12.4
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
!
hostname 1811w
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
logging buffered 4096 informational
enable secret 5 $1$V64B$SLV8.k.cAywBlMhT2ECZX.
!
aaa new-model
!
!
aaa authentication login MP none
!
!
aaa session-id common
clock timezone MST -7
clock summer-time MST recurring
!
crypto pki trustpoint TP-self-signed-1356976622
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1356976622
revocation-check none
rsakeypair TP-self-signed-1356976622
!
!
crypto pki certificate chain TP-self-signed-1356976622
certificate self-signed 01
3082023D 308201A6 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 31333536 39373636 3232301E 170D3133 30393230 30353035
33395A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 33353639
37363632 3230819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100BC72 C360794B DF54C0D2 BC93C62A E99B9CFC BD30236D 4521AA9F ECD64C1E
C8B5718E 8B3075A8 26DEBBA0 DCC8DC4C E31F4F40 C75411AD 668A862C 11C36B1E
B49D34C3 18880198 F641FA2A 11DEA434 B767CC53 1B4BD63F 3456942F DAF6EEC9
549FF774 675D5777 524A770D D92A41C6 541962C2 C86430D6 9582FA49 6EFF5EAF
5BAD0203 010001A3 65306330 0F060355 1D130101 FF040530 030101FF 30100603
551D1104 09300782 05313831 3177301F 0603551D 23041830 16801496 11D82322
7EE18A60 8265F9E4 25DEEA84 3BE4CD30 1D060355 1D0E0416 04149611 D823227E
E18A6082 65F9E425 DEEA843B E4CD300D 06092A86 4886F70D 01010405 00038181
005C4B86 41CBE4B1 C08BE318 790188B6 B4ACB6BB 9CD843D4 5C5811FA DA0AC305
F134B8CB 4D73E1D5 A7947A3C 267B9A19 69863953 50AEA43D A0A80175 79D0132A
ED37F376 C613DC37 BACBB618 E97713AA B0FA00B7 9E80E218 D061CB29 4C9FB413
18778381 A9F541C6 8E42D9B4 CACE6D53 7D3A952C 2B965EAD CDA789C6 152EDAA5 CD
quit
dot11 syslog
!
dot11 ssid ACDinternet
vlan 98
authentication open
authentication key-management wpa
guest-mode
wpa-psk ascii 7 0715205D1F5B0E160F
!
ip source-route
!
!
ip dhcp excluded-address 192.168.98.1
ip dhcp excluded-address 192.168.99.1
ip dhcp excluded-address 192.168.99.2
!
ip dhcp pool WIRELESS
import all
network 192.168.98.0 255.255.255.0
default-router 192.168.98.1
dns-server 64.59.144.19
lease 3
!
ip dhcp pool vlan1
import all
network 192.168.97.0 255.255.255.0
default-router 192.168.97.1
dns-server 64.59.144.19
lease 0 0 1
!
!
ip cef
no ip domain lookup
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
object-group network inside
host 74.125.224.176
host 74.125.224.179
!
vtp mode transparent
!
!
crypto isakmp policy 50
encr aes
authentication pre-share
group 2
crypto isakmp key cisco address 192.168.99.2 no-xauth
!
!
crypto ipsec transform-set DEMO esp-des esp-sha-hmac
!
crypto map VPN_MAP 10 ipsec-isakmp
set peer 192.168.99.2
set transform-set DEMO
match address INTERESTING_TRAFFIC
!
archive
log config
hidekeys
!
!
vlan 98
!
bridge irb
!
!
!
interface Dot11Radio0
no ip address
!
encryption vlan 98 mode ciphers tkip
!
ssid ACDinternet
!
countermeasure tkip hold-time 0
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
!
interface Dot11Radio0.1
!
interface Dot11Radio0.98
encapsulation dot1Q 98 native
no cdp enable
bridge-group 98
bridge-group 98 subscriber-loop-control
bridge-group 98 spanning-disabled
bridge-group 98 block-unknown-source
no bridge-group 98 source-learning
no bridge-group 98 unicast-flooding
!
interface Dot11Radio1
no ip address
shutdown
speed basic-6.0 9.0 basic-12.0 18.0 basic-24.0 36.0 48.0 54.0
station-role root
!
interface FastEthernet0
description IPSEC OSPF TO 3550A Interface Fas 0/8
ip address 192.168.99.1 255.255.255.0
ip access-group 111 in
ip virtual-reassembly
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 7 104D000A0618
duplex auto
speed auto
crypto map VPN_MAP
!
interface FastEthernet1
ip address 192.168.1.172 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
switchport access vlan 98
!
interface FastEthernet7
!
interface FastEthernet8
!
interface FastEthernet9
!
interface Vlan1
description Wired connections
ip address 192.168.97.1 255.255.255.0
!
interface Vlan98
no ip address
bridge-group 98
bridge-group 98 spanning-disabled
!
interface Async1
no ip address
encapsulation slip
!
interface BVI98
ip address 192.168.98.1 255.255.255.0
ip virtual-reassembly
ip tcp adjust-mss 1452
!
router ospf 1
log-adjacency-changes
network 192.168.1.0 0.0.0.255 area 0
network 192.168.97.0 0.0.0.255 area 0
network 192.168.98.0 0.0.0.255 area 0
network 192.168.99.0 0.0.0.255 area 0
!
no ip forward-protocol nd
no ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
!
ip access-list extended INTERESTING_TRAFFIC
permit ip 192.168.0.0 0.0.255.255 192.168.99.0 0.0.0.255 log
!
access-list 111 permit tcp host 192.168.98.2 any log
access-list 111 permit ip any any
access-list 111 deny tcp host 192.168.98.2 any log
!
!
!
!
!
!
control-plane
!
bridge 98 protocol ieee
bridge 98 route ip
!
line con 0
privilege level 15
line 1
modem InOut
stopbits 1
speed 115200
flowcontrol hardware
line aux 0
line vty 0 4
exec-timeout 900 0
privilege level 15
login authentication MP
line vty 5 15
exec-timeout 900 0
privilege level 15
login authentication MP
!
ntp logging
ntp server 192.168.99.2
end
Here is sh log from the ASA:
%ASA-6-302020: Built outbound ICMP connection for faddr 4.2.2.2/0 gaddr 192.168.1.171/42296 laddr 192.168.1.171/42296
%ASA-5-111008: User 'enable_15' executed the 'ping 4.2.2.2' command.
%ASA-6-302021: Teardown ICMP connection for faddr 4.2.2.2/0 gaddr 192.168.1.171/42296 laddr 192.168.1.171/42296
%ASA-6-302020: Built outbound ICMP connection for faddr 4.2.2.2/0 gaddr 192.168.1.171/40815 laddr 192.168.1.171/40815
%ASA-5-111008: User 'enable_15' executed the 'ping 4.2.2.2' command.
%ASA-6-302021: Teardown ICMP connection for faddr 4.2.2.2/0 gaddr 192.168.1.171/40815 laddr 192.168.1.171/40815
ASA1#
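The two %ASA-6-302020/302021 pairs above show that the ASA built an ICMP connection for each ping and later tore it down, but without timestamps they cannot tell a ping that got a reply from one that timed out. The following is an added example, not something posted in the thread: it parses ASA built/teardown ICMP messages, pairs them on the ICMP identifier (the "port" on gaddr/laddr), and uses the connection lifetime to classify each one. With `inspect icmp` enabled (as in the posted global_policy), the connection is closed as soon as the echo reply arrives; if no reply transits the ASA it is only torn down when the `icmp 0:00:02` connection timeout from the posted config expires. The sample log is constructed, with `logging timestamp`-style prefixes added to the message text that appears above.

```python
import re
from datetime import datetime

# Constructed sample, not the thread's 'sh log' excerpt: same 302020/302021
# message text as posted, with syslog timestamps added. The first pair is a
# ping that got a reply (torn down immediately), the second never got one.
SAMPLE_LOG = """\
Jan 09 2014 06:30:01: %ASA-6-302020: Built outbound ICMP connection for faddr 4.2.2.2/0 gaddr 192.168.1.171/42296 laddr 192.168.1.171/42296
Jan 09 2014 06:30:01: %ASA-5-111008: User 'enable_15' executed the 'ping 4.2.2.2' command.
Jan 09 2014 06:30:01: %ASA-6-302021: Teardown ICMP connection for faddr 4.2.2.2/0 gaddr 192.168.1.171/42296 laddr 192.168.1.171/42296
Jan 09 2014 06:30:10: %ASA-6-302020: Built outbound ICMP connection for faddr 4.2.2.2/0 gaddr 192.168.1.171/40815 laddr 192.168.1.171/40815
Jan 09 2014 06:30:10: %ASA-5-111008: User 'enable_15' executed the 'ping 4.2.2.2' command.
Jan 09 2014 06:30:12: %ASA-6-302021: Teardown ICMP connection for faddr 4.2.2.2/0 gaddr 192.168.1.171/40815 laddr 192.168.1.171/40815
"""

# From the posted ASA config: 'timeout conn ... icmp 0:00:02'. An inspected
# ICMP connection that no echo reply closes is torn down after this long.
ICMP_TIMEOUT_S = 2

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}): %ASA-\d-30202[01]: "
    r"(?P<event>Built|Teardown) (?:outbound |inbound )?ICMP connection for "
    r"faddr (?P<faddr>[\d.]+)/(?P<fport>\d+) gaddr (?P<gaddr>[\d.]+)/(?P<gid>\d+) "
    r"laddr (?P<laddr>[\d.]+)/(?P<lid>\d+)"
)


def pair_icmp_connections(log_text, icmp_timeout_s=ICMP_TIMEOUT_S):
    """Match each Built to its Teardown and judge whether a reply was seen.

    Key is (local address, ICMP identifier, foreign address): that is what
    the ASA uses to recognise the echo reply belonging to the request.
    """
    open_conns = {}
    results = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # 111008 command audit lines and anything else
        ts = datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S")
        key = (m["laddr"], m["lid"], m["faddr"])
        if m["event"] == "Built":
            open_conns[key] = ts
            continue
        start = open_conns.pop(key, None)
        if start is None:
            continue  # teardown whose build is outside this excerpt
        duration = (ts - start).total_seconds()
        results.append({
            "laddr": key[0],
            "icmp_id": int(key[1]),
            "faddr": key[2],
            "duration_s": duration,
            # Closed before the idle timeout fired: an echo reply came back.
            "replied": duration < icmp_timeout_s,
        })
    return results


def summarize(results):
    """Return (replied, total) so the log can be compared with ping output."""
    return sum(1 for r in results if r["replied"]), len(results)


if __name__ == "__main__":
    conns = pair_icmp_connections(SAMPLE_LOG)
    for c in conns:
        verdict = "reply seen" if c["replied"] else "no reply (timed out)"
        print(f"id {c['icmp_id']} -> {c['faddr']}: {c['duration_s']:.0f}s, {verdict}")
    print("replied/total:", summarize(conns))
```

Syslog timestamps are whole seconds, so a reply arriving at 1.9 s looks the same as one at 1 s; the classification is only safe because the posted RTT (about 85 ms) is far below the 2 s timeout. For a live case, `show conn` while the ping is running, or a capture on the outside interface, shows directly whether the echo reply ever reaches the ASA.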
01-09-2014 06:59 AM
Hi Mahesh,
When the issue happens, are you able to ping the next hop ip address which is 192.168.1.172?
- Prateek Verma
01-09-2014 11:35 AM
Hi Prateek,
Yes, I am able to ping all the hops without any issue.
Regards
Mahesh
01-09-2014 11:39 AM
Hi,
Then I would say the reply is not getting blocked at the ASA. Could you check the ARP table entry on the next router, or try the same test from the router?
- Prateek Verma
01-09-2014 02:54 PM
Agree with Prateek, this might be an ARP issue. My hunch is an ARP collision, or maybe some issue with the upstream router. Please check ARP and captures.
Dinkar
01-09-2014 09:45 PM
Hi,
I agree; the upstream routers also have ping on and off.
sh arp does not show IP of 4.2.2.2.
Regards
Mahesh
01-10-2014 05:09 AM
Hi ,
At the time of the issue, do you see any ARP entry on the interface of the router which is connected to the ISP?
- Prateek Verma
01-10-2014 05:26 AM
Hi,
I can ping fine from the router connected to the ISP.
Only the LAN routers have the issue while pinging 4.2.2.2.
ISP connected router
2691Router#ping 4.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 76/82/88 ms
2691Router#ping 4.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 80/84/88 ms
sh arp from ISP router
2691Router#sh ip arp
Protocol Address Age (min) Hardware Addr Type Interface
Internet 70.x.x.x - 000d.bd3f.6d20 ARPA FastEthernet0/0
Internet 70.x.x.x 0 0011.20a8.04a7 ARPA FastEthernet0/0
Internet 192.168.6.2 107 0009.e8a2.0080 ARPA FastEthernet1/0
Internet 192.168.7.3 - 000d.bd3f.6d32 ARPA FastEthernet1/1
Internet 192.168.7.2 72 0009.e8a2.0080 ARPA FastEthernet1/1
Internet 192.168.6.3 - 000d.bd3f.6d31 ARPA FastEthernet1/0
Internet 192.168.5.3 - 000d.bd3f.6d21 ARPA FastEthernet0/1
Internet 192.168.5.2 95 000d.28bc.fd80 ARPA FastEthernet0/1
where int fa0/0 connects to ISP.
Regards
Mahesh
01-10-2014 05:38 AM
Hi,
Could you send the debug arp from the LAN router at the time of the issue?
- Prateek Verma
01-10-2014 05:43 AM
Hi Prateek,
Debug ARP does not show any output.
Any other command I can try?
Regards
Mahesh
01-10-2014 06:00 AM
Hi Mahesh,
The "show arp" output you sent is from the ISP router. Could you send it from the LAN router where the issue is happening? Please provide me with the interface connected to the next hop and the next hop IP as well.
- Prateek Verma
01-10-2014 06:13 AM
Hi Pradeep,
The sh arp which I sent you earlier was from the router which connects to the ISP.
Here is sh arp from the router which has the connection to the ASA:
1811w#sh arp
Protocol Address Age (min) Hardware Addr Type Interface
Internet 192.168.1.171 27 b0fa.eba2.cbcb ARPA FastEthernet1
Internet 192.168.1.172 - 001b.543a.6e3b ARPA FastEthernet1
Internet 192.168.97.1 - 001b.543a.6e3a ARPA Vlan1
Internet 192.168.98.1 - 001b.5448.5390 ARPA BVI98
Internet 192.168.98.2 0 74e5.0b5b.e788 ARPA BVI98
Internet 192.168.98.10 0 Incomplete ARPA
Internet 192.168.98.16 114 a00b.bacf.37a5 ARPA BVI98
Internet 192.168.98.21 6 40fc.894e.c48c ARPA BVI98
Internet 192.168.99.1 - 001b.543a.6e3a ARPA FastEthernet0
Internet 192.168.99.2 32 000d.28bc.fd80 ARPA FastEthernet0
1811w# sh run int fa0
Building configuration...
Current configuration : 301 bytes
!
interface FastEthernet0
description IPSEC OSPF TO 3550A Interface Fas 0/8
ip address 192.168.99.1 255.255.255.0
ip access-group 111 in
ip virtual-reassembly
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 7 104D000A0618
duplex auto
speed auto
crypto map VPN_MAP
end
int fa0/0 connects to next hop
Next hop
R2_3550SMIA#sh arp
Protocol Address Age (min) Hardware Addr Type Interface
Internet 192.168.99.2 - 000d.28bc.fd80 ARPA FastEthernet0/8
Internet 192.168.99.1 34 001b.543a.6e3a ARPA FastEthernet0/8
Internet 192.168.10.2 34 0009.e8a2.0080 ARPA Vlan10
Internet 192.168.10.3 - 0000.0c07.ac01 ARPA Vlan10
Internet 192.168.10.1 - 000d.28bc.fd80 ARPA Vlan10
Internet 192.168.5.3 34 000d.bd3f.6d21 ARPA FastEthernet0/11
Internet 192.168.5.2 - 000d.28bc.fd80 ARPA FastEthernet0/11
Internet 192.168.30.3 - 0000.0c07.ac02 ARPA Vlan30
Internet 192.168.30.1 - 000d.28bc.fd80 ARPA Vlan30
Internet 192.168.20.1 - 000d.28bc.fd80 ARPA Vlan20
Internet 192.168.20.2 34 0009.e8a2.0080 ARPA Vlan20
Internet 192.168.20.3 - 0000.0c07.ac01 ARPA Vlan20
R2_3550SMIA#sh run int fa0/11
Building configuration...
Current configuration : 272 bytes
!
interface FastEthernet0/11
description OSPF LAN Connection to 2691 Router Interface Fas 0/1
no switchport
ip address 192.168.5.2 255.255.255.254
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 7 111D0A0D181D1F
ip ospf hello-interval 40
end
Next hop
2691Router#sh arp
Protocol Address Age (min) Hardware Addr Type Interface
Internet 70.x.x.x - 000d.bd3f.6d20 ARPA FastEthernet0/0
Internet 70.x.x.x 0 0011.20a8.04a7 ARPA FastEthernet0/0
Internet 192.168.6.2 155 0009.e8a2.0080 ARPA FastEthernet1/0
Internet 192.168.7.3 - 000d.bd3f.6d32 ARPA FastEthernet1/1
Internet 192.168.7.2 120 0009.e8a2.0080 ARPA FastEthernet1/1
Internet 192.168.6.3 - 000d.bd3f.6d31 ARPA FastEthernet1/0
Internet 192.168.5.3 - 000d.bd3f.6d21 ARPA FastEthernet0/1
Internet 192.168.5.2 35 000d.28bc.fd80 ARPA FastEthernet0/1
2691Router# sh run int fa0/0
Building configuration...
Current configuration : 242 bytes
!
interface FastEthernet0/0
description WAN Connection to ISP modem
ip address dhcp
ip access-group DENY in
no ip redirects
no ip unreachables
ip nat outside
ip inspect REMEMBER out
ip virtual-reassembly
duplex auto
speed auto
end
2691Router#
Anything else I can send you by end of day, as I am going to the office now.
Thanks for help
Regards
Mahesh
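Prateek and Dinkar asked for the ARP tables at the time of failure, because an ARP collision shows up as a next-hop IP whose MAC address changes between snapshots, or as Incomplete entries. The following is an added example, not something posted in the thread: it parses IOS `show arp` / `show ip arp` output and reports the three things those checks look for. Incomplete entries, one MAC that answers for several remote IPs (a Catalyst's own SVIs sharing a MAC is normal, which is why entries with age `-` are excluded), and IPs whose MAC changed between two snapshots. The first 1811w and the 2691 tables are copied from the outputs posted above; the second 1811w snapshot is constructed, with 192.168.1.171 given a different MAC, to show what a change looks like.

```python
import re
from collections import defaultdict

# Copied from the 1811w 'sh arp' output posted above.
SNAPSHOT_1811W = """\
Protocol Address Age (min) Hardware Addr Type Interface
Internet 192.168.1.171 27 b0fa.eba2.cbcb ARPA FastEthernet1
Internet 192.168.1.172 - 001b.543a.6e3b ARPA FastEthernet1
Internet 192.168.97.1 - 001b.543a.6e3a ARPA Vlan1
Internet 192.168.98.1 - 001b.5448.5390 ARPA BVI98
Internet 192.168.98.2 0 74e5.0b5b.e788 ARPA BVI98
Internet 192.168.98.10 0 Incomplete ARPA
Internet 192.168.98.16 114 a00b.bacf.37a5 ARPA BVI98
Internet 192.168.98.21 6 40fc.894e.c48c ARPA BVI98
Internet 192.168.99.1 - 001b.543a.6e3a ARPA FastEthernet0
Internet 192.168.99.2 32 000d.28bc.fd80 ARPA FastEthernet0
"""

# Constructed second snapshot (not from the thread): the ASA's outside
# address 192.168.1.171 now resolves to a different MAC.
SNAPSHOT_1811W_LATER = """\
Internet 192.168.1.171 0 b0fa.eba2.cbcc ARPA FastEthernet1
Internet 192.168.1.172 - 001b.543a.6e3b ARPA FastEthernet1
Internet 192.168.99.2 1 000d.28bc.fd80 ARPA FastEthernet0
"""

# Copied from the 2691 'sh arp' output posted above (ISP addresses masked
# as 70.x.x.x by the poster).
SNAPSHOT_2691 = """\
Internet 70.x.x.x - 000d.bd3f.6d20 ARPA FastEthernet0/0
Internet 70.x.x.x 0 0011.20a8.04a7 ARPA FastEthernet0/0
Internet 192.168.6.2 155 0009.e8a2.0080 ARPA FastEthernet1/0
Internet 192.168.7.3 - 000d.bd3f.6d32 ARPA FastEthernet1/1
Internet 192.168.7.2 120 0009.e8a2.0080 ARPA FastEthernet1/1
Internet 192.168.6.3 - 000d.bd3f.6d31 ARPA FastEthernet1/0
Internet 192.168.5.3 - 000d.bd3f.6d21 ARPA FastEthernet0/1
Internet 192.168.5.2 35 000d.28bc.fd80 ARPA FastEthernet0/1
"""

ARP_RE = re.compile(
    r"^Internet\s+(?P<ip>\S+)\s+(?P<age>-|\d+)\s+"
    r"(?P<mac>[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}|Incomplete)"
    r"\s+ARPA(?:\s+(?P<iface>\S+))?\s*$"
)


def parse_show_arp(text):
    """Parse IOS 'show arp' lines; the header and prompt lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ARP_RE.match(line.strip())
        if not m:
            continue
        entries.append({
            "ip": m["ip"],
            "local": m["age"] == "-",            # '-' age: the router's own address
            "mac": m["mac"].lower(),
            "incomplete": m["mac"] == "Incomplete",  # sent ARP request, no reply yet
            "iface": m["iface"] or "",
        })
    return entries


def incomplete_entries(entries):
    return sorted(e["ip"] for e in entries if e["incomplete"])


def shared_remote_macs(entries):
    """MACs that several *remote* IPs resolve to (local SVIs are excluded)."""
    by_mac = defaultdict(set)
    for e in entries:
        if not e["local"] and not e["incomplete"]:
            by_mac[e["mac"]].add(e["ip"])
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


def mac_changes(before, after):
    """IPs present in both snapshots whose MAC differs: the collision signature."""
    old = {e["ip"]: e["mac"] for e in before if not e["incomplete"]}
    new = {e["ip"]: e["mac"] for e in after if not e["incomplete"]}
    return {ip: (old[ip], new[ip]) for ip in old.keys() & new.keys() if old[ip] != new[ip]}


if __name__ == "__main__":
    first = parse_show_arp(SNAPSHOT_1811W)
    print("incomplete:", incomplete_entries(first))
    print("changed:", mac_changes(first, parse_show_arp(SNAPSHOT_1811W_LATER)))
    print("shared remote MACs on 2691:", shared_remote_macs(parse_show_arp(SNAPSHOT_2691)))
```

On the posted tables nothing is flapping: the only Incomplete entry on the 1811w is a wireless client (192.168.98.10), and the one shared remote MAC on the 2691 (0009.e8a2.0080 for 192.168.6.2 and 192.168.7.2) is consistent with a single Layer 3 switch whose SVIs share a MAC, which is why the snapshot-to-snapshot comparison taken while the ping is failing is the check that actually answers the collision question.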