Ping from ASA to internet works on/off

mahesh18
Level 6

Hi Everyone,

Working with a home lab setup, and ping from the ASA works on and off.

The ASA is connected to a router.

ASA1# ping 4.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 80/86/90 ms
ASA1# ping 4.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.2.2.2, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
ASA1#

Config of ASA:

ASA1#  sh run
: Saved
:
ASA Version 8.2(5)
!
hostname ASA1
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
description Connection to Outside - 1811w
switchport access vlan 2
!
interface Ethernet0/1
description Connection to Inside
!
interface Ethernet0/2
description Connection to Sales
switchport access vlan 3
!
interface Ethernet0/3
shutdown
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
interface Vlan1
nameif inside
security-level 100
ip address 10.0.0.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 192.168.1.171 255.255.255.0
!
interface Vlan3
nameif sales
security-level 50
ip address 10.12.12.1 255.255.255.0
!
ftp mode passive
dns domain-lookup outside
dns server-group DefaultDNS
name-server 64.59.144.19
access-list Sales-web-acl webtype deny url http://10.0.0.[8-9]/* log informational interval 300
access-list Sales-web-acl webtype permit url any log informational interval 300
pager lines 24
mtu inside 1500
mtu outside 1500
mtu sales 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 192.168.1.172 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 192.168.0.0 255.255.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh 0.0.0.0 0.0.255.255 outside
ssh 192.168.0.0 255.255.0.0 outside
ssh timeout 60
ssh version 2
console timeout 0

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
anyconnect-essentials
group-policy Sales-Group internal
group-policy Sales-Group attributes
banner value Welcome to Sales .The Sales group policy is applied.
webvpn
  filter value Sales-web-acl
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:3fb54628b48b1fa0a538af3ae331563e

Regards

Mahesh

13 Replies

johnlloyd_13
Level 9

Hi Mahesh,

Could you post show log from the ASA and show run from the 1811w router?

make sure there's no loose cabling and no duplicate IPs.

Hi,

Here is the config from the 1811w.

There are no duplicate IPs.

Cables are plugged in OK.

1811w#sh run
Building configuration...

Current configuration : 6087 bytes
!
! Last configuration change at 18:47:37 MST Wed Jan 8 2014
! NVRAM config last updated at 18:47:39 MST Wed Jan 8 2014
!
version 12.4
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
!
hostname 1811w
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
logging buffered 4096 informational
enable secret 5 $1$V64B$SLV8.k.cAywBlMhT2ECZX.
!
aaa new-model
!
!
aaa authentication login MP none
!
!
aaa session-id common
clock timezone MST -7
clock summer-time MST recurring
!
crypto pki trustpoint TP-self-signed-1356976622
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1356976622
revocation-check none
rsakeypair TP-self-signed-1356976622
!
!
crypto pki certificate chain TP-self-signed-1356976622
certificate self-signed 01
        quit
dot11 syslog
!
dot11 ssid ACDinternet
vlan 98
authentication open
authentication key-management wpa
guest-mode
wpa-psk ascii 7 0715205D1F5B0E160F
!
ip source-route
!
!
ip dhcp excluded-address 192.168.98.1
ip dhcp excluded-address 192.168.99.1
ip dhcp excluded-address 192.168.99.2
!
ip dhcp pool WIRELESS
   import all
   network 192.168.98.0 255.255.255.0
   default-router 192.168.98.1
   dns-server 64.59.144.19
   lease 3
!
ip dhcp pool vlan1
   import all
   network 192.168.97.0 255.255.255.0
   default-router 192.168.97.1
   dns-server 64.59.144.19
   lease 0 0 1
!
!
ip cef
no ip domain lookup
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
object-group network inside
host 74.125.224.176
host 74.125.224.179
!
vtp mode transparent

!
!
crypto isakmp policy 50
encr aes
authentication pre-share
group 2
crypto isakmp key cisco address 192.168.99.2 no-xauth
!
!
crypto ipsec transform-set DEMO esp-des esp-sha-hmac
!
crypto map VPN_MAP 10 ipsec-isakmp
set peer 192.168.99.2
set transform-set DEMO
match address INTERESTING_TRAFFIC
!
archive
log config
  hidekeys
!
!
vlan 98
!
bridge irb
!
!
!
interface Dot11Radio0
no ip address
!
encryption vlan 98 mode ciphers tkip
!
ssid ACDinternet
!
countermeasure tkip hold-time 0
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
!
interface Dot11Radio0.1
!
interface Dot11Radio0.98
encapsulation dot1Q 98 native
no cdp enable
bridge-group 98
bridge-group 98 subscriber-loop-control
bridge-group 98 spanning-disabled
bridge-group 98 block-unknown-source
no bridge-group 98 source-learning
no bridge-group 98 unicast-flooding
!
interface Dot11Radio1
no ip address
shutdown
speed basic-6.0 9.0 basic-12.0 18.0 basic-24.0 36.0 48.0 54.0
station-role root
!
interface FastEthernet0
description IPSEC OSPF TO 3550A Interface Fas 0/8
ip address 192.168.99.1 255.255.255.0
ip access-group 111 in
ip virtual-reassembly
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 7 104D000A0618
duplex auto
speed auto
crypto map VPN_MAP
!
interface FastEthernet1
ip address 192.168.1.172 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
switchport access vlan 98
!
interface FastEthernet7
!
interface FastEthernet8
!
interface FastEthernet9
!
interface Vlan1
description Wired connections
ip address 192.168.97.1 255.255.255.0
!
interface Vlan98
no ip address
bridge-group 98
bridge-group 98 spanning-disabled
!
interface Async1
no ip address
encapsulation slip
!
interface BVI98
ip address 192.168.98.1 255.255.255.0
ip virtual-reassembly
ip tcp adjust-mss 1452
!
router ospf 1
log-adjacency-changes
network 192.168.1.0 0.0.0.255 area 0
network 192.168.97.0 0.0.0.255 area 0
network 192.168.98.0 0.0.0.255 area 0
network 192.168.99.0 0.0.0.255 area 0
!
no ip forward-protocol nd
no ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
!
ip access-list extended INTERESTING_TRAFFIC
permit ip 192.168.0.0 0.0.255.255 192.168.99.0 0.0.0.255 log
!
access-list 111 permit tcp host 192.168.98.2 any log
access-list 111 permit ip any any
access-list 111 deny   tcp host 192.168.98.2 any log
!
!
!
!
!
!
control-plane
!
bridge 98 protocol ieee
bridge 98 route ip
!
line con 0
privilege level 15
line 1
modem InOut
stopbits 1
speed 115200
flowcontrol hardware
line aux 0
line vty 0 4
exec-timeout 900 0
privilege level 15
login authentication MP
line vty 5 15
exec-timeout 900 0
privilege level 15
login authentication MP
!
ntp logging
ntp server 192.168.99.2
end

Here is sh log from the ASA:

%ASA-6-302020: Built outbound ICMP connection for faddr 4.2.2.2/0 gaddr 192.168.1.171/42296 laddr 192.168.1.171/42296
%ASA-5-111008: User 'enable_15' executed the 'ping 4.2.2.2' command.
%ASA-6-302021: Teardown ICMP connection for faddr 4.2.2.2/0 gaddr 192.168.1.171/42296 laddr 192.168.1.171/42296
%ASA-6-302020: Built outbound ICMP connection for faddr 4.2.2.2/0 gaddr 192.168.1.171/40815 laddr 192.168.1.171/40815
%ASA-5-111008: User 'enable_15' executed the 'ping 4.2.2.2' command.
%ASA-6-302021: Teardown ICMP connection for faddr 4.2.2.2/0 gaddr 192.168.1.171/40815 laddr 192.168.1.171/40815
ASA1#

Hi Mahesh,

When the issue happens, are you able to ping the next hop ip address which is 192.168.1.172?

- Prateek Verma

Hi Prateek,

Yes, I am able to ping all the hops without any issue.

Regards

Mahesh

Hi,

Then I would say the reply is not getting blocked at the ASA. Could you check the ARP table entry on the next router, or try the same test from the router?

- Prateek Verma

Agree with Prateek, this might be an ARP issue. My hunch is an ARP collision, or maybe some issue with the upstream router. Please check ARP and captures.

Dinkar

Hi,

I agree; the upstream routers also have ping working on and off.

sh arp does not show the IP of 4.2.2.2.

Regards

Mahesh

Hi,

At the time of the issue, do you see any ARP entry on the interface of the router which is connected to the ISP?

- Prateek Verma

Hi,

I can ping fine from the router connected to the ISP.

Only the LAN routers have an issue while pinging 4.2.2.2.

ISP-connected router:

2691Router#ping 4.2.2.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 76/82/88 ms
2691Router#ping 4.2.2.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 80/84/88 ms

sh arp from the ISP router:

2691Router#sh ip arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  70.x.x.x            -   000d.bd3f.6d20  ARPA   FastEthernet0/0
Internet  70.x.x.x             0   0011.20a8.04a7  ARPA   FastEthernet0/0
Internet  192.168.6.2           107   0009.e8a2.0080  ARPA   FastEthernet1/0
Internet  192.168.7.3             -   000d.bd3f.6d32  ARPA   FastEthernet1/1
Internet  192.168.7.2            72   0009.e8a2.0080  ARPA   FastEthernet1/1
Internet  192.168.6.3             -   000d.bd3f.6d31  ARPA   FastEthernet1/0
Internet  192.168.5.3             -   000d.bd3f.6d21  ARPA   FastEthernet0/1
Internet  192.168.5.2            95   000d.28bc.fd80  ARPA   FastEthernet0/1

where int fa0/0 connects to the ISP.

Regards

Mahesh

Hi,

Could you send the debug arp from the LAN router at the time of the issue?

- Prateek Verma

Hi Prateek,

Debug arp does not show any output.

Any other command I can try?

Regards

Mahesh

Hi Mahesh,

The "show arp" output you sent is from the ISP router. Could you send it from the LAN router where the issue is happening? Please provide me with the interface connected to the next hop and the next hop IP as well.

- Prateek Verma

Hi Prateek,

The sh arp which I sent you earlier was from the router which connects to the ISP.

Here is sh arp from the router which has the connection to the ASA:

1811w#sh arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  192.168.1.171          27   b0fa.eba2.cbcb  ARPA   FastEthernet1
Internet  192.168.1.172           -   001b.543a.6e3b  ARPA   FastEthernet1
Internet  192.168.97.1            -   001b.543a.6e3a  ARPA   Vlan1
Internet  192.168.98.1            -   001b.5448.5390  ARPA   BVI98
Internet  192.168.98.2            0   74e5.0b5b.e788  ARPA   BVI98
Internet  192.168.98.10           0   Incomplete      ARPA
Internet  192.168.98.16         114   a00b.bacf.37a5  ARPA   BVI98
Internet  192.168.98.21           6   40fc.894e.c48c  ARPA   BVI98
Internet  192.168.99.1            -   001b.543a.6e3a  ARPA   FastEthernet0
Internet  192.168.99.2           32   000d.28bc.fd80  ARPA   FastEthernet0
1811w# sh run int fa0
Building configuration...

Current configuration : 301 bytes
!
interface FastEthernet0
description IPSEC OSPF TO 3550A Interface Fas 0/8
ip address 192.168.99.1 255.255.255.0
ip access-group 111 in
ip virtual-reassembly
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 7 104D000A0618
duplex auto
speed auto
crypto map VPN_MAP
end

int fa0/0 connects to the next hop.

Next hop:

R2_3550SMIA#sh arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  192.168.99.2            -   000d.28bc.fd80  ARPA   FastEthernet0/8
Internet  192.168.99.1           34   001b.543a.6e3a  ARPA   FastEthernet0/8
Internet  192.168.10.2           34   0009.e8a2.0080  ARPA   Vlan10
Internet  192.168.10.3            -   0000.0c07.ac01  ARPA   Vlan10
Internet  192.168.10.1            -   000d.28bc.fd80  ARPA   Vlan10
Internet  192.168.5.3            34   000d.bd3f.6d21  ARPA   FastEthernet0/11
Internet  192.168.5.2             -   000d.28bc.fd80  ARPA   FastEthernet0/11
Internet  192.168.30.3            -   0000.0c07.ac02  ARPA   Vlan30
Internet  192.168.30.1            -   000d.28bc.fd80  ARPA   Vlan30
Internet  192.168.20.1            -   000d.28bc.fd80  ARPA   Vlan20
Internet  192.168.20.2           34   0009.e8a2.0080  ARPA   Vlan20
Internet  192.168.20.3            -   0000.0c07.ac01  ARPA   Vlan20
R2_3550SMIA#sh run int fa0/11
Building configuration...

Current configuration : 272 bytes
!
interface FastEthernet0/11
description OSPF LAN Connection to 2691 Router Interface Fas 0/1
no switchport
ip address 192.168.5.2 255.255.255.254
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 7 111D0A0D181D1F
ip ospf hello-interval 40
end

Next hop:

2691Router#sh arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  70.x.x.x          -   000d.bd3f.6d20  ARPA   FastEthernet0/0
Internet  70.x.x.x          0   0011.20a8.04a7  ARPA   FastEthernet0/0
Internet  192.168.6.2           155   0009.e8a2.0080  ARPA   FastEthernet1/0
Internet  192.168.7.3             -   000d.bd3f.6d32  ARPA   FastEthernet1/1
Internet  192.168.7.2           120   0009.e8a2.0080  ARPA   FastEthernet1/1
Internet  192.168.6.3             -   000d.bd3f.6d31  ARPA   FastEthernet1/0
Internet  192.168.5.3             -   000d.bd3f.6d21  ARPA   FastEthernet0/1
Internet  192.168.5.2            35   000d.28bc.fd80  ARPA   FastEthernet0/1
2691Router#sh run int fa0/0
Building configuration...

Current configuration : 242 bytes
!
interface FastEthernet0/0
description WAN Connection to ISP modem
ip address dhcp
ip access-group DENY in
no ip redirects
no ip unreachables
ip nat outside
ip inspect REMEMBER out
ip virtual-reassembly
duplex auto
speed auto
end

2691Router#

Anything else I can send you by end of day, as I am going to the office now.

Thanks for the help.

Regards

Mahesh
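
The working hypothesis in this thread is an ARP collision or duplicate IP on the 1811w's FastEthernet1 segment, which a single show arp rarely proves. As an added example (not from the thread or from any of its participants), the Python below parses IOS show arp output, flags Incomplete entries and one MAC answering for several learned IPs on one interface, and goes a step further by diffing two captures to catch the MAC for an IP changing between them. The second capture and the MAC 0011.2233.4455 are constructed, not taken from the thread.

```python
import re
from collections import defaultdict

# Constructed sample: lines taken from the 1811w "show arp" output posted above.
SNAP_A = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  192.168.1.171          27   b0fa.eba2.cbcb  ARPA   FastEthernet1
Internet  192.168.1.172           -   001b.543a.6e3b  ARPA   FastEthernet1
Internet  192.168.98.10           0   Incomplete      ARPA
Internet  192.168.99.2           32   000d.28bc.fd80  ARPA   FastEthernet0
"""
# Constructed second capture: a hypothetical host (MAC 0011.2233.4455 is made up)
# now answers ARP for the ASA's outside address 192.168.1.171.
SNAP_B = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  192.168.1.171           0   0011.2233.4455  ARPA   FastEthernet1
Internet  192.168.1.172           -   001b.543a.6e3b  ARPA   FastEthernet1
Internet  192.168.98.2            1   74e5.0b5b.e788  ARPA   BVI98
Internet  192.168.98.16           1   74e5.0b5b.e788  ARPA   BVI98
Internet  192.168.99.2           33   000d.28bc.fd80  ARPA   FastEthernet0
"""

ARP_RE = re.compile(
    r"^Internet\s+(?P<ip>\d+(?:\.\d+){3})\s+(?P<age>-|\d+)\s+"
    r"(?P<mac>[0-9a-f]{4}(?:\.[0-9a-f]{4}){2}|Incomplete)\s+ARPA(?:\s+(?P<intf>\S+))?$"
)

def parse_arp(text):
    """Parse IOS 'show arp' output into {ip: (mac, interface, age)}; header is skipped."""
    table = {}
    for line in text.splitlines():
        m = ARP_RE.match(line.strip())
        if m:
            table[m["ip"]] = (m["mac"], m["intf"], m["age"])
    return table

def check_snapshot(table):
    """Flag unresolved entries and one MAC learned for several IPs on the same interface."""
    findings, by_mac = [], defaultdict(set)
    for ip, (mac, intf, age) in table.items():
        if mac == "Incomplete":
            findings.append(f"incomplete: {ip} never answered ARP")
        elif age != "-":  # age "-" marks the router's own interface addresses
            by_mac[(intf, mac)].add(ip)
    for (intf, mac), ips in sorted(by_mac.items()):
        if len(ips) > 1:
            findings.append(f"shared-mac: {mac} on {intf} claims {sorted(ips)}")
    return findings

def check_flap(before, after):
    """IPs whose learned MAC changed between captures: the signature of a duplicate IP."""
    return [(ip, before[ip][0], after[ip][0]) for ip in sorted(before)
            if ip in after and before[ip][0] != after[ip][0]
            and "Incomplete" not in (before[ip][0], after[ip][0])]
```

Take the two captures on the LAN router a minute apart while the ping is failing; a flap on 192.168.1.171 would confirm the duplicate-IP theory, while a clean result points back at the upstream path.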
