03-19-2019 02:04 AM - edited 03-19-2019 02:05 AM
Hi guys,
I have this "common scenario" where ASA drops traceroute traffic.
C:\Windows\system32>tracert -d 10.22.10.63
Tracing route to 10.22.10.63 over a maximum of 30 hops
1 <1 ms <1 ms <1 ms 10.22.20.254
2 2 ms 2 ms 2 ms 10.22.25.4
3 * * * Request timed out.
4 1 ms 1 ms 1 ms 10.22.10.63
Obviously the * is on the outside ASA interface. Here's the related config:
1. Capture on ASA for dropped traffic
capture cap4 type asp-drop acl-drop [Capturing - 774 bytes]
match icmp any any
4: 10:37:09.632840 10.22.1.62 > 10.22.20.1: icmp: time exceeded in-transit Drop-reason: (acl-drop) Flow is denied by configured rule
5: 10:37:13.346493 10.22.1.62 > 10.22.20.1: icmp: time exceeded in-transit Drop-reason: (acl-drop) Flow is denied by configured rule
6: 10:37:17.346966 10.22.1.62 > 10.22.20.1: icmp: time exceeded in-transit Drop-reason: (acl-drop) Flow is denied by configured rule
2. Interface config and acl-applied
show ip | i 10.22.1.62
Port-channel1.90 outside 10.22.1.62 255.255.255.240 CONFIG
access-group outside_in in interface outside
3. ACL config
sa outside_in | i icmp
access-list outside_in line 10 extended permit icmp any4 any4 log disable (hitcnt=20821163) 0xb47d85da
access-list outside_in line 12 extended permit icmp any4 any4 time-exceeded (hitcnt=0) 0xa0979724
4. ASA ICMP config
show run icmp
icmp unreachable rate-limit 10 burst-size 5
show run policy-map | i icmp
inspect icmp
inspect icmp error
Any idea is welcome!
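The asp-drop capture and the "show access-list" output above are the two artifacts to line up when an ASA reports acl-drop. The script below is an added example, not something posted in the thread or a Cisco tool: it parses the tcpdump-style capture lines into packets (source, destination, ICMP type, drop reason), parses the ACE lines (any/any4, host and network/mask operands, the ICMP type keyword, hitcnt), and then evaluates each dropped packet against the ACL the way the ASA does, top-down with the first matching ACE deciding. The sample capture and ACL text are constructed copies of the thread's output; the ICMP keyword-to-type tables cover only the keywords used here.

```python
import re
import ipaddress
from collections import Counter

# Constructed sample input, modelled on the "show capture ... type asp-drop" and
# "show access-list" output pasted in the thread; not taken from a live device.
CAPTURE = """\
4: 10:37:09.632840 10.22.1.62 > 10.22.20.1: icmp: time exceeded in-transit Drop-reason: (acl-drop) Flow is denied by configured rule
5: 10:37:13.346493 10.22.1.62 > 10.22.20.1: icmp: time exceeded in-transit Drop-reason: (acl-drop) Flow is denied by configured rule
6: 10:37:17.346966 10.22.1.62 > 10.22.20.1: icmp: time exceeded in-transit Drop-reason: (acl-drop) Flow is denied by configured rule
"""
ACL = """\
access-list outside_in line 10 extended permit icmp any4 any4 log disable (hitcnt=20821163) 0xb47d85da
access-list outside_in line 12 extended permit icmp any4 any4 time-exceeded (hitcnt=0) 0xa0979724
"""

CAPTURE_RE = re.compile(
    r"^(?P<num>\d+): (?P<time>\S+) (?P<src>[\d.]+) > (?P<dst>[\d.]+): icmp: (?P<desc>.+?)"
    r" Drop-reason: \((?P<reason>[^)]+)\) (?P<text>.*)$"
)
ACE_RE = re.compile(
    r"^access-list (?P<acl>\S+) line (?P<line>\d+) extended (?P<body>.*?) \(hitcnt=(?P<hits>\d+)\)"
)
# tcpdump-style ICMP descriptions as printed in ASA captures -> ICMP type number
DESC_TO_TYPE = {"echo request": 8, "echo reply": 0, "time exceeded in-transit": 11}
# ASA ACE icmp-type keywords -> ICMP type number (subset; assumption for this example)
KEYWORD_TO_TYPE = {"echo": 8, "echo-reply": 0, "time-exceeded": 11, "unreachable": 3}


def parse_capture(text):
    """Turn asp-drop capture lines into dicts with src, dst, icmp_type and drop reason."""
    pkts = []
    for line in text.splitlines():
        m = CAPTURE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["num"] = int(d["num"])
        d["icmp_type"] = next(
            (t for desc, t in DESC_TO_TYPE.items() if d["desc"].startswith(desc)), None)
        pkts.append(d)
    return pkts


def _addr(toks, i):
    """Consume one ACE address operand: any/any4/any6, 'host X', or 'NET MASK'. None = any."""
    if toks[i] in ("any", "any4", "any6"):
        return None, i + 1
    if toks[i] == "host":
        return ipaddress.ip_network(toks[i + 1]), i + 2
    return ipaddress.ip_network(f"{toks[i]}/{toks[i + 1]}", strict=False), i + 2


def parse_acl(text):
    """Parse 'show access-list' lines into ACE dicts, preserving ACL order."""
    aces = []
    for line in text.splitlines():
        m = ACE_RE.match(line)
        if not m:
            continue
        toks = m["body"].split()
        action, proto = toks[0], toks[1]
        src, i = _addr(toks, 2)
        dst, i = _addr(toks, i)
        icmp_type = next((KEYWORD_TO_TYPE[t] for t in toks[i:] if t in KEYWORD_TO_TYPE), None)
        aces.append({"acl": m["acl"], "line": int(m["line"]), "action": action, "proto": proto,
                     "src": src, "dst": dst, "icmp_type": icmp_type, "hits": int(m["hits"])})
    return aces


def _in(net, ip):
    return net is None or ipaddress.ip_address(ip) in net


def first_match(aces, pkt):
    """ASA ACLs are evaluated top-down; the first ACE that matches decides the verdict."""
    for ace in aces:
        if ace["proto"] not in ("ip", "icmp"):
            continue
        if ace["icmp_type"] is not None and ace["icmp_type"] != pkt["icmp_type"]:
            continue
        if _in(ace["src"], pkt["src"]) and _in(ace["dst"], pkt["dst"]):
            return ace
    return None  # implicit deny at the end of every ACL


def triage(capture_text, acl_text):
    """Count drop reasons and report, per dropped packet, which ACE would have matched."""
    pkts, aces = parse_capture(capture_text), parse_acl(acl_text)
    reasons = Counter(p["reason"] for p in pkts)
    verdicts = []
    for p in pkts:
        ace = first_match(aces, p)
        verdicts.append({"num": p["num"], "icmp_type": p["icmp_type"],
                         "ace_line": None if ace is None else ace["line"],
                         "action": None if ace is None else ace["action"]})
    return reasons, verdicts


if __name__ == "__main__":
    reasons, verdicts = triage(CAPTURE, ACL)
    print("drop reasons:", dict(reasons))
    for v in verdicts:
        print(f"pkt {v['num']}: icmp type {v['icmp_type']} -> line {v['ace_line']} ({v['action']})")
```

Run against the thread's own lines, every dropped time-exceeded packet lands on line 10 (the generic permit), which is consistent with line 12 showing hitcnt=0 and tells you the pasted ACL is not what produces the acl-drop verdict, so the search has to move to other ACLs, the interface the flow actually arrives on, or the inspection engine.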
03-20-2019 08:55 AM
By default an ASA won't decrement the icmp ttl used by traceroute even if ICMP is otherwise allowed and inspected.
To get the full functionality including the ASA reporting its interface address in the path, you need to add a line to class-default as follows:
ciscoasa(config)# policy-map global_policy
ciscoasa(config-pmap)# class class-default
ciscoasa(config-pmap-c)# set connection decrement-ttl
Source:
03-20-2019 11:43 PM
Thank you guys, but this is not about ASA showing up.
On my original post I mentioned those * * * from traceroute are on the ASA.
There's also the asp-drop acl-drop capture I also shared on the ASA. So the issue is that ASA drops the traceroute...
03-21-2019 02:51 AM
The decrement-ttl will fix the * * * entries assuming everything else is configured correctly.
Your original post shows the ACL entry permitting icmp inbound is currently disabled:
access-list outside_in line 10 extended permit icmp any4 any4 log disable
03-21-2019 04:58 AM
Marvin, I have to disagree: decrement-ttl is present; had it not been present, those * * * should not show up, as the ASA IP would not be shown. Anyway, here's the config:
show run policy-map
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect sqlnet
inspect sunrpc
inspect http
inspect icmp
inspect dns preset_dns_map
inspect icmp error
inspect tftp
class SFR
sfr fail-open
class global-class
flow-export event-type all destination 10.22.10.63
class class-default
user-statistics accounting
set connection decrement-ttl
As for the ACL, the ACE is on, aka ENABLED; it's only logging that's disabled.
Thanks,
Florin.
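The "show run policy-map" output above is what the previous replies asked to verify: ICMP inspection, ICMP error inspection and the decrement-ttl setting on class-default. The following is an added example, not code from the thread or from Cisco: a small parser that reads the policy-map output into a map/class/statement tree (it accepts the indented form the ASA prints and the flattened form pasted here) and lists any of the three statements that are missing. The sample text is a constructed copy of Florin's output, and the three required statements are exactly the ones this thread discusses.

```python
# Constructed sample, copied from the "show run policy-map" output pasted in the
# thread, with the ASA's usual indentation restored (the parser ignores it anyway).
POLICY_MAP = """\
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
  no tcp-inspection
policy-map global_policy
 class inspection_default
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect sqlnet
  inspect sunrpc
  inspect http
  inspect icmp
  inspect dns preset_dns_map
  inspect icmp error
  inspect tftp
 class SFR
  sfr fail-open
 class global-class
  flow-export event-type all destination 10.22.10.63
 class class-default
  user-statistics accounting
  set connection decrement-ttl
"""

# The statements the replies in this thread say traceroute through the ASA needs.
REQUIRED = (
    ("global_policy", "inspection_default", "inspect icmp"),
    ("global_policy", "inspection_default", "inspect icmp error"),
    ("global_policy", "class-default", "set connection decrement-ttl"),
)


def parse_policy_maps(text):
    """Return {policy_map_name: {class_name: [statement, ...]}} from 'show run policy-map' text."""
    maps, pm, cls = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("policy-map "):
            # The map name is the last token, also for "policy-map type inspect dns NAME".
            pm, cls = line.split()[-1], None
            maps[pm] = {}
        elif line.startswith("class ") and pm is not None:
            cls = line.split(None, 1)[1]
            maps[pm][cls] = []
        elif pm is not None:
            # "parameters" and its children fall under class None for inspect maps.
            maps[pm].setdefault(cls, []).append(line)
    return maps


def check_policy(text):
    """List required statements that are absent, formatted as 'map/class: statement'."""
    maps = parse_policy_maps(text)
    return [f"{pm}/{cls}: {stmt}" for pm, cls, stmt in REQUIRED
            if stmt not in maps.get(pm, {}).get(cls, [])]


if __name__ == "__main__":
    missing = check_policy(POLICY_MAP)
    print("missing:", missing if missing else "none, all three statements present")
```

For the config pasted in this thread the check returns an empty list, which matches Florin's point that decrement-ttl is already configured; the same function run on a config with that line removed names it, so it is a quick way to rule the global policy in or out before digging into ACLs and captures.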
03-25-2019 02:02 PM
Hi Florin,
"time exceeded in-transit Drop-reason: (acl-drop) Flow is denied by configured rule"
As per this document:
03-27-2019 06:45 AM
Hello RJI,
Thanks for the heads-up! Ahead of rule 10 there are only Allow rules; I moved it to rules 1 and 2 and got the same output.
Review other causes: