cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
5529
Views
0
Helpful
17
Replies

traceroute througth asa is not working when ecmp error inspection is enabled

Eugene Khabarov
Level 7
Level 7

Hello, dear All!

I have problem with icmp traceroute configuration. When I enabling icmp error inspection in global policy, my traceroute results through ASA 8.2.4 looks like this:

                                                                             My traceroute  [v0.75]

                                                                                                                                     Tue Jun  7 13:33:01 2011

Keys:  Help   Display mode   Restart statistics   Order of fields   quit

                                                                                                                                        Packets               Pings

Host                                                                                                                                 Loss%   Snt   Last   Avg  Best  Wrst StDev

1. 192.168.1.247                                                                                                                      0.0%     2    0.3   0.4   0.3   0.4   0.0

2. ???

3. ???

4. ???

5. ???

6. ???

7. ???

8. destination.lan                                                                                                                  0.0%     1   29.2  29.2  29.2  29.2   0.0

When ICMP error inspection is disabled, my results looks better, but still not all hops in the path:

                                                                             My traceroute  [v0.75]

                                                                                                                                      Tue Jun  7 13:32:44 2011

Keys:  Help   Display mode   Restart statistics   Order of fields   quit

                                                                                                                                        Packets               Pings

Host                                                                                                                                 Loss%   Snt   Last   Avg  Best  Wrst StDev

1. 192.168.1.247                                                                                                                      0.0%    36    0.5   0.4   0.3   0.5   0.1

2. core-asa.lan                                                                                                                    0.0%    35    0.3   0.5   0.3   1.8   0.4

3. ???

4. ???

5. 123.123.123.1                                                                                                                        0.0%    35    2.5   5.9   1.9  41.6   9.2

6. 123.123.123.57                                                                                                                       0.0%    35   28.7  30.3  27.2 107.7  13.5

7. 123.123.123.58                                                                                                                       0.0%    35   28.4  28.6  27.6  32.9   1.0

8. destination.lan                                                                                                                  0.0%    35   29.1  30.2  28.9  33.4   0.9

icmp inspection and ttl decrement on ASA is enabled. Also I configured ACL on outside interface to permit ICMP completely.

What's the problem? Thanks in advance.

17 Replies 17

Thank you. Looks really that it is CSCti20726. I will be wating for the new release.

Broken link

Broken link

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: