All Inside Host Can't Ping ASA Inside Interface IP Address

am.
Level 1

Hi All,

 

I have some problems with our connection.

Early last week, our monitoring server in the inside zone could not reach the ASA device.

The server also cannot ping the IP interface inside and vice versa.

 

HW: ASA5585-SSP-10
SW: v9.8(2)38

 

Topology:

 

[Server] (10.40.83.180) <--------> (10.40.83.1) [ACI] (10.30.10.6) <--------> (inside: 10.30.10.1) [ASA]
                                       (Default Route to ASA)                              (Static Route to ACI)

 

This is the result of trace-packet from the IP Interface Inside to the Monitoring Server

 

SF-FW# packet-tracer input inside icmp 10.30.10.1 80 0 10.40.83.180

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 10.30.10.6 using egress ifc inside

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

==============================================================

 

 

This is the result of trace-packet from the Monitoring Server to the IP Interface Inside

 

SF-FW# packet-tracer input inside icmp 10.40.83.180 80 0 10.30.10.1

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 10.30.10.1 using egress ifc identity

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: CLUSTER-REDIRECT
Subtype: cluster-redirect
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 1619157236, packet dispatched to next module

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
Action: allow

==========================================================

 

I have added the following command but it has no effect.

 

icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any echo outside
icmp permit any inside
icmp permit any echo inside

 

Hope someone will give an answer that can solve this problem because this week we have not been monitoring the ASA.

 

Thanks.

2 Replies

Marvin Rhoads
Hall of Fame

Packet-tracer is designed to show how traffic would pass THROUGH the ASA. It is not a tool that has any utility for traffic to or from the ASA itself.

Have you tried a packet capture to confirm that the traffic is reaching the ASA? Also, I would suggest examining the logs on the ASA, filtering for traffic from the monitoring server.

 

Check routing to make sure that 10.40.83.180 can reach 10.1.30.1 and that the ASA has a route back to 10.40.83.180

--
Please remember to select a correct answer and rate helpful posts