05-01-2020 07:43 AM - edited 05-01-2020 07:44 AM
Hi All,
I have some problems with our connection.
Early last week, our monitoring server in the inside zone could not reach the ASA device.
The server also cannot ping the IP interface inside and vice versa.
HW: ASA5585-SSP-10
SW: v9.8(2)38
Topology:
[Server] (10.40.83.180) <--------> (10.40.83.1) [ACI] (10.30.10.6) <--------> (inside: 10.30.10.1) [ASA]
(Default Route to ASA) (Static Route to ACI)
This is the result of packet-tracer from the IP Interface Inside to the Monitoring Server
SF-FW# packet-tracer input inside icmp 10.30.10.1 80 0 10.40.83.180
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 10.30.10.6 using egress ifc inside
Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
==============================================================
This is the result of packet-tracer from the Monitoring Server to the IP Interface Inside
SF-FW# packet-tracer input inside icmp 10.40.83.180 80 0 10.30.10.1
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 10.30.10.1 using egress ifc identity
Phase: 3
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: CLUSTER-REDIRECT
Subtype: cluster-redirect
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Phase: 9
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 1619157236, packet dispatched to next module
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
Action: allow
==========================================================
I have added the following commands but they have no effect.
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any echo outside
icmp permit any inside
icmp permit any echo inside
Hope someone will give an answer that can solve this problem because this week we have not been monitoring the ASA.
Thanks.
05-02-2020 07:20 AM
Packet-tracer is designed to show how traffic would pass THROUGH the ASA. It is not a tool that has any utility for traffic to or from the ASA itself.
Have you tried a packet capture to confirm that the traffic is reaching the ASA? Also, I would suggest examining the logs on the ASA, filtering for traffic from the monitoring server.
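An added example, not code from either poster: a small Python parser for the packet-tracer output format shown in the post. It reports the phase that dropped the packet and flags the "identity" egress case from the second trace, which is the to-the-box traffic the reply says packet-tracer does not model. The two sample traces are constructed, condensed from the post's output.

```python
import re

# Constructed samples, condensed from the two traces in the post (not real captures).
DROP_TRACE = ("Phase: 1\nType: ACCESS-LIST\nResult: ALLOW\n"
              "Phase: 2\nType: ROUTE-LOOKUP\nResult: ALLOW\nAdditional Information:\n"
              "found next-hop 10.30.10.6 using egress ifc inside\n"
              "Phase: 3\nType: ACCESS-LIST\nResult: DROP\nConfig:\nImplicit Rule\n"
              "Result:\ninput-interface: inside\noutput-interface: inside\nAction: drop\n"
              "Drop-reason: (acl-drop) Flow is denied by configured rule\n")
TO_BOX_TRACE = ("Phase: 1\nType: ACCESS-LIST\nResult: ALLOW\n"
                "Phase: 2\nType: ROUTE-LOOKUP\nResult: ALLOW\nAdditional Information:\n"
                "found next-hop 10.30.10.1 using egress ifc identity\n"
                "Phase: 3\nType: FLOW-CREATION\nResult: ALLOW\n"
                "Result:\ninput-interface: inside\noutput-interface: NP Identity Ifc\n"
                "Action: allow\n")

PHASE_RE = re.compile(r"^Phase:\s*(\d+)\s*$", re.M)        # "Phase: 3"
KV_RE = re.compile(r"^([A-Za-z][\w -]*):[ \t]*(.*)$", re.M)  # "Key: value" lines
EGRESS_RE = re.compile(r"egress ifc (\S+)")                  # from ROUTE-LOOKUP


def parse_packet_tracer(text):
    """Split a trace into its numbered phases and the trailing 'Result:' block."""
    head, _, tail = text.partition("\nResult:\n")  # final block has a bare 'Result:'
    parts = PHASE_RE.split(head)                    # ['', '1', body1, '2', body2, ...]
    phases = [dict(KV_RE.findall(body), phase=int(num))
              for num, body in zip(parts[1::2], parts[2::2])]
    egress = EGRESS_RE.search(head)
    return {"phases": phases, "result": dict(KV_RE.findall(tail)),
            "egress": egress.group(1) if egress else None}


def assess(text):
    """Return (action, explanation) the way an operator would read the trace."""
    t = parse_packet_tracer(text)
    action = t["result"].get("Action", "unknown")
    if t["egress"] == "identity" or "Identity" in t["result"].get("output-interface", ""):
        return action, ("to-the-box flow (identity egress): packet-tracer only models "
                        "transit traffic, so verify with a capture and the syslog instead")
    drop = next((p for p in t["phases"] if p.get("Result") == "DROP"), None)
    if drop:
        reason = t["result"].get("Drop-reason", "no drop-reason line")
        return action, f"dropped in phase {drop['phase']} ({drop.get('Type')}): {reason}"
    return action, f"forwarded via egress interface {t['egress']}"


if __name__ == "__main__":
    for sample in (DROP_TRACE, TO_BOX_TRACE):
        print(assess(sample))
```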
05-02-2020 10:31 AM
Check routing to make sure that 10.40.83.180 can reach 10.1.30.1 and that the ASA has a route back to 10.40.83.180.