ASA 5510 interface issue

eAgencyInc
Level 1

Cisco ASA 5510 running Version 8.0(5)

Two routers on separate ports. One works as it should, the other is being finicky for a completely unknown reason.

ping PORT1 8.8.8.8

Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 10/10/10 ms

 

ping PORT2 8.8.8.8

Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:

??!!! / ?!!!? / !!!??

Success rate is 60 percent (3/5), round-trip min/avg/max = 20/30/50 ms

It’s always 3/5 but different patterns as shown above.

So I figure one of two things could be happening. Either the router behind PORT2 is bad or the cable is bad. So I hooked up a laptop using the same cable and gave it the same IP. It works just fine. No drops, latencies, or anything else.

Could it possibly be the actual port on the ASA? Should I try a different port? Haven’t tried that yet because I find that unlikely. Or could it be the config? Not sure what config sections to post, so please let me know. Both ports are configured exactly the same and I’m not aware of a config that would only let 3 out of 5 packets through. The MTU is the same on both at 1500.

11 Replies

Ajay Saini
Level 7

Hello,

Could you please attach following outputs:

do a 'clear interface' to clear interface statistics

then issue a ping and collect

'show interface ex/y'    --> for port2

cap capo interface <port2> match icmp any host 8.8.8.8

run a ping and take output of 'show cap capo det' output.

-AJ

# cap capo interface ISP2 match icmp any host 8.8.8.8
# ping ISP2 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
????!
Success rate is 20 percent (1/5), round-trip min/avg/max = 850/850/850 ms
# ping ISP2 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
???!!
Success rate is 40 percent (2/5), round-trip min/avg/max = 20/275/530 ms
# ping ISP2 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
???!!
Success rate is 40 percent (2/5), round-trip min/avg/max = 20/815/1610 ms
# show cap capo det
0 packet captured
0 packet shown

How could it possibly NOT capture anything if some packets actually returned?

Interesting, please take same capture on ISP1:

cap capo2 interface <ISP1> match icmp any host 8.8.8.8

also try to take debugs:

debug icmp trace

Also, please attach output of 'show route' and 'show interface ex/y' for ISP2

-AJ

I posted the "show int" output after you replied to this thread. It should be visible above.

As for capo2, it does capture traffic there and shows it just fine.

Here is the "show route", slightly modified for privacy.

# show route
Gateway of last resort is 1.2.3.4 to network 0.0.0.0
C 192.168.1.0 255.255.255.0 is directly connected, inside
S 192.168.1.240 255.255.255.255 [1/0] via 1.2.3.4, ISP1
C 172.16.1.0 255.255.255.0 is directly connected, dmz2
C 1.2.3.4 255.255.255.224 is directly connected, ISP1
C 192.168.2.0 255.255.255.0 is directly connected, voice
C 2.3.4.5 255.255.255.240 is directly connected, ISP2
C 192.168.3.0 255.255.255.0 is directly connected, dmz1wifi
S* 0.0.0.0 0.0.0.0 [1/0] via 1.2.3.4, ISP1


Initial "show int":

# show interface e0/3
Interface Ethernet0/3 "ISP2", is up, line protocol is up
Hardware is i82546GB rev03, BW 100 Mbps, DLY 100 usec
Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
MAC address 0019.e8c9.9473, MTU 1500
IP address 2.3.4.5, subnet mask 255.255.255.240
1213395 packets input, 79278048 bytes, 0 no buffer
Received 1131600 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 L2 decode drops
52437 packets output, 4300158 bytes, 0 underruns
0 output errors, 0 collisions, 9 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
152 input reset drops, 0 output reset drops, 0 tx hangs
input queue (curr/max packets): hardware (6/25) software (0/0)
output queue (curr/max packets): hardware (0/2) software (0/0)
Traffic Statistics for "ISP2":
1213205 packets input, 57269685 bytes
52437 packets output, 3354636 bytes
37588 packets dropped
1 minute input rate 6 pkts/sec, 297 bytes/sec
1 minute output rate 0 pkts/sec, 19 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 6 pkts/sec, 299 bytes/sec
5 minute output rate 0 pkts/sec, 19 bytes/sec
5 minute drop rate, 0 pkts/sec

Then I pinged to see any values increment:

# ping ISP2 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
???!!
Success rate is 40 percent (2/5), round-trip min/avg/max = 20/125/230 ms

And while some values have incremented, I don't see anything crucial.


# show interface e0/3
Interface Ethernet0/3 "ISP2", is up, line protocol is up
Hardware is i82546GB rev03, BW 100 Mbps, DLY 100 usec
Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
MAC address 0019.e8c9.9473, MTU 1500
IP address 2.3.4.5, subnet mask 255.255.255.240
1213614 packets input, 79292280 bytes, 0 no buffer
Received 1131804 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 L2 decode drops
52449 packets output, 4301142 bytes, 0 underruns
0 output errors, 0 collisions, 9 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
152 input reset drops, 0 output reset drops, 0 tx hangs
input queue (curr/max packets): hardware (0/25) software (0/0)
output queue (curr/max packets): hardware (0/2) software (0/0)
Traffic Statistics for "ISP2":
1213424 packets input, 57279961 bytes
52449 packets output, 3355404 bytes
37591 packets dropped
1 minute input rate 6 pkts/sec, 297 bytes/sec
1 minute output rate 0 pkts/sec, 19 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 6 pkts/sec, 299 bytes/sec
5 minute output rate 0 pkts/sec, 19 bytes/sec
5 minute drop rate, 0 pkts/sec

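The step just performed (read the interface counters, ping, read them again, look for what moved) is tedious to do by eye across two forty-line dumps. The following is an added example, not code from the thread or from Cisco: a small Python script that parses two `show interface` snapshots and prints only the counters that changed, flagging drop and error counters. The sample snapshots are constructed from the two `show interface e0/3` outputs posted above, trimmed to the lines that carry counters.

```python
"""Diff two Cisco ASA `show interface` snapshots taken around a test ping.

Added example for the troubleshooting step above (clear counters, ping, re-read
the interface); it is not code from the thread or from Cisco. The two sample
snapshots are constructed from the `show interface e0/3` outputs posted in the
thread, trimmed to the lines that carry counters.
"""
import re
from typing import Dict

# "<value> <counter name>" pairs, the name ending at a comma or at end of line.
PAIR_RE = re.compile(r"(\d+) ([A-Za-z][A-Za-z0-9 ]*?)(?=,|$)")

# Counter names worth flagging when they move during the test.
ATTENTION = ("drop", "error", "CRC", "frame", "overrun", "reset", "collision", "runt", "giant")


def parse_counters(snapshot: str) -> Dict[str, int]:
    """Map every counter in a `show interface` dump to its value.

    The hardware section and the "Traffic Statistics" section both carry
    packets/bytes counters, so the latter are prefixed with "traffic ", and the
    input/output byte counters are told apart by the packets line they follow.
    """
    counters: Dict[str, int] = {}
    section = ""
    for raw in snapshot.splitlines():
        line = raw.strip()
        if line.startswith("Traffic Statistics"):
            section = "traffic "
            continue
        # Counter lines begin with a number or with "Received"; the per-minute
        # rate lines are gauges, not counters, and are left out of the diff.
        if not re.match(r"(\d+|Received)\b", line) or " rate" in line:
            continue
        direction = ""
        for value, name in PAIR_RE.findall(line):
            if name in ("packets input", "packets output"):
                direction = name.split()[1] + " "      # "input " or "output "
            if name == "bytes":
                name = direction + name                # "input bytes" / "output bytes"
            counters[section + name] = int(value)
    return counters


def counter_deltas(before: str, after: str) -> Dict[str, int]:
    """Counters that changed between the two snapshots (after minus before)."""
    b, a = parse_counters(before), parse_counters(after)
    return {n: a[n] - b[n] for n in a if n in b and a[n] != b[n]}


def suspicious(deltas: Dict[str, int]) -> Dict[str, int]:
    """Subset of the deltas on drop/error style counters."""
    return {n: d for n, d in deltas.items() if any(k in n for k in ATTENTION)}


# Constructed sample input: the counter lines of the two dumps posted in the thread.
BEFORE = """\
Interface Ethernet0/3 "ISP2", is up, line protocol is up
Hardware is i82546GB rev03, BW 100 Mbps, DLY 100 usec
1213395 packets input, 79278048 bytes, 0 no buffer
Received 1131600 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 L2 decode drops
52437 packets output, 4300158 bytes, 0 underruns
0 output errors, 0 collisions, 9 interface resets
152 input reset drops, 0 output reset drops, 0 tx hangs
Traffic Statistics for "ISP2":
1213205 packets input, 57269685 bytes
52437 packets output, 3354636 bytes
37588 packets dropped
1 minute input rate 6 pkts/sec, 297 bytes/sec
"""

AFTER = """\
Interface Ethernet0/3 "ISP2", is up, line protocol is up
Hardware is i82546GB rev03, BW 100 Mbps, DLY 100 usec
1213614 packets input, 79292280 bytes, 0 no buffer
Received 1131804 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 L2 decode drops
52449 packets output, 4301142 bytes, 0 underruns
0 output errors, 0 collisions, 9 interface resets
152 input reset drops, 0 output reset drops, 0 tx hangs
Traffic Statistics for "ISP2":
1213424 packets input, 57279961 bytes
52449 packets output, 3355404 bytes
37591 packets dropped
1 minute input rate 6 pkts/sec, 297 bytes/sec
"""

if __name__ == "__main__":
    deltas = counter_deltas(BEFORE, AFTER)
    for name, delta in sorted(deltas.items()):
        mark = "  <-- check" if name in suspicious(deltas) else ""
        print(f"{name:28s} {delta:+d}{mark}")
```

On the two snapshots above the script reports ten changed counters, among them `traffic packets dropped +3`; the link-level error counters (CRC, input errors, input reset drops) did not move between the two reads, which is the distinction a reader of the raw dumps has to make by eye.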

I believe you need a route on ISP2 interface. You can add a less preferred default route:

route ISP2 0 0 x.x.x.x 254

Also, once done, please check for the captures and see if we find some packets on ISP 2 interface.

HTH

-AJ

I added the route as you suggested. Just for troubleshooting, really, since the routes are set to be automatically entered based on track sla.

route ISP1 0.0.0.0 0.0.0.0 1.2.3.4 2 track 2
route ISP2 0.0.0.0 0.0.0.0 2.3.4.5 3 track 3
route ISP1 0.0.0.0 0.0.0.0 1.2.3.4 1
route ISP2 0.0.0.0 0.0.0.0 2.3.4.5 254

I added "1" and "254" for troubleshooting only because the "track" is configured as per Cisco's documentation on implementing a primary/backup ISP with SLAs.

The way you have set it up is using the Dual-ISP scenario. By using the track option, the route is only added once the primary route fails. In a normal scenario, if you try to run the command 'show route', you should not see any route installed for ISP2 if the primary ISP is up. That would explain why ISP2 should not be able to ping 8.8.8.8 continuously. It is hard to explain the few pings that get through, since this is an unsupported scenario.

In essence, you should either run an ISP failover or use both ISPs simultaneously by having one route as the default gateway and one less preferred route, which is what I meant in the first place. If you don't run SLA monitoring, it will work, and I can bet on that.

In my opinion, the requirements contradict the current setup. Maybe someone else has a workaround. This is completely my opinion.

-AJ
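To make the interaction between administrative distance and tracked routes described in the reply above concrete, here is an added example (not Cisco's code and not from the thread) that models the one rule involved: for a given prefix the ASA installs the eligible static route with the lowest administrative distance, and a route with a `track` clause is eligible only while its SLA track object is up. The addresses, distances and track numbers are the placeholder values posted in the thread; `StaticRoute`, `installed` and `failover_target` are this example's own names.

```python
"""Model how the ASA picks among several static default routes.

Added example for the dual-ISP discussion above; it is not Cisco's code and the
addresses are the placeholder values used in the thread. It reproduces one rule:
for a prefix, the eligible static route with the lowest administrative distance
(AD) is installed, and a route carrying a `track` clause is eligible only while
its SLA track object is up.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class StaticRoute:
    iface: str                   # egress interface, e.g. "ISP1"
    next_hop: str
    distance: int = 1            # AD: 1 is the default, 255 is never installed
    track: Optional[int] = None  # SLA track object id gating this route
    prefix: str = "0.0.0.0/0"


def eligible(routes: List[StaticRoute], track_up: Dict[int, bool]) -> List[StaticRoute]:
    """Routes that may be installed: untracked ones, plus tracked ones whose track is up."""
    return [r for r in routes
            if r.distance < 255 and (r.track is None or track_up.get(r.track, False))]


def installed(routes: List[StaticRoute], track_up: Dict[int, bool],
              prefix: str = "0.0.0.0/0") -> Optional[StaticRoute]:
    """The single route `show route` would list for the prefix (lowest AD), or None."""
    cands = [r for r in eligible(routes, track_up) if r.prefix == prefix]
    return min(cands, key=lambda r: r.distance, default=None)


def failover_target(routes: List[StaticRoute], primary_track: int) -> Optional[str]:
    """Interface the default route moves to when `primary_track` goes down while
    every other track stays up. None means the default route stays where it was
    (or there is no default route at all)."""
    all_tracks = {r.track for r in routes if r.track is not None}
    up = {t: True for t in all_tracks}
    before = installed(routes, up)
    after = installed(routes, {**up, primary_track: False})
    if before is None or after is None or after.iface == before.iface:
        return None
    return after.iface


# Cisco's documented primary/backup pattern: tracked primary, untracked floating backup.
DOC_PATTERN = [
    StaticRoute("ISP1", "1.2.3.4", distance=1, track=1),
    StaticRoute("ISP2", "2.3.4.5", distance=254),
]

# The four routes posted in the thread: both ISPs tracked, plus the two
# troubleshooting routes (AD 1 and AD 254) added without a track clause.
THREAD_ROUTES = [
    StaticRoute("ISP1", "1.2.3.4", distance=2, track=2),
    StaticRoute("ISP2", "2.3.4.5", distance=3, track=3),
    StaticRoute("ISP1", "1.2.3.4", distance=1),
    StaticRoute("ISP2", "2.3.4.5", distance=254),
]

if __name__ == "__main__":
    for label, routes, primary in (("documented pattern", DOC_PATTERN, 1),
                                   ("thread routes", THREAD_ROUTES, 2),
                                   ("thread routes, tracked only", THREAD_ROUTES[:2], 2)):
        up_all = {t: True for r in routes if (t := r.track) is not None}
        best = installed(routes, up_all)
        print(f"{label}: default via {best.iface} AD {best.distance}; "
              f"on primary track failure -> {failover_target(routes, primary)}")
```

Running it side by side on the documented pattern and on the thread's route set shows what `show route` lists in each case while the primary track is up, and whether pulling the primary track down moves the default route to the other interface or leaves it in place.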

Like I showed above, I added the route as you suggested. However, it made no difference. Still the inconsistent pinging happens and no capture results.

Thank you very much for the time you spent helping me thus far, AJ. It is greatly appreciated and hardly seen out there. Before we proceed trying to troubleshoot my own ASA, I'm having the router we connect to replaced by the vendor because it died completely a few days ago. Perhaps that device starting to fail had something to do with what I thought was my own problem, so we'll see once they replace it.

Hi AJ,

Once again thank you for the time you spent trying to help me. It doesn't happen often and it's way cool to see it actually happen!

Anyway, I had the vendor replace their router. However, not much has changed. I still get 3/5 when pinging Google but 0/5 when pinging the actual router IP. However, if I connect a computer instead of my ASA to their router, I get 5/5 from both. The capture on the ASA is still not showing anything. capo2 shows thousands of packets but the original "capo" has nothing, even though I do get 3/5 pings back when pinging Google.

So I am completely confused at this point.
