04-22-2013 04:51 AM - edited 03-11-2019 06:32 PM
Hi there,
I've got a little problem with my ASA 5515-X after upgrade from version 8.6 to 9.1.
I've got two 5515-X in A/S mode and upgraded both as described on Cisco's website (first the standby unit, failover, etc.). Everything worked just fine except pinging the ASA interfaces themselves. Before the upgrade it was possible to ping the internal interface from any subnet, but now it's not. If I'm on the router next to the ASA I'm able to ping, but every ping from behind that router fails. The ICMP packets get into the ASA (the counter on the ACL goes up), but no reply gets back to the source.
The configuration for ICMP was not changed and says "permit 0.0.0.0 0.0.0.0" for any ICMP on the internal interface. The router between my subnet and the ASA has no ACL installed and, as said above, the ICMP obviously gets to the ASA but doesn't come back!?
I wasn't able to find any information about changes to this function, so I hope that somebody can help me understand this issue, and maybe help me solve it.
Thanks in advance,
Lutz
04-22-2013 09:23 AM
Hi,
To confirm what you are seeing you could always capture ICMP traffic on the "inside" interface of your ASA and see if it is even trying to reply.
access-list ICMP permit icmp any host
access-list ICMP permit icmp host
capture ICMP type raw-data access-list ICMP interface inside buffer 1000000 circular-buffer
And use these commands to show whether any traffic is captured and whether the ASA is sending any Echo Reply
show capture
show capture ICMP
And if needed, copy the capture file to an internal host with TFTP
copy /pcap capture:ICMP tftp://x.x.x.x/ICMP.pcap
You can remove the capture from the ASA with command
no capture ICMP
- Jouni
04-22-2013 11:16 PM
Hi and thanks for this advice.
I'm quite new to troubleshooting issues like this on ASAs, but I can imagine what the above config should result in. Unfortunately the ASA tells me this when I try to configure the capture:
Capture doesn't support access-list
But I don't know why this happens!? Is it the ACL already bound to the interface? I thought that the ACL "ICMP" would only be used to identify the capture-traffic on the interface "internal"!?
Thanks for any help!
04-22-2013 11:22 PM
Oh right,
I think you actually have to use "any4" instead of "any" in the capture ACL
Since in the new software "any" means both IPv4 and IPv6
- Jouni
04-23-2013 12:03 AM
OK, that's new to me and I should remember it; it may be an issue again in the future.
So now it works as expected and I get this output for "show capture ICMP":
6 packets captured
1: 06:58:01.147026 802.1Q vlan#v P0 192.168.x.h > 192.168.y.a: icmp: echo request
2: 06:58:05.739784 802.1Q vlan#v P0 192.168.x.h > 192.168.y.a: icmp: echo request
3: 06:58:10.740089 802.1Q vlan#v P0 192.168.x.h > 192.168.y.a: icmp: echo request
4: 06:58:15.740379 802.1Q vlan#v P0 192.168.x.h > 192.168.y.a: icmp: echo request
5: 06:58:20.739707 802.1Q vlan#v P0 192.168.x.h > 192.168.y.a: icmp: echo request
6: 06:58:25.740089 802.1Q vlan#v P0 192.168.x.h > 192.168.y.a: icmp: echo request
where v stands for my VLAN ID, h for the host IP and a for the ASA IP. The host and the ASA are NOT on the same subnet (see x and y). But as I said before, pings from the same net work, while these pings won't result in any reply!?
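The capture procedure from Jouni's reply and the "show capture ICMP" output above only tell you something once you compare echo requests against echo replies per flow. The following script is an added example, not code from the thread or from Cisco: it parses lines in the "show capture" format shown above and reports every source/destination pair whose requests were not all answered on that interface. The sample text, the VLAN ID and the addresses (192.168.1.50, 192.168.2.1, 192.168.2.20) are constructed stand-ins for the masked 192.168.x.h / 192.168.y.a values, and the eighth line is a made-up answered ping from the ASA's own subnet for contrast.

```python
import re
from collections import defaultdict

# Matches one packet line of ASA "show capture <name>" output in the form posted
# above, e.g.
#   "1: 06:58:01.147026 802.1Q vlan#10 P0 192.168.1.50 > 192.168.2.1: icmp: echo request"
# The 802.1Q part is optional so untagged captures parse as well (assumed format).
LINE_RE = re.compile(
    r"^\s*\d+:\s+(?P<time>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?:802\.1Q vlan#\d+ P\d+\s+)?"
    r"(?P<src>\d+\.\d+\.\d+\.\d+) > (?P<dst>\d+\.\d+\.\d+\.\d+): "
    r"icmp: echo (?P<kind>request|reply)\b"
)


def parse_capture(text):
    """Return a list of (time, src, dst, kind) for every ICMP echo line in text."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            packets.append((m["time"], m["src"], m["dst"], m["kind"]))
    return packets


def unanswered_flows(packets):
    """Pair echo requests with echo replies travelling the opposite way.

    Returns {(src, dst): (requests, replies)} for every src->dst flow where
    fewer replies than requests were seen on the captured interface.
    """
    requests = defaultdict(int)
    replies = defaultdict(int)
    for _time, src, dst, kind in packets:
        if kind == "request":
            requests[(src, dst)] += 1
        else:
            # A reply from dst to src answers a request from src to dst.
            replies[(dst, src)] += 1
    result = {}
    for flow, n_req in requests.items():
        n_rep = replies.get(flow, 0)
        if n_rep < n_req:
            result[flow] = (n_req, n_rep)
    return result


# Constructed sample: the six unanswered requests from the thread with made-up
# addresses, plus one answered ping from a host on the ASA's own subnet.
SAMPLE = """\
8 packets captured
   1: 06:58:01.147026 802.1Q vlan#10 P0 192.168.1.50 > 192.168.2.1: icmp: echo request
   2: 06:58:05.739784 802.1Q vlan#10 P0 192.168.1.50 > 192.168.2.1: icmp: echo request
   3: 06:58:10.740089 802.1Q vlan#10 P0 192.168.1.50 > 192.168.2.1: icmp: echo request
   4: 06:58:15.740379 802.1Q vlan#10 P0 192.168.1.50 > 192.168.2.1: icmp: echo request
   5: 06:58:20.739707 802.1Q vlan#10 P0 192.168.1.50 > 192.168.2.1: icmp: echo request
   6: 06:58:25.740089 802.1Q vlan#10 P0 192.168.1.50 > 192.168.2.1: icmp: echo request
   7: 06:58:30.100000 802.1Q vlan#10 P0 192.168.2.20 > 192.168.2.1: icmp: echo request
   8: 06:58:30.100300 802.1Q vlan#10 P0 192.168.2.1 > 192.168.2.20: icmp: echo reply
8 packets shown
"""


def report(text=SAMPLE):
    """Print one line per flow with missing replies; return the flow dict for reuse."""
    bad = unanswered_flows(parse_capture(text))
    for (src, dst), (n_req, n_rep) in sorted(bad.items()):
        print(f"{src} -> {dst}: {n_req} echo requests, {n_rep} echo replies on this interface")
    return bad


if __name__ == "__main__":
    report()
```

Run it against the pasted output of "show capture ICMP" (or the text of the copied pcap rendered with a packet decoder). A flow that shows requests but zero replies on the inside capture means the ASA never put a reply on that interface, which is exactly the case the thread is chasing; a flow with matching counts, like the same-subnet host in the sample, is answered and can be ruled out.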