Solved: ASA Dropping Second Traceroute packets, first succeeds.

LordBoBCUP · ‎03-11-2019

Hi,

I am having a weird issue where traceroutes show the second response on windows and the second & third on *nix as a * but only for the first hop. I don't know how to explain it or what might be causing it.

Pings to the same hosts are continuous as you can see from the examples below. Can anyone suggest what might be causing this problem. It happens between SVI interfaces and also physical (internal to outside etc).

Thanks in Advance,
Alex

Windows:

C:\Users\User>tracert -d 172.20.1.6

Tracing route to 172.20.1.6 over a maximum of 30 hops

  1    <1 ms     *       <1 ms  172.27.2.1
  2    <1 ms    <1 ms    <1 ms  172.20.1.6

Trace complete.

*Nix (Ubuntu in this case)

raceroute to 172.20.1.6 (172.20.1.6), 30 hops max, 60 byte packets
 1  _gateway (172.20.0.1)  0.462 ms * *
 2  nzakl1pc001.domain.local (172.20.1.6)  1.175 ms * *

Ping:

C:\Users\User>ping 172.20.1.6 -t

Pinging 172.20.1.6 with 32 bytes of data:
Reply from 172.20.1.6: bytes=32 time<1ms TTL=127
Reply from 172.20.1.6: bytes=32 time<1ms TTL=127
Reply from 172.20.1.6: bytes=32 time<1ms TTL=127
Reply from 172.20.1.6: bytes=32 time<1ms TTL=127
Reply from 172.20.1.6: bytes=32 time<1ms TTL=127
Reply from 172.20.1.6: bytes=32 time<1ms TTL=127

Ping statistics for 172.20.1.6:

Ilkin · ‎03-17-2019

OK, so if the 1st hop is the ASA and the response for second probe is lost, then it has to do with the rate limit of ICMP unreacheables on ASA, which by default is 1 per second. You can try to increase the rate and check.

View solution in original post

LordBoBCUP · ‎03-20-2019

Thank you very much llkin for taking the time to assist. I have modified the icmp unreachable rate and this has fixed the issue (albeit just a cosmetic issue).

I found

icmp unreachable rate-limit 1 burst-size 1

in the config and replaced it with

icmp unreachable rate-limit 5 burst-size 5

View solution in original post

Rob Ingram · ‎03-12-2019

Hi,
What is the topology?
What device is the first hop when performing these traceroutes? The ASA or switch?

I would guess there is some rate limiting going on for ICMP

Linux and Windows use different probes for traceroute, Linux uses UDP Probes so if tracerouting through ASA you'd need to permit UDP/33434-33464.

HTH

LordBoBCUP · ‎03-14-2019

Hi,

Topology is very simple, its a SMB network.

ASA acting as Layer 3, gi1/1 is connected to a switch and has a few sub interfaces on it for the vlans (only 4).

I have noticed that this even occurs when I connect a laptop directly into a ASA port. I configured gi1/8 with an IP, plugged a laptop directly into the port and tracing to either the internet, or another machine on one of the SVI's resulted in the second packet being dropped.

I had thought of ICMP rate limiting, but I cant see anything in the ASA config about it and i'm not running any QoS anywhere either.

Thanks,

Alex

Ilkin · ‎03-15-2019

Tracing route to 172.20.1.6 over a maximum of 30 hops

  1    <1 ms     *       <1 ms  172.27.2.1
  2    <1 ms    <1 ms    <1 ms  172.20.1.6

In the output above is 172.27.2.1 ASA and is the behaviour consistent,t i.e. 2nd response is always dropped?

LordBoBCUP · ‎03-17-2019

Hi llkin, Yes 172.27.2.1 is the ASA (SVI interface on gi1/2.300). It is always consistent from both the SVI interfaces on the VLANs or even when I made a direct test interface. It is consistent when pinging anything as well, internal hosts or internet hosts so that rules out NAT etc too.

Ilkin · ‎03-17-2019

OK, so if the 1st hop is the ASA and the response for second probe is lost, then it has to do with the rate limit of ICMP unreacheables on ASA, which by default is 1 per second. You can try to increase the rate and check.

LordBoBCUP · ‎03-20-2019

Thank you very much llkin for taking the time to assist. I have modified the icmp unreachable rate and this has fixed the issue (albeit just a cosmetic issue).

I found

icmp unreachable rate-limit 1 burst-size 1

in the config and replaced it with

icmp unreachable rate-limit 5 burst-size 5