10-30-2017 01:10 PM - edited 02-21-2020 06:36 AM
ASA was moved to new location. IP was changed, but users were unable to connect. Moved ASA back to original location, changed IP back to original - users still unable to connect
When pinging ANY External IP - return code is '?'
Nothing major was changed (just IP back and forth), but not seeing where the issue is in the config
Solved! Go to Solution.
11-07-2017 06:25 AM
This issue was never resolved but they company I was helping with it took decided to move forward with something else
I'm closing this case
10-30-2017 01:17 PM
Hello @pinchgem69
if you changed IP address you probably need to change something else.
What about the default route to the Internet? Did you change the default-gateway?
Is nearly impossible to change IP without any further adjustments.
-If I helped you somehow, please, rate it as useful.-
10-30-2017 01:26 PM
Thanks for the reply
Unfortunately, I did not configure and then re-configure this ASA
While I'm sure the gateway et. al. was changing during the move and then put back the way it was supposed to be (at least for the most part) - I dont know for sure
I guess my main question is why a ping from the ASA would return '?' instead a U or '.'
10-30-2017 01:33 PM
Alright, got it. Here it is:
? Unknown packet type
All the possibility here:
-If I helped you somehow, please, rate it as useful.-
10-30-2017 01:36 PM
I have been reading that article, but the 'debug IP packet' command doesnt appear to exist on the ASA
10-30-2017 07:27 PM
This seems incorrect
route outside 0.0.0.0 0.0.0.0 209.118.84.241 1
route inside 192.168.0.0 255.255.255.0 192.168.255.1 1
11-07-2017 06:25 AM
This issue was never resolved but they company I was helping with it took decided to move forward with something else
I'm closing this case
05-17-2021 10:05 PM
My case is virtual lab, and the virtual asa fail the ping to the gateway (which is the real switch), the result is "?" still. I went to the switch and tried to ping back to the gateway, first packet failed then others 5 succeeded. Then I went back to ASA and it ping like normal.
Seems like there's misunderstanding in icmp packet or something.
05-18-2021 01:35 AM
@dinhduc260135494 this is usually related to ARP cache entries.
When a new ASA with same IP addresses as one it replaced tries to ping an adjacent device, that device may have a cache entry for the old ASA's MAC address.
When an adjacent device without an ARP cache entry tries to ping the ASA the first icmp echo request may fail because the ARP cache for the ASA's address is empty. After the first request, the cache is populated and the subsequent pings succeed.
05-18-2021 06:17 PM
So if the device ARP cache entry contain the old MAC address for that ip, it will relearn the address by any protocol (ICMP echo-reply) even with empty cache right ? Or echo-reply has different operation? I can't ping from the virtual ASA (in debug icmp trace ASA say that they do the ICMP echo-request then ? appear), but when switch do the ICMP echo-request and it works fine. Or is this just a virtual lab thing ?
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide