Solved: Re: ASA ping comes back with ?

pinchgem69 · ‎10-30-2017

ASA was moved to new location. IP was changed, but users were unable to connect. Moved ASA back to original location, changed IP back to original - users still unable to connect

When pinging ANY External IP - return code is '?'

Nothing major was changed (just IP back and forth), but not seeing where the issue is in the config

pinchgem69 · ‎11-07-2017

This issue was never resolved but they company I was helping with it took decided to move forward with something else

I'm closing this case

View solution in original post

Flavio Miranda · ‎10-30-2017

Hello @pinchgem69

if you changed IP address you probably need to change something else.

What about the default route to the Internet? Did you change the default-gateway?

Is nearly impossible to change IP without any further adjustments.

-If I helped you somehow, please, rate it as useful.-

pinchgem69 · ‎10-30-2017

Thanks for the reply

Unfortunately, I did not configure and then re-configure this ASA

While I'm sure the gateway et. al. was changing during the move and then put back the way it was supposed to be (at least for the most part) - I dont know for sure

I guess my main question is why a ping from the ASA would return '?' instead a U or '.'

Flavio Miranda · ‎10-30-2017

Alright, got it. Here it is:

? Unknown packet type

All the possibility here:

https://www.cisco.com/c/en/us/support/docs/ios-nx-os-software/ios-software-releases-121-mainline/12778-ping-traceroute.html

-If I helped you somehow, please, rate it as useful.-

pinchgem69 · ‎10-30-2017

I have been reading that article, but the 'debug IP packet' command doesnt appear to exist on the ASA

pinchgem69 · ‎10-30-2017

This seems incorrect

route outside 0.0.0.0 0.0.0.0 209.118.84.241 1
route inside 192.168.0.0 255.255.255.0 192.168.255.1 1

pinchgem69 · ‎11-07-2017

This issue was never resolved but they company I was helping with it took decided to move forward with something else

I'm closing this case

dinhduc260135494 · ‎05-17-2021

My case is virtual lab, and the virtual asa fail the ping to the gateway (which is the real switch), the result is "?" still. I went to the switch and tried to ping back to the gateway, first packet failed then others 5 succeeded. Then I went back to ASA and it ping like normal.

Seems like there's misunderstanding in icmp packet or something.

Marvin Rhoads · ‎05-18-2021

@dinhduc260135494 this is usually related to ARP cache entries.

When a new ASA with same IP addresses as one it replaced tries to ping an adjacent device, that device may have a cache entry for the old ASA's MAC address.

When an adjacent device without an ARP cache entry tries to ping the ASA the first icmp echo request may fail because the ARP cache for the ASA's address is empty. After the first request, the cache is populated and the subsequent pings succeed.

dinhduc260135494 · ‎05-18-2021

So if the device ARP cache entry contain the old MAC address for that ip, it will relearn the address by any protocol (ICMP echo-reply) even with empty cache right ? Or echo-reply has different operation? I can't ping from the virtual ASA (in debug icmp trace ASA say that they do the ICMP echo-request then ? appear), but when switch do the ICMP echo-request and it works fine. Or is this just a virtual lab thing ?