Can not ping through ASA 8.2(5) error %-6-302021

Ali Koussan
Level 1

Hi,

I have a new ASA with 8.2(5). I tried to open ICMP between inside and outside for testing, but I'm always getting the error

%-6-302021 

An ICMP session is removed in the fast-path when stateful ICMP is enabled using the inspect icmp command.

Although I did not add inspect icmp in the default inspection class.

I have done the same configuration on another ASA with a different version, 8.0, and it works fine.

Any ideas!!

Configuration :

------------------------

access-list inside_access_in extended permit icmp any any
access-list outside_access_in extended permit icmp any any
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
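The 302021 message quoted above is a severity-6 teardown notice: the ASA emits it whenever an ICMP "connection" it tracked is removed, whether a reply came back or the ICMP idle timer simply expired, so by itself it does not say the firewall blocked anything. A real ACL block shows up as a different message (106023, "Deny ... by access-group"). The following script is an added example, not code from the thread or from Cisco: it sorts a batch of ASA syslog lines into bookkeeping, genuine denies and everything else, so a flood of 302021 messages is not mistaken for a block. The message IDs are real ASA IDs; the sample log lines at the bottom are constructed to resemble them and are not the poster's logs.

```python
"""Classify ASA syslog lines during an ICMP troubleshooting session.

Added example, not from the thread. 302020/302021 (ICMP connection
built/teardown) and 106023 (packet denied by an access-group) are real ASA
message IDs; SAMPLE_LOG below is constructed and is not the poster's log.
"""
import re
from collections import Counter

# Connection bookkeeping at severity 6: a teardown is normal housekeeping,
# emitted both when the reply arrived and when the ICMP idle timer expired.
BOOKKEEPING_IDS = {"302020", "302021"}
# Packet actually refused by an access-list: this is the message to look for first.
ACL_DENY_ID = "106023"

_HEADER = re.compile(r"%ASA-(?P<sev>\d)-(?P<msgid>\d{6}):\s*(?P<body>.*)")
_ICMP_CONN = re.compile(
    r"(?P<event>Built|Teardown).*?ICMP connection for "
    r"faddr (?P<faddr>[\d.]+)/\d+ gaddr (?P<gaddr>[\d.]+)/\d+ laddr (?P<laddr>[\d.]+)/\d+"
)
_ACL_DENY = re.compile(
    r"Deny (?P<proto>\w+) src (?P<src_if>[\w-]+):(?P<src>[\d.]+)\S* "
    r"dst (?P<dst_if>[\w-]+):(?P<dst>[\d.]+)\S*.*?by access-group \"?(?P<acl>[\w-]+)\"?"
)


def classify(line):
    """Return (kind, details) where kind is bookkeeping, drop, other or unparsed."""
    m = _HEADER.search(line)
    if not m:
        return "unparsed", {}
    msgid, body = m.group("msgid"), m.group("body")
    if msgid in BOOKKEEPING_IDS:
        c = _ICMP_CONN.search(body)
        return "bookkeeping", {**(c.groupdict() if c else {}), "msgid": msgid}
    if msgid == ACL_DENY_ID:
        d = _ACL_DENY.search(body)
        return "drop", {**(d.groupdict() if d else {}), "msgid": msgid}
    return "other", {"msgid": msgid}


def triage(lines):
    """Count lines per class and list the ACL names that actually denied ICMP."""
    counts = Counter()
    denying_acls = set()
    for line in lines:
        kind, info = classify(line)
        counts[kind] += 1
        if kind == "drop" and info.get("proto") == "icmp":
            denying_acls.add(info.get("acl", "?"))
    return {"counts": dict(counts), "icmp_denying_acls": sorted(denying_acls)}


# Constructed sample, not from the thread. 192.111.200.10 is the inside address
# mentioned later in the thread; 198.51.100.7 / 203.0.113.2 are documentation ranges.
SAMPLE_LOG = [
    "%ASA-6-302020: Built outbound ICMP connection for faddr 198.51.100.7/0 gaddr 203.0.113.2/1 laddr 192.111.200.10/1",
    "%ASA-6-302021: Teardown ICMP connection for faddr 198.51.100.7/0 gaddr 203.0.113.2/1 laddr 192.111.200.10/1",
    '%ASA-4-106023: Deny icmp src outside:198.51.100.7 dst inside:192.111.200.10 (type 8, code 0) by access-group "outside_access_in" [0x0, 0x0]',
    "%ASA-6-302013: Built outbound TCP connection 12 for outside:198.51.100.7/443 (198.51.100.7/443) to inside:192.111.200.10/51000 (203.0.113.2/51000)",
    "garbage line with no ASA header",
]

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

Running it on the sample reports two bookkeeping lines, one genuine drop by `outside_access_in`, one unrelated TCP line and one unparsed line. Pointing it at a `show logging` dump during a failing ping tells you within seconds whether any 106023 exists at all; in the situation described in this thread there would be none, which is what steers the investigation towards captures rather than the access-lists.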


varrao
Level 10

Hi Ali,

Please take captures and check where the packets are being dropped:

https://supportforums.cisco.com/docs/DOC-17814

Thanks,

Varun

Thanks,
Varun Rao

Run a packet-tracer command and find out what is really blocking the ICMP packet.

Hi,

I did a packet trace, and nothing stops the ICMP! But I'm still getting the error message, and no reply is passed.

I did not try the capture because the packet trace was successful...

Ali

Hi Ali,

No, that's not correct. Always rely on packet captures rather than the tracer; it might be an issue that you are not getting any replies from the remote device, and packet-tracer would not show that. The tracer should be used to hypothetically simulate traffic to check that everything is configured right.

Varun

Thanks,
Varun Rao

Hi Varun,

I did the packet trace, and it looks normal; only the ping request is shown, with no ping reply from the internal host.

I was able to solve the problem by changing the inside host IP to a private range (192.168.X.X) instead of (192.111.X.X)!! Our customer has an old network and is using a public IP range (192.111.0.0) for the internal network.

I do not know why, if I use a public IP on the inside (see the diagram), I have this communication problem!!

Is there a way to overcome this issue without changing the inside IP address of the ASA?

Thanks

Hi Ali,

Add the following commands on the ASA:

access-l cpo permit icmp any any

cap cpo access-l cpo interface inside

cap cpi access-l cpo interface outside

Now initiate a ping to an internet device and collect the following outputs:

show cap cpo

show cap cpi

show xl | in

Also, share the captures in pcap format using the following URLs:

https://IP_ADD_OF_ASA/capture/cpi/pcap

https://IP_ADD_OF_ASA/capture/cpo/pcap

Save files as inside.pcap and outside.pcap.

Need to see what is happening to traffic.

--

Anubhav Swami (Anna)

Hi Anubhav,

I did the capture. All I can see is the ping request from the inside host on the ingress interface, and the ping request from the inside host on the egress interface; no ICMP reply from the outside host!!

The same if I do the ping from the outside host to the inside host: no ICMP reply passes through the ASA!!

see the capture files attached

I have used another ASA with 8.3, and I used two different machines on the inside and on the outside. At the beginning, I got the same problem, but when I disabled the Windows firewall from the services on the host and reloaded the machines, the problem was solved!!

This solution did not work on my original ASA (8.2), although I checked the status of the Windows firewall on the inside and outside hosts, and for sure it is disabled!!

this is confusing ...

Any ideas

From the captures I see that the remote host does not reply back to the ICMP packets.

Had the ASA been dropping the packets we would have at least seen the ICMP reply packets.

One possible reason for this could be that the remote host responds only to IPs in its own subnet.

You can try translating the source IP using nat and global and see if that helps:

nat (inside) 3 192.111.200.10

global (outside) 3 interface

Shivangi
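The conclusion reached in the replies above comes from reading the inside and outside captures side by side and noticing that every echo request leaves without a matching reply. The script below is an added example, not code from the thread or from Cisco, that automates that check: it reads a classic libpcap file (link-type 1, Ethernet over IPv4) with only the Python standard library and lists the echo requests for which no reply with the same id/sequence and swapped addresses ever appears. The two capture files built at the bottom are constructed test data (192.111.200.10 is the inside address from the thread; 198.51.100.7 is a documentation address), not the poster's inside.pcap/outside.pcap; point `unanswered_requests` at the bytes of a real capture to use it on those.

```python
"""Match ICMP echo requests with their replies inside a pcap file.

Added example, not from the thread. Parses little-endian classic libpcap
files (link-type 1) carrying IPv4/ICMP; SYMPTOM_PCAP and HEALTHY_PCAP below
are constructed test captures, not the poster's files.
"""
import socket
import struct
from collections import OrderedDict

PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
IPPROTO_ICMP = 1
ECHO_REPLY, ECHO_REQUEST = 0, 8


def parse_pcap(data):
    """Yield (src_ip, dst_ip, icmp_type, icmp_id, icmp_seq) for each echo packet."""
    magic, _maj, _min, _tz, _sig, _snap, linktype = struct.unpack("<IHHiIII", data[:24])
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian classic pcap file")
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("unsupported link type %d" % linktype)
    off = 24
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack("<IIII", data[off:off + 16])
        off += 16
        frame = data[off:off + incl_len]
        off += incl_len
        if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
            continue
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4          # IPv4 header length in bytes
        if len(ip) < ihl + 8 or ip[9] != IPPROTO_ICMP:
            continue
        src = socket.inet_ntoa(ip[12:16])
        dst = socket.inet_ntoa(ip[16:20])
        icmp_type, _code, _csum, ident, seq = struct.unpack("!BBHHH", ip[ihl:ihl + 8])
        if icmp_type in (ECHO_REQUEST, ECHO_REPLY):
            yield src, dst, icmp_type, ident, seq


def unanswered_requests(data):
    """Return (src, dst, id, seq) for every echo request with no matching reply.

    A reply matches when its id/seq equal the request's and its addresses are
    the request's swapped; capture order is preserved in the result."""
    requests = OrderedDict()
    answered = set()
    for src, dst, typ, ident, seq in parse_pcap(data):
        if typ == ECHO_REQUEST:
            requests[(src, dst, ident, seq)] = None
        else:
            answered.add((dst, src, ident, seq))   # swapped so it keys like the request
    return [r for r in requests if r not in answered]


def _icmp_frame(src, dst, icmp_type, ident, seq):
    """Build a minimal Ethernet/IPv4/ICMP echo frame for test data.
    Checksums are left zero; the parser above does not verify them."""
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + b"abcdefgh"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, IPPROTO_ICMP, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    eth = b"\x02" * 6 + b"\x02" * 6 + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip + icmp


def _pcap(frames):
    """Wrap frames in a classic pcap file (global header + per-packet headers)."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for i, f in enumerate(frames):
        out.append(struct.pack("<IIII", 1_300_000_000 + i, 0, len(f), len(f)) + f)
    return b"".join(out)


INSIDE_HOST, REMOTE_HOST = "192.111.200.10", "198.51.100.7"   # constructed pair
# Models the symptom in the thread: requests leave, nothing ever comes back.
SYMPTOM_PCAP = _pcap([
    _icmp_frame(INSIDE_HOST, REMOTE_HOST, ECHO_REQUEST, 1, 1),
    _icmp_frame(INSIDE_HOST, REMOTE_HOST, ECHO_REQUEST, 1, 2),
])
# A healthy exchange: one request, one matching reply.
HEALTHY_PCAP = _pcap([
    _icmp_frame(INSIDE_HOST, REMOTE_HOST, ECHO_REQUEST, 1, 1),
    _icmp_frame(REMOTE_HOST, INSIDE_HOST, ECHO_REPLY, 1, 1),
])

if __name__ == "__main__":
    print("symptom capture, unanswered:", unanswered_requests(SYMPTOM_PCAP))
    print("healthy capture, unanswered:", unanswered_requests(HEALTHY_PCAP))
```

Run it against both the inside and the outside capture of the same ping burst. If the outside capture shows the requests leaving and the same (id, seq) pairs come back as unanswered on both interfaces, the ASA forwarded the request and the silence is on the far side, which is the reasoning the reply above applies and the reason a source translation (so the remote host sees an address it will answer) is worth trying; if the requests are unanswered on the inside capture but answered on the outside one, the reply reached the ASA and was dropped there, and the firewall's own logs and ACLs become the place to look.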
