10-04-2018 01:30 PM - edited 02-21-2020 08:19 AM
Hi
Source is getting SYN,ACK from destination but rather than sending final SYN it sends Host Unreachable.
Capture attached.
Kindly advise.
Thanks
10-04-2018 02:04 PM
Can you post the configuration to review.
10-07-2018 12:15 AM
Hello,
Where were these captures taken? This host unreachable ICMP error indicates that the end host is either not reachable through some router in between the path (could be a firewall) or the host does not have a default gateway configured. In your case, the SYN packet goes out fine. We need to identify where these captures were taken and find out if the Unreachable was sent out by the host itself or by some layer 3 device in between.
https://www.savvius.com/networking-glossary/tcp_ip_overview/icmp/unreachable/
HTH
AJ
10-07-2018 03:10 AM
Hi Ajay
Topology is like ASA 1 -> ASA 2 - > Host
I am doing a TCP ping from ASA 1 outside interface to Host; the capture is of the inside interface of ASA 1.
ASA 1 is translating the IPs as per the NAT rule properly, as it should.
The comm is like
ASA sends SYN
Host Sends SYN,ACK
Then the 3rd packet sent is an unreachable to the host ...
So the issue is on ASA 1 I think... because the host is responding. I have taken captures on ASA 1 & 2 both... the host sends SYN, ACK
but ASA 1 sends unreachable in place of SYN ...
Attached is the capture of the outside interface..
Thanks
10-07-2018 03:18 AM
So, you are doing a TCP based ping from ASA1, is that correct? Or is the ping from a host behind the ASA1?
Can you provide the command that you are issuing on the ASA1 or the host to run this ping.
-
AJ
10-07-2018 10:39 AM
Hi Ajay
Yes, That is correct.
I am doing a TCP based ping from ASA 1 and am doing it from ASDM -> Tools -> Ping
By giving source interface and IP.
Thanks
10-07-2018 11:58 PM
Ah, if you are trying to ping outside IP addresses sourced from the inside interface of the ASA, it will never work. That's the ASA design; you should source from the interface of the ASA which has the route towards the destination to be pinged.
-
HTH
AJ
10-08-2018 01:48 AM
Hi Ajay
That is what I am doing, from OUTSIDE to INSIDE
Thanks
10-08-2018 01:57 AM
Hello,
So, this won't work across interfaces if you want to source from an ASA interface or ping to an ASA interface when not connected to that interface.
HTH
AJ
10-08-2018 02:20 AM
hi Ajay
Outside interface is connected to MPLS network where actual source resides.
So in spite of asking the actual source to try again and again, I am trying to investigate this issue by creating a TCP connection from the ASA itself, taking the outside interface as source and using the source IP ... which works fine till SYN,ACK but it sends the 3rd packet as unreachable ...
Thanks
10-08-2018 10:44 PM
Since the ASA does not own that IP address, that's a valid reason why it should be sending the host unreachable error message.
Ideally, in a router scenario, you would have created a loopback interface and tested, but ASA won't be as friendly as you want it to be. I would suggest looking for alternatives.
HTH
AJ
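Added example, not from the thread or from Cisco: a small Python check over a constructed capture summary that flags the pattern discussed above (SYN answered by SYN/ACK, then an ICMP unreachable from the sender instead of the final ACK) and notes when the SYN was sourced from an address the capturing device does not own. All addresses, packet records and the owned-address set are constructed assumptions.

```python
from dataclasses import dataclass
from typing import List, Set

# Constructed packet summaries (not the thread's attached capture).
@dataclass
class Pkt:
    src: str
    dst: str
    proto: str        # "TCP" or "ICMP"
    flags: str = ""   # TCP flags: "S" = SYN, "SA" = SYN/ACK, "A" = ACK
    icmp: str = ""    # ICMP message, e.g. "host-unreachable"

# Assumed: addresses the capturing ASA actually owns (documentation ranges).
ASA_OWNED = {"203.0.113.1", "192.0.2.1"}

# The thread's symptom: SYN sourced from a borrowed MPLS-side address, the
# host answers SYN/ACK, and the ASA then emits ICMP host unreachable.
SYMPTOM_CAPTURE = [
    Pkt("198.51.100.7", "192.0.2.50", "TCP", flags="S"),
    Pkt("192.0.2.50", "198.51.100.7", "TCP", flags="SA"),
    Pkt("203.0.113.1", "192.0.2.50", "ICMP", icmp="host-unreachable"),
]

# A healthy handshake sourced from the ASA's own interface address.
GOOD_CAPTURE = [
    Pkt("203.0.113.1", "192.0.2.50", "TCP", flags="S"),
    Pkt("192.0.2.50", "203.0.113.1", "TCP", flags="SA"),
    Pkt("203.0.113.1", "192.0.2.50", "TCP", flags="A"),
]

def classify_handshake(pkts: List[Pkt], owned: Set[str]) -> str:
    """Verdict for the first TCP handshake attempt found in pkts."""
    syn = next((p for p in pkts if p.proto == "TCP" and p.flags == "S"), None)
    if syn is None:
        return "no-syn"
    synack = next((p for p in pkts if p.proto == "TCP" and p.flags == "SA"
                   and p.src == syn.dst and p.dst == syn.src), None)
    if synack is None:
        return "no-synack"          # server side never answered
    for p in pkts[pkts.index(synack) + 1:]:
        if p.proto == "TCP" and p.src == syn.src and p.dst == syn.dst and "A" in p.flags:
            return "complete"
        if p.proto == "ICMP" and "unreachable" in p.icmp and p.dst == syn.dst:
            # Sender side gave up after the SYN/ACK. If the SYN carried an
            # address the sender does not own, it cannot complete the handshake.
            if syn.src not in owned:
                return "unreachable-after-synack: syn source not owned by sender"
            return "unreachable-after-synack"
    return "incomplete"             # SYN/ACK seen but nothing followed
```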