Denied ICMP type=0 ... : no matching session

itops
Level 1

Hi,

I am unable to get a ping response from a host whose gateway address is the ASA and which is configured on another VLAN. Note that I can connect to the host on other protocols, i.e. RDP, HTTP, 23, etc.

Topology is something like this.

My desktop is connected to a Layer 3 switch and the office has its own local internet breakout. All traffic points back to my core switch, which has a default gateway of the SonicWall. There is an SHDS connecting Office A to Office B, where my VMware stack is. VLAN1 & 2 are spanned over this SHDS and I have hosts sitting on VLAN1 & 2 at both sites. Site B has an ASA and it also has a local internet breakout, which is working fine.

Problem:

  • HostX at site B is configured on VLAN1 and I have a desktop-HostY at site A on VLAN1 as well. I am able to ping HostX from HostY and I can access all resources like RDP, HTTP, SSH etc.
  • HostX at site B is configured on VLAN2 and I have a desktop-HostY at site A on VLAN1,3,4,5. I am unable to ping HostX from HostY but I can access all resources like RDP, HTTP, SSH etc.

Note that HostX’s default gateway is the ASA at site B. 

Configuration applied so far:

  • configured tcp-state-bypass on VLAN1 and VLAN2 for the whole corporate range, i.e. 10.0.0.0/8 to 10.0.0.0/8 tcp-state-bypass
  • Intra traffic between two same security level interfaces is enabled
  • Enable traffic between two or more hosts connected to the same interface.
Is there anything which I have missed that could be denying the ICMP requests?

4 Replies

Rishabh Seth
Level 7

Can you try the following command:

# fixup protocol icmp

If it does not help, then try applying ASP captures, check why the ASA is dropping the traffic, and share the details.

Commands for the ASP capture:

cap asp-drop type asp-drop all

show cap asp-drop | include <source_ip of host>

Remove the capture:

no cap asp-drop

Hope it helps!!!

Hi Risseth,

fixup protocol icmp did not resolve the issue. Capture from the ASA below:

 show cap asp-drop | include 10.0.60.235
  43: 09:49:46.336698       802.1Q vlan#2 P0 10.0.2.49 > 10.0.60.235: icmp: echo reply Drop-reason: (inspect-icmp-seq-num-not-matched) ICMP Inspect seq num not matched
 100: 09:49:47.343289       802.1Q vlan#2 P0 10.0.2.49 > 10.0.60.235: icmp: echo reply
 161: 09:49:48.343121       802.1Q vlan#2 P0 10.0.2.49 > 10.0.60.235: icmp: echo reply
 237: 09:49:49.346997       802.1Q vlan#2 P0 10.0.2.49 > 10.0.60.235: icmp: echo reply
 308: 09:49:50.351468       802.1Q vlan#2 P0 10.0.2.49 > 10.0.60.235: icmp: echo reply
 381: 09:49:51.351468       802.1Q vlan#2 P0 10.0.2.49 > 10.0.60.235: icmp: echo reply
 451: 09:49:52.355648       802.1Q vlan#2 P0 10.0.2.49 > 10.0.60.235: icmp: echo reply
 531: 09:49:53.359310       802.1Q vlan#2 P0 10.0.2.49 > 10.0.60.235: icmp: echo reply
 600: 09:49:54.362942       802.1Q vlan#2 P0 10.0.2.49 > 10.0.60.235: icmp: echo reply
 655: 09:49:55.367794       802.1Q vlan#2 P0 10.0.2.49 > 10.0.60.235: icmp: echo reply
 710: 09:49:56.370494       802.1Q vlan#2 P0 10.0.2.49 > 10.0.60.235: icmp: echo reply
 779: 09:49:57.372905       802.1Q vlan#2 P0 10.0.2.49 > 10.0.60.235: icmp: echo reply
 852: 09:49:58.375255       802.1Q vlan#2 P0 10.0.2.49 > 10.0.60.235: icmp: echo reply
 915: 09:49:59.376185       802.1Q vlan#2 P0 10.0.2.49 > 10.0.60.235: icmp: echo reply
 988: 09:50:00.380885       802.1Q vlan#2 P0 10.0.2.49 > 10.0.60.235: icmp: echo reply
1060: 09:50:01.382319       802.1Q vlan#2 P0 10.0.2.49 > 10.0.60.235: icmp: echo reply
1139: 09:50:02.383174       802.1Q vlan#2 P0 10.0.2.49 > 10.0.60.235: icmp: echo reply
1222: 09:50:03.397531       802.1Q vlan#2 P0 10.0.2.49 > 10.0.60.235: icmp: echo reply
1295: 09:50:04.388377       802.1Q vlan#2 P0 10.0.2.49 > 10.0.60.235: icmp: echo reply
1359: 09:50:05.392206       802.1Q vlan#2 P0 10.0.2.49 > 10.0.60.235: icmp: echo reply
1430: 09:50:06.395258       802.1Q vlan#2 P0 10.0.2.49 > 10.0.60.235: icmp: echo reply
1504: 09:50:07.396936       802.1Q vlan#2 P0 10.0.2.49 > 10.0.60.235: icmp: echo reply
1563: 09:50:08.399362       802.1Q vlan#2 P0 10.0.2.49 > 10.0.60.235: icmp: echo reply
1638: 09:50:09.401529       802.1Q vlan#2 P0 10.0.2.49 > 10.0.60.235: icmp: echo reply
1705: 09:50:10.407037       802.1Q vlan#2 P0 10.0.2.49 > 10.0.60.235: icmp: echo reply
1778: 09:50:11.412240       802.1Q vlan#2 P0 10.0.2.49 > 10.0.60.235: icmp: echo reply
1842: 09:50:12.411096       802.1Q vlan#2 P0 10.0.2.49 > 10.0.60.235: icmp: echo reply
1882: 09:50:13.009765       802.1Q vlan#1 P0 10.0.60.235.61854 > 10.0.0.254.443: F 292292983:292292983(0) ack 2856598740 win 65535 <nop,nop,timestamp 1175996431 4124391004>
1921: 09:50:13.413018       802.1Q vlan#2 P0 10.0.2.49 > 10.0.60.235: icmp: echo reply
2000: 09:50:14.414742       802.1Q vlan#2 P0 10.0.2.49 > 10.0.60.235: icmp: echo reply
2072: 09:50:15.418816       802.1Q vlan#2 P0 10.0.2.49 > 10.0.60.235: icmp: echo reply
2152: 09:50:16.422768       802.1Q vlan#2 P0 10.0.2.49 > 10.0.60.235: icmp: echo reply
2237: 09:50:17.426186       802.1Q vlan#2 P0 10.0.2.49 > 10.0.60.235: icmp: echo reply
2308: 09:50:18.425881       802.1Q vlan#2 P0 10.0.2.49 > 10.0.60.235: icmp: echo reply
2387: 09:50:19.426216       802.1Q vlan#2 P0 10.0.2.49 > 10.0.60.235: icmp: echo reply
2463: 09:50:20.431236       802.1Q vlan#2 P0 10.0.2.49 > 10.0.60.235: icmp: echo reply
2525: 09:50:21.435890       802.1Q vlan#2 P0 10.0.2.49 > 10.0.60.235: icmp: echo reply
2589: 09:50:22.438804       802.1Q vlan#2 P0 10.0.2.49 > 10.0.60.235: icmp: echo reply
2669: 09:50:23.442314       802.1Q vlan#2 P0 10.0.2.49 > 10.0.60.235: icmp: echo reply
2749: 09:50:24.449958       802.1Q vlan#2 P0 10.0.2.49 > 10.0.60.235: icmp: echo reply
2819: 09:50:25.449470       802.1Q vlan#2 P0 10.0.2.49 > 10.0.60.235: icmp: echo reply
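Added example (not part of any post in this thread): a small Python parser for `show capture asp-drop` output in the line format shown above. The sample lines are copied from the capture posted above and are the only input it uses; the regular expression, the per-flow summary and the one-way echo check are my own construction, not an ASA feature. On a drop capture it reports which direction of a ping is being dropped and with which reason; run against an interface capture (`show capture <name>`, which prints the same tcpdump-style lines without the Drop-reason suffix) it flags echo replies for which no echo request appears in the same capture.

```python
from __future__ import annotations

import re
from collections import Counter, defaultdict

# Constructed sample input: four lines copied from the `show capture asp-drop`
# output posted in this thread (the full capture has many more echo replies).
SAMPLE_CAPTURE = """\
  43: 09:49:46.336698       802.1Q vlan#2 P0 10.0.2.49 > 10.0.60.235: icmp: echo reply Drop-reason: (inspect-icmp-seq-num-not-matched) ICMP Inspect seq num not matched
 100: 09:49:47.343289       802.1Q vlan#2 P0 10.0.2.49 > 10.0.60.235: icmp: echo reply
1882: 09:50:13.009765       802.1Q vlan#1 P0 10.0.60.235.61854 > 10.0.0.254.443: F 292292983:292292983(0) ack 2856598740 win 65535 <nop,nop,timestamp 1175996431 4124391004>
1921: 09:50:13.413018       802.1Q vlan#2 P0 10.0.2.49 > 10.0.60.235: icmp: echo reply
"""

# One capture line: "<n>: <time> [802.1Q vlan#N P0] <src>[.<port>] > <dst>[.<port>]: <desc> [Drop-reason: (<code>) ...]"
LINE_RE = re.compile(
    r"^\s*(?P<num>\d+):\s+(?P<time>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?:802\.1Q\s+(?P<vlan>vlan#\d+)\s+P\d+\s+)?"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?:\.(?P<sport>\d+))?\s+>\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?:\.(?P<dport>\d+))?:\s+"
    r"(?P<desc>.*?)(?:\s+Drop-reason:\s+\((?P<reason>[^)]+)\).*)?$"
)


def classify(desc: str, has_ports: bool) -> tuple[str, str]:
    """Map the tail of a capture line to (protocol, detail)."""
    if desc.startswith("icmp:"):
        return "icmp", desc[len("icmp:"):].strip()      # e.g. "echo reply"
    if desc.startswith("udp"):
        return "udp", desc
    if has_ports:
        return "tcp", desc.split(" ", 1)[0]             # TCP flags field, e.g. "F", "S", "."
    return "other", desc


def summarize(capture_text: str) -> dict[str, object]:
    """Count packets per flow and per drop reason, and flag one-way echo traffic."""
    flows: Counter[tuple[str, str, str, str, str]] = Counter()
    reasons: Counter[str] = Counter()
    echo_kinds: dict[tuple[str, str], set[str]] = defaultdict(set)
    unparsed: list[str] = []

    for line in capture_text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if m is None:
            unparsed.append(line.strip())
            continue
        proto, detail = classify(m["desc"], bool(m["sport"] and m["dport"]))
        flows[(m["vlan"] or "untagged", m["src"], m["dst"], proto, detail)] += 1
        if m["reason"]:
            reasons[m["reason"]] += 1
        if proto == "icmp" and detail in ("echo request", "echo reply"):
            echo_kinds[(m["src"], m["dst"])].add(detail)

    # Echo replies from A to B with no echo request from B to A anywhere in the same
    # capture. In a drop capture this only says which direction is being dropped; in an
    # interface capture it is the signature of a reply path the firewall did not see
    # the request on.
    one_way_echo = sorted(
        (src, dst)
        for (src, dst), kinds in echo_kinds.items()
        if kinds == {"echo reply"} and "echo request" not in echo_kinds.get((dst, src), set())
    )
    return {
        "flows": dict(flows),
        "reasons": dict(reasons),
        "one_way_echo": one_way_echo,
        "unparsed": unparsed,
    }


if __name__ == "__main__":
    summary = summarize(SAMPLE_CAPTURE)
    for flow, count in sorted(summary["flows"].items(), key=lambda kv: -kv[1]):
        print(count, *flow)
    print("drop reasons:", summary["reasons"])
    print("one-way echo flows:", summary["one_way_echo"])
```

To use it on a real capture, paste the full `show capture asp-drop` (or `show capture <name>`) output into a file and pass its contents to `summarize()`; lines the regex does not recognise are returned under `unparsed` rather than silently skipped.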

Hi,

inspect-icmp-seq-num-not-matched

From the ASP drops it is clear that the ASA is seeing a different sequence number in the reply than in the request.

Now you should take captures on the ingress and egress interfaces to compare the sequence numbers of the ICMP requests and replies.

If the sequence numbers are changing in the ICMP reply, then you should check why the target machine is sending wrong packets.

You can also try a ping test with a different source and destination.

Share the details of the ICMP captures, and also collect multiple outputs of the following command while pings are flowing in the network:

show service-policy | in icmp

Thanks,

R.Seth
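Added example, not from any participant in this thread: a simplified Python model of what a stateful ICMP inspection engine does with echo traffic, written to illustrate the two denial conditions that appear in this thread, the "no matching session" denial from the title and the "inspect-icmp-seq-num-not-matched" drop reason from the posted capture. It is not Cisco's implementation; the matching rule used here (a reply is forwarded only if it carries the ICMP ID and sequence number of an outstanding request seen in the opposite direction, one reply per request) is my simplification of what such an engine checks. `demo()` uses the two host addresses from the posted capture; the scenario in which echo requests reach the target without traversing the firewall while the replies come back through it is a constructed illustration of how replies end up with no session, not a finding about the poster's network.

```python
from __future__ import annotations

import struct
from dataclasses import dataclass, field

ECHO_REPLY = 0
ECHO_REQUEST = 8


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over an ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(icmp_type: int, ident: int, seq: int, payload: bytes = b"") -> bytes:
    """Build an ICMP echo request (type 8) or echo reply (type 0) message."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


def parse_echo(msg: bytes) -> tuple[int, int, int, int]:
    """Return (type, code, id, seq); raise ValueError on a short or corrupt message."""
    if len(msg) < 8:
        raise ValueError("ICMP message shorter than 8 bytes")
    if icmp_checksum(msg) != 0:          # a valid message checksums to zero
        raise ValueError("bad ICMP checksum")
    icmp_type, code, _csum, ident, seq = struct.unpack("!BBHHH", msg[:8])
    return icmp_type, code, ident, seq


@dataclass
class IcmpInspector:
    """Hypothetical stateful inspection of echo traffic (a model, not the ASA's code).

    A session is keyed by (requester, target, ICMP id) and holds the sequence numbers
    of requests not yet answered. A reply is forwarded only if it reverses the
    addresses of a known session and carries an outstanding sequence number; each
    request is allowed exactly one reply.
    """

    sessions: dict[tuple[str, str, int], set[int]] = field(default_factory=dict)

    def process(self, src: str, dst: str, msg: bytes) -> str:
        """Return 'forward' or a 'drop: <reason>' string for one ICMP message."""
        icmp_type, _code, ident, seq = parse_echo(msg)
        if icmp_type == ECHO_REQUEST:
            self.sessions.setdefault((src, dst, ident), set()).add(seq)
            return "forward"
        if icmp_type == ECHO_REPLY:
            key = (dst, src, ident)            # a reply reverses the request's direction
            outstanding = self.sessions.get(key)
            if outstanding is None:
                return "drop: no matching session"
            if seq not in outstanding:
                return "drop: inspect-icmp-seq-num-not-matched"
            outstanding.discard(seq)
            if not outstanding:
                del self.sessions[key]
            return "forward"
        return "drop: unsupported ICMP type (not modelled here)"


def demo() -> dict[str, object]:
    """Run four constructed scenarios and return the inspector's verdicts."""
    host_y, host_x = "10.0.60.235", "10.0.2.49"   # the two addresses in the posted capture
    results: dict[str, object] = {}

    # 1. Asymmetric path: requests reach host_x without crossing the firewall,
    #    but host_x's default gateway sends every reply through it.
    fw = IcmpInspector()
    results["asymmetric"] = [
        fw.process(host_x, host_y, build_echo(ECHO_REPLY, 1, seq, b"abcd")) for seq in range(1, 4)
    ]

    # 2. Symmetric path: the firewall sees each request before its reply.
    fw = IcmpInspector()
    verdicts = []
    for seq in range(1, 4):
        fw.process(host_y, host_x, build_echo(ECHO_REQUEST, 1, seq, b"abcd"))
        verdicts.append(fw.process(host_x, host_y, build_echo(ECHO_REPLY, 1, seq, b"abcd")))
    results["symmetric"] = verdicts

    # 3. Session exists, but the reply carries a sequence number that was never requested.
    fw = IcmpInspector()
    fw.process(host_y, host_x, build_echo(ECHO_REQUEST, 1, 10))
    results["seq_mismatch"] = fw.process(host_x, host_y, build_echo(ECHO_REPLY, 1, 11))

    # 4. A second reply to an already-answered request: the session is gone.
    fw = IcmpInspector()
    fw.process(host_y, host_x, build_echo(ECHO_REQUEST, 7, 1))
    fw.process(host_x, host_y, build_echo(ECHO_REPLY, 7, 1))
    results["duplicate_reply"] = fw.process(host_x, host_y, build_echo(ECHO_REPLY, 7, 1))
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The point of scenarios 1 and 3 is that the two drop conditions look different in the logs but share a cause: the inspection engine is judging a reply against request state it either never built or cannot match, which is why comparing ingress and egress captures of the same ping, as suggested above, is the right next step.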

Andre Neethling
Level 4

Hi. What version of ASA are you running?
