Solved: ICMP Inspect seq num not matched

dogiii · ‎03-28-2018

Hi guys,

I have a problem with my ASA.

The problem is as follows.

We have new Subnets in the 192.168.x.x range.

Our current setup is with 10.0.0.0 /8 range.

From the core switch all the vlans have been configured and work so far. However the new 192.168.x.x adresses are able to get to the internet and I can ping 8.8.8.8 however they can not ping the Web Filter (proxy barracuda) in between. So any connection with http and https will be dropped. The gateway for those adresses is 10.51.7.1 and the barraczuda has the IP address 10.51.7.5 . The asa is able to ping all Addresses. However a ping from one of the internal Ip addresses 192.168.x.x gives nme this error on a cap asp . ICMP Inspect seq num not matched

anyone got an idea wnhat the issue might be?

dogiii · ‎03-29-2018

I figured it out.

The barracuda proxy was just missing a route to the new internal subnet.
Having 0 know-how for barracudas this took me some time :)

Thanks for your help anyways!

View solution in original post

Octavian Szolga · ‎03-28-2018

Hi,

ICMP is one thing, proxy services (TCP 8080 or 3128 or any other you use) is another. I don't see the relation between ICMP not working and proxy services for barracuda (considering it's deployed as explicit proxy).

Anyway, leaving that aside, ICMP echo does have an ID and a seq no. The seq. no. should be used to detect out of order packets inside a "session" (same id).

You could disable ICMP inspection for that traffic flow and explicitly allow ICMP echo from inside (192) to outside (barracuda) and echo-reply from outside to inside. (because icmp inspection is disabled, you have to explicitly allow outbound trafficm- echo - + reply inbound - echo request)

Thanks,

Octavian

dogiii · ‎03-29-2018

I figured it out.

The barracuda proxy was just missing a route to the new internal subnet.
Having 0 know-how for barracudas this took me some time :)

Thanks for your help anyways!