I was testing to see if I was having asymmetric routing to an ASA inside interface from a router. The following does not work and
on the ASA I get error ASA-3-313001: Denied ICMP type=8, code=0 ....
R1#ping Protocol [ip]: Target IP address: x.x.x.x Repeat count : 2 Datagram size : Timeout in seconds : Extended commands [n]: y Source address or interface: n.n.n.n Type of service : Set DF bit in IP header? [no]: Validate reply data? [no]: Data pattern [0xABCD]: Loose, Strict, Record, Timestamp, Verbose[none]: RNumber of hops [ 9 ]: Loose, Strict, Record, Timestamp, Verbose[RV]: Sweep range of sizes [n]: Type escape sequence to abort. Sending 2, 100-byte ICMP Echos to x.x.x.x, timeout is 2 seconds: Packet sent with a source address of n.n.n.n Packet has IP options: Total option bytes= 39, padded length=40
Record route: <*> (0.0.0.0) (0.0.0.0) (0.0.0.0) (0.0.0.0) (0.0.0.0) (0.0.0.0) (0.0.0.0) (0.0.0.0) (0.0.0.0)
Request 0 timed outRequest 1 timed out
However this works fine when I do a simple source ping.
R1# ping x.x.x.x source n.n.n.n
Anyone have any idea what the ASA might be doing with the Record option?
We are missing info,
Where is the router located?
What NAT do u have in place?
I think I figured it out. Max hop count allow is 9 here which results in the request timed out for the return path.
The error on the ASA though is questionable. Either way it is not a concrete test because of the > 9 hops