Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1031
Views
0
Helpful
3
Replies

Reverse Route Verification on ASA

xayavongp
Level 1
Level 1

‎03-06-2014 02:57 PM - edited ‎03-11-2019 08:54 PM

I was testing to see if I was having asymmetric routing to an ASA inside interface from a router. The following does not work and

on the ASA I get error ASA-3-313001: Denied ICMP type=8, code=0 ....

R1#ping
Protocol [ip]:
Target IP address: x.x.x.x
Repeat count [5]: 2
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: n.n.n.n
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]: RNumber of hops [ 9 ]:
Loose, Strict, Record, Timestamp, Verbose[RV]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 2, 100-byte ICMP Echos to x.x.x.x, timeout is 2 seconds:
Packet sent with a source address of n.n.n.n
Packet has IP options:  Total option bytes= 39, padded length=40

Record route: <*>
   (0.0.0.0)
   (0.0.0.0)
   (0.0.0.0)
   (0.0.0.0)
   (0.0.0.0)
   (0.0.0.0)
   (0.0.0.0)
   (0.0.0.0)
   (0.0.0.0)

Request 0 timed out
Request 1 timed out

However this works fine when I do a simple source ping.

R1# ping x.x.x.x source n.n.n.n

Anyone have any idea what the ASA might be doing with the Record option?

Labels:
0 Helpful
3 Replies 3

Julio Carvajal
VIP Alumni
VIP Alumni

‎03-06-2014 04:46 PM

We are missing info,

Where is the router located?

What NAT do u have in place?

Looking for some Networking Assistance? 
Contact me directly at jcarvaja@laguiadelnetworking.com

I will fix your problem ASAP.

Cheers,

Julio Carvajal Segura
http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
0 Helpful

xayavongp
Level 1
Level 1
In response to Julio Carvajal

‎03-07-2014 05:29 AM

Sorry I forgot to say this is strictly from a router ( 5 hops away) on the inside going to the ASA inside interface.

0 Helpful

xayavongp
Level 1
Level 1
In response to xayavongp

‎03-07-2014 06:40 AM

I think I figured it out. Max hop count allow is 9 here which results in the request timed out for the return path.

The error on the ASA though is questionable. Either way it is not a concrete test because of the > 9 hops

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card