So you have a remote

Fazil Haneefa · ‎11-05-2016

Hi Everyone,

I am facing an issue for a IP. The packet tracer on the asdm says the packet will be routed correctly and without any error from the ingress interface to the egress interface.

Now, when I capture the ingress interface, I can see the packets in wireshark. But I can't see those packets in the egress capture.

NB:- this particular ip is not reachable from the Firewall.

So my Question is, Is this a normal behavior that the ASA will not switch the packets from the ingress to egress if the destination host is not reachable, or it will be switched regardless of the reachability of the destination.

Or is this something on the ASA itself. I doubt this, because the rules pretty straight forward and another IP from the same subnet is working fine and again, the packet tracer tells me everything is fine for this particular IP.

Thank you everyone in advance.

Karsten Iwen · ‎11-06-2016

Your firewall (the same is true for every IP-device) needs to know to which address on layer2 the packet should be forwarded, For that an ARP packet is sent out. If there is no one answering, then the actual packet is discarded. This is normal behavior.

Fazil Haneefa · ‎11-07-2016

U mean the arp of the next hop for the egress interface, right?

The next hop is reachable by the way.

Karsten Iwen · ‎11-07-2016

So you have a remote destination in your case that is not reachable? I assumed your host is on the same outside network of the ASA.

Only the next hop (which can be a router) needs to be reachable in that case. If you don't see the egress-packets in that case, then I assume that your capture-statement is not matching that traffic.

Switching traffic between interfaces