traceroute and mtr do not work with ASA 5525

We recently upgraded an ASA 5520 to an ASA 5525 and some of my diagnostic tools no longer work as expected. One example is MTR -- which I use a lot for diagnosis.  For example, if I mtr to 12.27.224.24 from an internal machine I get:

mtr -r -c 10 -n 12.27.224.24

               Loss%  Last   Avg  Best  Wrst StDev
10.212.209.1   0.0%   0.3   0.3   0.2   0.4   0.0
12.27.224.24   0.0%   0.6   0.5   0.5   0.6   0.0

However, if I send the same request out through an interface that bypasses the firewall I get:

sudo mtr -r -c 10 -n --address 198.204.115.86 12.27.224.24

                        Loss%  Last   Avg  Best  Wrst StDev
198.204.115.1           0.0%   0.3   0.4   0.2   1.6   0.4
209.234.172.13          0.0%   0.9   1.1   0.8   2.3   0.5
64.129.238.182          0.0%   1.8  11.7   1.8  51.1  20.2
12.91.226.9             0.0%  47.2  12.1   2.1  56.8  21.1
12.122.104.70           0.0%   3.1   4.6   2.5   6.3   1.3
12.123.30.249           0.0%  32.8   9.3   3.7  32.8   8.6
12.122.129.221          0.0%   5.4   3.4   2.4   6.9   1.6
12.249.74.142           0.0%   3.9   6.1   3.9  13.4   3.8
???                     100.0   0.0   0.0   0.0   0.0   0.0

Which is what I expected (the destination will not accept traffic from 198.204.115.86, so the last hop is always a 100% loss).

It worked before and the vendor claims he migrated the configuration from the 5520 without making any significant changes. Is this something that can be fixed?

3 Replies

Seb Rupik
VIP Alumni

Hi Stephen,

It looks like ICMP traffic is being dropped by your firewall.

You should add 'inspect icmp' to the inspection engine, which will dynamically allow the icmp echo reply back through. You can find details on its configuration here:

http://www.cisco.com/en/US/docs/security/asa/command-reference/i2.html#wp1760396

cheers,

Seb.

If only it were that simple.  ICMP works fine.

If I use tshark on a remote machine then ping it from a local box I see (198.204.115.201 is the outgoing NAT address.):

  0.000000 198.204.115.201 -> 216.117.215.8 ICMP Echo (ping) request
  0.000049 216.117.215.8 -> 198.204.115.201 ICMP Echo (ping) reply
  1.000066 198.204.115.201 -> 216.117.215.8 ICMP Echo (ping) request
  1.000111 216.117.215.8 -> 198.204.115.201 ICMP Echo (ping) reply

If I repeat the above but use mtr on the local box, tshark reports:

      Zip... Zilch... Nada... Nothing...

but tshark on the source machine reports:

Capturing on eth0
  0.000000 10.212.209.51 -> 216.117.215.8 ICMP Echo (ping) request
  0.000491 216.117.215.8 -> 10.212.209.51 ICMP Time-to-live exceeded (Time to live exceeded in transit)
  0.501257 10.212.209.51 -> 216.117.215.8 ICMP Echo (ping) request
  0.501447 10.212.209.1 -> 10.212.209.51 ICMP Time-to-live exceeded (Time to live exceeded in transit)

Exactly as expected -- for the first hop.

Something in the 5525 configuration is stopping the icmp from mtr but not for ping. Maybe there is some "evil hacker tool" rule that was added -- dunno.

Got it!

policy-map global_policy
 class inspection_default
  inspect icmp error

It is always easy after you know the answer.
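As an added illustration (not from this thread and not Cisco's code), here is a toy Python model of why 'inspect icmp error' matters behind NAT: an echo reply carries the session's own addresses and is matched directly, but a Time Exceeded arrives from an intermediate hop addressed to the NAT address, so only the original header quoted inside it can tie it back to a session. The inside and NAT addresses are the thread's; the hop 203.0.113.7, the ICMP identifier and the static NAT mapping are constructed for the example.

```python
import struct
from ipaddress import IPv4Address

def ip_hdr(src, dst, payload_len, ttl=64):
    # Minimal IPv4 header, protocol 1 (ICMP); checksum left as zero in this toy model
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, 1, 0,
                       IPv4Address(src).packed, IPv4Address(dst).packed)

def echo(src, dst, ident, seq, ttl=64, itype=8):
    # itype 8 = echo request (what ping and mtr send), 0 = echo reply
    return ip_hdr(src, dst, 8, ttl) + struct.pack("!BBHHH", itype, 0, 0, ident, seq)

def time_exceeded(hop, dst, original):
    # RFC 792 type 11 / code 0: 4 unused bytes, then the offending IP header + first 8 bytes
    quoted = original[:28]
    return ip_hdr(hop, dst, 8 + len(quoted)) + struct.pack("!BBHI", 11, 0, 0, 0) + quoted

def parse(pkt):
    # (src, dst, icmp type, icmp identifier) of a header-only IPv4/ICMP datagram
    return (str(IPv4Address(pkt[12:16])), str(IPv4Address(pkt[16:20])),
            pkt[20], struct.unpack("!H", pkt[24:26])[0])

class AsaIcmpInspect:
    """Toy model of stateful ICMP handling behind a static NAT (an assumption, not ASA code)."""
    def __init__(self, nat, icmp_error=False):
        self.nat, self.icmp_error, self.flows = nat, icmp_error, {}

    def outbound(self, pkt):
        src, dst, _, ident = parse(pkt)
        mapped = self.nat[src]
        self.flows[(mapped, dst, ident)] = src  # session keyed on the translated tuple
        return pkt[:12] + IPv4Address(mapped).packed + pkt[16:]

    def inbound(self, pkt):
        """Packet rewritten for the inside host, or None when the firewall drops it."""
        src, dst, itype, ident = parse(pkt)
        if itype == 0:  # echo reply: its own addresses match the session
            inside = self.flows.get((dst, src, ident))
            return None if inside is None else pkt[:16] + IPv4Address(inside).packed + pkt[20:]
        if itype in (3, 11):  # ICMP error: outer src is the hop, not the flow's destination
            if not self.icmp_error:
                return None  # nothing ties the outer header to a session, so it is dropped
            inner = pkt[28:]  # the quoted original datagram carries the NATed tuple
            isrc, idst, _, iident = parse(inner)
            inside = self.flows.get((isrc, idst, iident))
            if inside is None:
                return None
            packed = IPv4Address(inside).packed  # un-translate outer dst and quoted src
            return pkt[:16] + packed + pkt[20:28] + inner[:12] + packed + inner[16:]
        return None
```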
