Solved: traceroute from the switch directly connected via inside

M Mohammed · ‎01-25-2018

i can traceroute 8.8.8.8 from fw

fw/pri/act# traceroute 8.8.8.8

Type escape sequence to abort.
Tracing the route to 8.8.8.8

1 x.x.x.x0 msec 0 msec 0 msec
2 * *
x.14.214.71 0 msec
3 x.14.214.70 0 msec 10 msec 0 msec
4 x.170.246.225 0 msec * 0 msec
5 x.170.233.223 0 msec
x.14.237.179 0 msec
x.14.234.157 0 msec
6 google-public-dns-a.google.com (8.8.8.8) 0 msec 0 msec 10 msec

but when i do source of inside it does not work

fw/pri/act# traceroute 8.8.8.8 source inside

Type escape sequence to abort.
Tracing the route to 8.8.8.8

1 * * *
2 * * *
3 * * *

any advise

Marvin Rhoads · ‎01-27-2018

You cannot generally source traffic from one ASA interface to exit another one.

View solution in original post

Marvin Rhoads · ‎01-27-2018

You cannot generally source traffic from one ASA interface to exit another one.

Florin Barhala · ‎03-14-2018

Hi Marvin,

Can you detail your answer here please?

I need to run traceroute to IP_dst using as source another ASA interface, let's call it inside.

Isn't this possible? If not why does traceroute command on ASA have source option?

If I am not clear:

- ASA 9.6.x

- ASA interfaces: lan_data, lan_voice, outside

- show route | 1.2.3.4

S* 1.2.3.4 255.255.255.255 [1/0] via outside_interconnect_IP, outside

I need to run: traceroute 1.2.3.4 source lan_data

Thanks!

Marvin Rhoads · ‎03-14-2018

As far as I know, traceroute on an ASA will always be sourced from the interface that has the best route to the destination.

~~That's why there's no way to specify the source address.~~

Florin Barhala · ‎03-14-2018

Ok now I am really puzzled. First of all thanks for the lighting fast reply!
Now on ASA I have this menu:

traceroute 1.2.3.4 ?

numeric display numeric address
port specify port number
probe specify number of probes per hop
source specify source address or interface
timeout specify time out
ttl specify minimum and maximum ttl/hop-limit
use-icmp use ICMP probe packets
<cr>
traceroute 1.2.3.4 source ?

A.B.C.D Source address
Current available interface(s):
lan_data Name of interface GigabitEthernet0/0
lan_voice Name of interface GigabitEthernet0/1
outside Name of interface GigabitEthernet0/2

What do you make of it?

Florin Barhala · ‎03-16-2018

Marvin, did you manage to read my previous reply here?
I am still stuck to create a TAC case for couple weeks so if you have any idea - thanks in advance!

Marvin Rhoads · ‎03-16-2018

I'm not sure at this point. I amended my earlier reply to reflect my doubt and take into account the option you pointed out.

Why not just use an actual traceroute from the next hop inside? Or, failing that, a packet-tracer on the ASA?

Florin Barhala · ‎03-19-2018

Packet tracer indicates that packet is allowed.
Now since this is an ongoing issue and involves customer connectivity I was asked to provide a traceroute so everyone involved can see the hops "before the issue".

Since this is happening on lan_voice (only phones sit there) I am left with:
1. Using ASA for traceroute dst_IP source lan_voice
2. Cable a PC on lan_voice Vlan and run "tracert -d dst_IP"

I had to use the latter but as you might guess this is time consuming hence this entire discussion: traceroute using ASA source IP from one connected interface.

Marvin Rhoads · ‎03-19-2018

You could create an SVI on one of the switches that includes the lan_voice VLAN and traceroute from the switch using that as a source address.

You can also capture traffic from one of the devices having issues to demonstrate that the ASA is correctly handling the traffic.

Florin Barhala · ‎03-19-2018

SVI on the switch might help. As we speak we are passed this, still my need to tshoot the FW at demand is still on.

As I said I will open a TAC case the moment I ll receive access to the service contracts.

M Mohammed · ‎03-21-2018

@Florin Barhala

Please share the end result once you log the case with TAC

Many thanks

MM