03-19-2019 02:04 AM - edited 03-19-2019 02:05 AM
Hi guys,
I have this "common scenario" where ASA drops traceroute traffic.
C:\Windows\system32>tracert -d 10.22.10.63
Tracing route to 10.22.10.63 over a maximum of 30 hops
1 <1 ms <1 ms <1 ms 10.22.20.254
2 2 ms 2 ms 2 ms 10.22.25.4
3 * * * Request timed out.
4 1 ms 1 ms 1 ms 10.22.10.63
Obviously the * is on the outside ASA interface. Here's the related config:
1. Capture on ASA for dropped traffic
capture cap4 type asp-drop acl-drop [Capturing - 774 bytes]
match icmp any any
4: 10:37:09.632840 10.22.1.62 > 10.22.20.1: icmp: time exceeded in-transit Drop-reason: (acl-drop) Flow is denied by configured rule
5: 10:37:13.346493 10.22.1.62 > 10.22.20.1: icmp: time exceeded in-transit Drop-reason: (acl-drop) Flow is denied by configured rule
6: 10:37:17.346966 10.22.1.62 > 10.22.20.1: icmp: time exceeded in-transit Drop-reason: (acl-drop) Flow is denied by configured rule
2. Interface config and acl-applied
show ip | i 10.22.1.62
Port-channel1.90 outside 10.22.1.62 255.255.255.240 CONFIG
access-group outside_in in interface outside
3. ACL config
sa outside_in | i icmp
access-list outside_in line 10 extended permit icmp any4 any4 log disable (hitcnt=20821163) 0xb47d85da
access-list outside_in line 12 extended permit icmp any4 any4 time-exceeded (hitcnt=0) 0xa0979724
4. ASA ICMP config
show run icmp
icmp unreachable rate-limit 10 burst-size 5
show run policy-map | i icmp
inspect icmp
inspect icmp error
Any idea is welcome!
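As an added example (not from the original poster or from Cisco), here is a small parser for the two outputs quoted above: the `capture ... type asp-drop` lines and the `show access-list` ACE lines with their hitcnt. It summarises the drops by flow and drop reason and lists ICMP ACEs that have never matched, which on this post flags line 12 (it sits behind line 10, whose unqualified `permit icmp any4 any4` already matches every ICMP type). The sample text is the post's own output, embedded inline.

```python
import re
from collections import Counter

# Constructed sample input: the asp-drop capture and ACL lines quoted in the post.
CAPTURE = """\
4: 10:37:09.632840 10.22.1.62 > 10.22.20.1: icmp: time exceeded in-transit Drop-reason: (acl-drop) Flow is denied by configured rule
5: 10:37:13.346493 10.22.1.62 > 10.22.20.1: icmp: time exceeded in-transit Drop-reason: (acl-drop) Flow is denied by configured rule
6: 10:37:17.346966 10.22.1.62 > 10.22.20.1: icmp: time exceeded in-transit Drop-reason: (acl-drop) Flow is denied by configured rule
"""
ACL = """\
access-list outside_in line 10 extended permit icmp any4 any4 log disable (hitcnt=20821163) 0xb47d85da
access-list outside_in line 12 extended permit icmp any4 any4 time-exceeded (hitcnt=0) 0xa0979724
"""

# One asp-drop capture line: "<n>: <time> <src> > <dst>: <proto>: <msg> Drop-reason: (<reason>) <detail>"
CAP_RE = re.compile(
    r"^(?P<num>\d+):\s+(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\s+>\s+(?P<dst>\d+\.\d+\.\d+\.\d+):\s+"
    r"(?P<proto>\w+):\s+(?P<msg>.*?)\s+Drop-reason:\s+\((?P<reason>[^)]+)\)\s+(?P<detail>.*)$"
)
# One extended ACE with hit counter; "rest" holds the ICMP type / log keywords, if any.
ACE_RE = re.compile(
    r"^access-list (?P<acl>\S+) line (?P<line>\d+) extended (?P<action>permit|deny) "
    r"(?P<proto>\S+) (?P<src>\S+) (?P<dst>\S+)(?P<rest>.*?)\s*\(hitcnt=(?P<hits>\d+)\)"
)

def parse_capture(text):
    """Return one dict per dropped-packet line; unparseable lines are skipped."""
    out = []
    for line in text.splitlines():
        m = CAP_RE.match(line.strip())
        if m:
            out.append(m.groupdict())
    return out

def drop_summary(drops):
    """Count drops by (src, dst, protocol, message, drop reason)."""
    return Counter((d["src"], d["dst"], d["proto"], d["msg"], d["reason"]) for d in drops)

def zero_hit_aces(text, proto="icmp"):
    """ACEs for `proto` whose hitcnt is 0: candidates for rules shadowed by an earlier, broader ACE."""
    res = []
    for line in text.splitlines():
        m = ACE_RE.match(line.strip())
        if m and m["proto"] == proto and int(m["hits"]) == 0:
            res.append((m["acl"], int(m["line"]), m["rest"].strip()))
    return res
```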
03-19-2019 11:57 AM
03-20-2019 01:36 AM
03-20-2019 08:55 AM
By default an ASA won't decrement the icmp ttl used by traceroute even if ICMP is otherwise allowed and inspected.
To get the full functionality including the ASA reporting its interface address in the path, you need to add a line to class-default as follows:
ciscoasa(config)# policy-map global_policy
ciscoasa(config-pmap)# class class-default
ciscoasa(config-pmap-c)# set connection decrement-ttl
Source:
03-20-2019 09:19 AM
03-20-2019 11:43 PM
Thank you guys, but this is not about ASA showing up.
On my original post I mentioned those * * * from traceroute are on the ASA.
There's also the asp-drop acl-drop capture I shared from the ASA. So the issue is that the ASA drops the traceroute...
03-21-2019 02:51 AM
The decrement-ttl will fix the * * * entries assuming everything else is configured correctly.
Your original post shows the ACL entry permitting icmp inbound is currently disabled:
access-list outside_in line 10 extended permit icmp any4 any4 log disable
03-21-2019 04:58 AM
Marvin, I have to disagree: decrement-ttl is present; had it not been present, those * * * would not show up, as the ASA IP would not be shown. Anyway, here's the config:
show run policy-map
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect sqlnet
inspect sunrpc
inspect http
inspect icmp
inspect dns preset_dns_map
inspect icmp error
inspect tftp
class SFR
sfr fail-open
class global-class
flow-export event-type all destination 10.22.10.63
class class-default
user-statistics accounting
set connection decrement-ttl
As for the ACL, the ACE is on aka ENABLED; it's only logging that's disabled.
Thanks,
Florin.
03-25-2019 03:30 AM
03-25-2019 02:02 PM
Hi Florin,
"time exceeded in-transit Drop-reason: (acl-drop) Flow is denied by configured rule"
As per this document:-
03-27-2019 06:45 AM
Hello RJI,
Thanks for the heads-up! Ahead of rule 10 there are only Allow rules; I moved it to rules no. 1 & 2 and I got the same output.
Review other causes:
03-27-2019 08:09 AM