07-04-2018 03:32 AM - edited 02-21-2020 07:56 AM
Hi
I have deployed ASA on a Firepower 4100 series chassis and configured one of the data interfaces as a management interface with an IP address. I connected a laptop directly to the management interface and tried to ping it, but I am unable to ping. The global policy is inspecting ICMP.
sh run int et1/5
!
interface Ethernet1/5
 management-only
 nameif management
 security-level 100
 ip address 10.10.10.3 255.255.255.0
In the logs I see the following. I have not enabled IPv6 under the management interface, as you can see above, but:
%ASA-6-302021: Teardown ICMP connection for faddr ff02::1/0 gaddr fe80::200:ff:fe01:3/0 laddr fe80::200:ff:fe01:3/0 type 134 code 0
Has anyone experienced this?
07-04-2018 05:49 AM
These look like Neighbour Discovery messages for ICMPv6. Hosts automatically send solicitation and advertisement messages to peers on a link. Is your machine IPv6 enabled? This could be when it tries to send to the link-local address of its peer.
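The log line from the original post, decoded along the lines of the reply above. This is an added example, not part of the thread: ICMPv6 type 134 is a Router Advertisement (RFC 4861) and ff02::1 is the all-nodes multicast group, so the entry is separate from the IPv4 ping. The `classify` function, the result field names and the second sample line are assumptions made for illustration.

```python
import ipaddress
import re

# ICMPv6 Neighbor Discovery message types (RFC 4861).
NDP_TYPES = {133: "Router Solicitation", 134: "Router Advertisement",
             135: "Neighbor Solicitation", 136: "Neighbor Advertisement",
             137: "Redirect"}

# Matches the ICMP Built/Teardown syslog layout shown in the post.
LINE_RE = re.compile(
    r"%ASA-\d-30202[01]: (?P<event>Built|Teardown)\b.*?ICMP connection for "
    r"faddr (?P<faddr>\S+)/\d+ gaddr (?P<gaddr>\S+)/\d+ "
    r"laddr (?P<laddr>\S+)/\d+(?: type (?P<type>\d+) code (?P<code>\d+))?")


def classify(line):
    """Return a summary dict for one ICMP syslog line, or None if unparsable."""
    m = LINE_RE.search(line)
    if not m:
        return None
    try:
        faddr = ipaddress.ip_address(m["faddr"])
        laddr = ipaddress.ip_address(m["laddr"])
    except ValueError:  # e.g. a configured name instead of an address
        return None
    icmp_type = int(m["type"]) if m["type"] else None
    # These type numbers only mean Neighbor Discovery when the flow is IPv6.
    ndp = NDP_TYPES.get(icmp_type) if faddr.version == 6 else None
    return {
        "event": m["event"],
        "ip_version": faddr.version,
        "icmp_type": icmp_type,
        "ndp": ndp,
        "faddr_multicast": faddr.is_multicast,
        "laddr_link_local": laddr.is_link_local,
        # IPv6 NDP chatter says nothing about a failing IPv4 ping.
        "relevant_to_ipv4_ping": faddr.version == 4,
    }


SAMPLES = [
    # Line quoted in the post.
    "%ASA-6-302021: Teardown ICMP connection for faddr ff02::1/0 gaddr "
    "fe80::200:ff:fe01:3/0 laddr fe80::200:ff:fe01:3/0 type 134 code 0",
    # Constructed IPv4 echo line for contrast (peer address is an assumption).
    "%ASA-6-302021: Teardown ICMP connection for faddr 10.10.10.50/0 gaddr "
    "10.10.10.3/0 laddr 10.10.10.3/0 type 8 code 0",
]
```

Filtering on `relevant_to_ipv4_ping` leaves only the entries worth reading while troubleshooting the IPv4 ping.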
07-04-2018 01:27 PM
Hi Rahul,
Thanks for the reply.
My machine (laptop) is not enabled for IPv6. I have assigned an IPv4 address to the management interface, connected my laptop directly to it with an IP address in the same subnet, and tried pinging the management IP; it is not responding.
07-04-2018 02:42 PM
This looks suspicious to me. Have you connected to the console, and are you able to ping locally in the 4100 and check the interface status when the laptop is connected?
BB
07-05-2018 05:37 AM
07-05-2018 04:21 PM - edited 07-05-2018 05:06 PM
It is possible there is a policy preventing ICMP.
1. Have you added your laptop IP to the SSH/HTTP allow lists on that interface and tried SSH/HTTPS?
2. Have you tried issuing a packet-tracer on this port with ICMP and/or SSH/HTTPS? What were the results?
-A