05-25-2014 05:53 PM - edited 03-11-2019 09:14 PM
Hi Everyone,
Here is the setup:
Switch -------------------------ASA1----Active
ASA1----Standby
The ASA is configured as Active/Standby.
The ASA has a DHCP config that provides the PC with IP 10.0.0.11.
From the switch I can ping my PC:
1#ping 10.0.0.11
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.11, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/6/9 ms
Switch info
1#sh ip int brief
Interface              IP-Address      OK? Method Status                Protocol
Vlan1                  10.0.0.4        YES NVRAM  up                    up
FastEthernet1/0/1      unassigned      YES unset  up                    up
FastEthernet1/0/2      unassigned      YES unset  up                    up
FastEthernet1/0/3      unassigned      YES unset  down                  down
FastEthernet1/0/4      unassigned      YES unset  down                  down
FastEthernet1/0/5      unassigned      YES unset  down                  down
FastEthernet1/0/6      unassigned      YES unset  down                  down
FastEthernet1/0/7      unassigned      YES unset  down                  down
FastEthernet1/0/8      unassigned      YES unset  down                  down
FastEthernet1/0/9      unassigned      YES unset  down                  down
FastEthernet1/0/10     unassigned      YES unset  down                  down
FastEthernet1/0/11     unassigned      YES unset  down                  down
FastEthernet1/0/12     unassigned      YES unset  down                  down
FastEthernet1/0/13     unassigned      YES unset  down                  down
FastEthernet1/0/14     unassigned      YES unset  down                  down
FastEthernet1/0/15     unassigned      YES unset  down                  down
FastEthernet1/0/16     unassigned      YES unset  down                  down
FastEthernet1/0/17     unassigned      YES unset  down                  down
FastEthernet1/0/18     unassigned      YES unset  down                  down
FastEthernet1/0/19     unassigned      YES unset  down                  down
FastEthernet1/0/20     unassigned      YES unset  down                  down
FastEthernet1/0/21     unassigned      YES unset  down                  down
FastEthernet1/0/22     unassigned      YES unset  down                  down
FastEthernet1/0/23     unassigned      YES unset  down                  down
FastEthernet1/0/24     unassigned      YES unset  down                  down
GigabitEthernet1/0/1   unassigned      YES unset  administratively down down
GigabitEthernet1/0/2   unassigned      YES unset  administratively down down
Loopback0              10.1.0.1        YES NVRAM  up                    up
Loopback1              10.1.1.1        YES NVRAM  up                    up
Loopback2              10.1.2.1        YES NVRAM  up                    up
Loopback3              10.1.3.1        YES NVRAM  up                    up
Loopback4              10.1.4.1        YES NVRAM  up                    up
Loopback5              10.1.5.1        YES NVRAM  up                    up
Loopback6              10.1.6.1        YES NVRAM  up                    up
Loopback7              192.168.50.1    YES NVRAM  up                    up
Loopback8              unassigned      YES NVRAM  up                    up
R1#
The ASA has Vlan 1 as its inside interface with IP 10.0.0.1 and has a direct connection to the switch on VLAN 1.
From the ASA I can ping 10.1.0.1:
ASA1# ping 10.1.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.0.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
From the PC I can not ping IP 10.1.0.1.
Logs from the ASA:
May 25 2014 18:40:33: %ASA-6-302020: Built outbound ICMP connection for faddr 10.1.0.1/0 gaddr 10.0.0.11/1 laddr 10.0.0.11/1
May 25 2014 18:40:35: %ASA-6-302021: Teardown ICMP connection for faddr 10.1.0.1/0 gaddr 10.0.0.11/1 laddr 10.0.0.11/1
ASA info
ASA1# sh int
ASA1# sh interface ip brief
Interface                  IP-Address      OK? Method Status                Protocol
Ethernet0/0                unassigned      YES unset  up                    up
Ethernet0/1                unassigned      YES unset  up                    up
Ethernet0/2                unassigned      YES unset  up                    up
Ethernet0/3                unassigned      YES unset  down                  down
Ethernet0/4                unassigned      YES unset  up                    up
Ethernet0/5                unassigned      YES unset  up                    up
Ethernet0/6                unassigned      YES unset  administratively down down
Ethernet0/7                unassigned      YES unset  administratively down down
Internal-Data0/0           unassigned      YES unset  up                    up
Internal-Data0/1           unassigned      YES unset  up                    up
Vlan1                      10.0.0.1        YES CONFIG up                    up
Vlan2                      96.x.x.x.   YES manual up                    up
Vlan3                      10.12.12.1      YES CONFIG up                    up
Vlan30                     10.30.30.1      YES unset  up                    up
Virtual0                   127.1.0.1       YES unset  up                    up
I need to know why this ping is not working. Is this due to NAT? Also, why is the ASA looking for the loopback IP of the switch in the outside direction?
Regards
Mahesh
05-26-2014 11:18 AM
Hi Mahesh,
What's your netmask on VLAN1?
You can try from the switch: ping 10.0.0.11 source Lo0; does that work?
Also please attach show route on the ASA and switch (if it is a layer 3 switch)...
Patrick
05-26-2014 11:26 AM
Hi Patrick,
Vlan1 has netmask 255.255.255.0.
1#ping 10.0.0.14 source loopback 0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.14, timeout is 2 seconds:
Packet sent with a source address of 10.1.0.1
.....
Success rate is 0 percent (0/5)
Above is the ping from the switch to the PC IP.
The switch is layer 3.
1#sh int vlan1
Vlan1 is up, line protocol is up
  Hardware is EtherSVI, address is 0011.bb5e.e240 (bia 0011.bb5e.e240)
  Internet address is 10.0.0.4/24
Route info
1#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route
Gateway of last resort is 10.0.0.1 to network 0.0.0.0
     10.0.0.0/24 is subnetted, 8 subnets
C       10.1.3.0 is directly connected, Loopback3
C       10.1.2.0 is directly connected, Loopback2
C       10.1.1.0 is directly connected, Loopback1
C       10.0.0.0 is directly connected, Vlan1
C       10.1.0.0 is directly connected, Loopback0
C       10.1.6.0 is directly connected, Loopback6
C       10.1.5.0 is directly connected, Loopback5
C       10.1.4.0 is directly connected, Loopback4
C    192.168.50.0/24 is directly connected, Loopback7
S*   0.0.0.0/0 [1/0] via 10.0.0.1
ASA1# sh run route
route outside 0.0.0.0 0.0.0.0 96.51.148.1 1
route inside 10.1.0.0 255.255.0.0 10.0.0.4 1
route inside 192.168.50.0 255.255.255.0 10.0.0.4 1
Regards
Mahesh
05-26-2014 01:19 PM
Mahesh,
What's the default gateway for the PC? ("route print" from command prompt if it's a Windows host)
If it's not 10.0.0.1 on the ASA then your ping will fail.
05-26-2014 01:24 PM
Hi Marvin,
The PC has a default gateway of 10.0.0.1.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.
C:\Users\manveer>route print
===========================================================================
Interface List
 25...74 e5 0b 5b e7 89 ......Microsoft Virtual WiFi Miniport Adapter #2
 23...74 e5 0b 5b e7 89 ......Microsoft Virtual WiFi Miniport Adapter
 21...74 e5 0b 5b e7 88 ......Intel(R) WiFi Link 1000 BGN
 13...f0 bf 97 de 4f 48 ......Atheros AR8151 PCI-E Gigabit Ethernet Controller (
NDIS 6.20)
 12...94 39 e5 97 60 b5 ......Bluetooth Device (Personal Area Network)
  1...........................Software Loopback Interface 1
===========================================================================
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0         10.0.0.1        10.0.0.14     25
         10.0.0.0    255.255.255.0         On-link         10.0.0.14    281
        10.0.0.14  255.255.255.255         On-link         10.0.0.14    281
       10.0.0.255  255.255.255.255         On-link         10.0.0.14    281
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link         10.0.0.14    281
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link         10.0.0.14    281
===========================================================================
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
          0.0.0.0          0.0.0.0     192.168.98.1  Default
===========================================================================
IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
  1    306 ::1/128                  On-link
 21    281 fe80::/64                On-link
 21    281 fe80::f54f:db1d:f86:1184/128
                                    On-link
  1    306 ff00::/8                 On-link
 21    281 ff00::/8                 On-link
===========================================================================
Persistent Routes:
  None
C:\Users\manveer>ipconfig
Windows IP Configuration
Wireless LAN adapter Wireless Network Connection 3:
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
Wireless LAN adapter Wireless Network Connection 2:
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
Wireless LAN adapter Wireless Network Connection:
   Connection-specific DNS Suffix  . :
   Link-local IPv6 Address . . . . . : fe80::f54f:db1d:f86:1184%21
   IPv4 Address. . . . . . . . . . . : 10.0.0.14
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.0.0.1
Ethernet adapter Local Area Connection:
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
Ethernet adapter Bluetooth Network Connection:
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
Regards
Mahesh
05-26-2014 01:40 PM
Try removing the persistent default route:
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
          0.0.0.0          0.0.0.0     192.168.98.1  Default
05-26-2014 02:29 PM
Deleted the persistent route and pinged 10.1.0.1; still the same thing.
Logs from the ASA:
May 26 2014 15:15:08: %ASA-6-302020: Built outbound ICMP connection for faddr 10.1.0.1/0 gaddr 10.0.0.14/1 laddr 10.0.0.14/1
May 26 2014 15:15:10: %ASA-6-302021: Teardown ICMP connection for faddr 10.1.0.1/0 gaddr 10.0.0.14/1 laddr 10.0.0.14/1
05-26-2014 04:52 PM
I think you are getting asymmetric routing since the switch is the same place your PC is attached.
Your PC pings an address on the 10.1.0.0 network. It sends it to the ASA (default gateway). ASA has a static route to that network so it sends the packet back to the switch. The switch receives the echo request and then creates a reply to the PC. At this point I believe the reply does not go via the ASA but instead tries and fails to go back to the PC via the switch's 10.0.0.4 address since a connected route takes priority over a static route (given the same prefix).
Try adding a static route in the switch to your PC address:
ip route 10.0.0.14 255.255.255.255 10.0.0.1
That should force the return traffic via the ASA. Make sure you have "same-security-traffic intra-interface" enabled on the ASA.
05-26-2014 05:19 PM
I configured the static route on the switch:
1#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route
Gateway of last resort is 10.0.0.1 to network 0.0.0.0
     10.0.0.0/8 is variably subnetted, 9 subnets, 2 masks
S       10.0.0.14/32 [1/0] via 10.0.0.1
C       10.1.3.0/24 is directly connected, Loopback3
C       10.1.2.0/24 is directly connected, Loopback2
C       10.1.1.0/24 is directly connected, Loopback1
C       10.0.0.0/24 is directly connected, Vlan1
C       10.1.0.0/24 is directly connected, Loopback0
C       10.1.6.0/24 is directly connected, Loopback6
C       10.1.5.0/24 is directly connected, Loopback5
C       10.1.4.0/24 is directly connected, Loopback4
C    192.168.50.0/24 is directly connected, Loopback7
S*   0.0.0.0/0 [1/0] via 10.0.0.1
The ASA is configured for same-security-traffic.
Still the same thing.
After adding the route to the switch I can not ping or telnet to the switch IP 10.0.0.4 from my PC.
05-27-2014 05:13 AM
I agree with Marvin that this seems to be an asynchronous routing issue. I do not think adding a static route will help, as connected routes will take precedence over the static route, and you will still have the same asynchronous routing issue.
Try issuing a packet capture on the ASA for both the ingress and egress interfaces. This should clear up whether the return packets are reaching the ASA or not. Post the output here if you require assistance with reading it.
--
Please remember to select a correct answer and rate
05-27-2014 05:49 AM
Hi Marius,
I configured a packet capture on the inside interface.
Here is the output:
ASA1# sh capture capin
4 packets captured
   1: 06:44:46.747169       802.1Q vlan#1 P0 10.0.0.18 > 10.1.0.1: icmp: echo request
   2: 06:44:51.627378       802.1Q vlan#1 P0 10.0.0.18 > 10.1.0.1: icmp: echo request
   3: 06:44:56.635724       802.1Q vlan#1 P0 10.0.0.18 > 10.1.0.1: icmp: echo request
   4: 06:45:01.641995       802.1Q vlan#1 P0 10.0.0.18 > 10.1.0.1: icmp: echo request
After this I also configured a packet capture for the outside interface:
capture capin interface outside match ip host 10.0.0.18 host 10.1.0.1
ASA1# sh capture capin
12 packets captured
   1: 06:44:46.747169       802.1Q vlan#1 P0 10.0.0.18 > 10.1.0.1: icmp: echo request
   2: 06:44:51.627378       802.1Q vlan#1 P0 10.0.0.18 > 10.1.0.1: icmp: echo request
   3: 06:44:56.635724       802.1Q vlan#1 P0 10.0.0.18 > 10.1.0.1: icmp: echo request
   4: 06:45:01.641995       802.1Q vlan#1 P0 10.0.0.18 > 10.1.0.1: icmp: echo request
   5: 06:46:03.760153       802.1Q vlan#1 P0 10.0.0.18 > 10.1.0.1: icmp: echo request
   6: 06:46:03.760489       802.1Q vlan#2 P0 10.0.0.18 > 10.1.0.1: icmp: echo request
   7: 06:46:08.639340       802.1Q vlan#1 P0 10.0.0.18 > 10.1.0.1: icmp: echo request
   8: 06:46:08.639676       802.1Q vlan#2 P0 10.0.0.18 > 10.1.0.1: icmp: echo request
   9: 06:46:13.636380       802.1Q vlan#1 P0 10.0.0.18 > 10.1.0.1: icmp: echo request
  10: 06:46:13.636716       802.1Q vlan#2 P0 10.0.0.18 > 10.1.0.1: icmp: echo request
  11: 06:46:18.627775       802.1Q vlan#1 P0 10.0.0.18 > 10.1.0.1: icmp: echo request
  12: 06:46:18.628126       802.1Q vlan#2 P0 10.0.0.18 > 10.1.0.1: icmp: echo request
What does the above packet capture show?
Regards
Mahesh
05-27-2014 06:09 AM
This confirms Marvin's and my theory that the ASA never sees the return packet from the switch. Then when the PC sends another ICMP packet, the ASA sees that the packet is out of order and drops it as a spoofed packet.
You could configure the ASA for TCP bypass, but it is not a recommended solution and if you do not have a direct requirement to be able to ping or reach the loopback you should not implement it.
http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/conns_tcpstatebypass.html
--
Please remember to select a correct answer and rate
05-27-2014 07:58 AM
Hi Marius,
I am trying to understand the packet flow from PC to switch loopback.
It seems, as per the logs, that the ASA is looking for the switch loopback IP in the outside direction, right?
May 25 2014 18:40:33: %ASA-6-302020: Built outbound ICMP connection for faddr 10.1.0.1/0 gaddr 10.0.0.11/1 laddr 10.0.0.11/1
May 25 2014 18:40:35: %ASA-6-302021: Teardown ICMP connection for faddr 10.1.0.1/0 gaddr 10.0.0.11/1 laddr 10.0.0.11/1
So the ASA is sending the packet in the outside direction instead of inside, right?
As there is no host on the outside connection, is that the reason the ping is not working?
Regards
Mahesh
05-27-2014 10:02 AM
It looks like the issue is that the PC, switch and ASA are in the same network (10.0.0.0/24).
As far as I know, the ASA does not send ICMP redirect messages; you can add a static route on the PC for the network 10.1.0.0 to go directly to the switch instead of the ASA; that will solve the issue for that PC only.
I think the best practice is to create a routing subnet between the switch and ASA:
PC - SWITCH in VLAN1
SWITCH - ASA in a new VLAN used for routing
That means you have to make the switch your default gateway for VLAN1 and change the IP of the inside interface of the ASA + change the routes...
Check this link to understand ICMP redirects:
http://www.cisco.com/c/en/us/support/docs/ip/routing-information-protocol-rip/13714-43.html
Other forum posts discuss the same issue:
https://supportforums.cisco.com/discussion/11229301/icmp-redirect
Patrick
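As an added illustration (not part of the thread), here is a small Python model of the three routing tables posted above. It traces Mahesh's ping in both directions with longest-prefix matching to show why the ASA only ever sees the echo request, and then applies Patrick's PC static route. The device names and the reduction of each table to the prefixes that matter are my assumptions.

```python
import ipaddress

# Constructed model of this thread's topology. The tables are reduced from the
# "sh ip route", "sh run route" and "route print" outputs above to the entries
# relevant for a ping from the PC (10.0.0.14) to the switch Loopback0 (10.1.0.1).
# "connected" means the device delivers directly on the shared VLAN1.
OWNER = {"10.0.0.14": "PC", "10.0.0.4": "SWITCH",
         "10.1.0.1": "SWITCH", "10.0.0.1": "ASA"}

TABLES = {
    "PC":     {"10.0.0.0/24": "connected", "0.0.0.0/0": "10.0.0.1"},
    "SWITCH": {"10.0.0.0/24": "connected", "10.1.0.0/24": "connected",
               "0.0.0.0/0": "10.0.0.1"},
    "ASA":    {"10.0.0.0/24": "connected", "10.1.0.0/16": "10.0.0.4"},
}

def lookup(table, dst):
    """Longest-prefix match, the way IOS and the ASA select a route."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in table.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return None if best is None else best[1]

def trace(src, dst, tables=TABLES, max_hops=8):
    """List the devices a packet visits from src until the owner of dst."""
    path, dev = [src], src
    for _ in range(max_hops):
        if dev == OWNER.get(dst):
            return path                         # delivered
        next_hop = lookup(tables[dev], dst)
        if next_hop is None:
            return path + ["DROP"]              # no route at all
        dev = OWNER.get(dst) if next_hop == "connected" else OWNER.get(next_hop)
        if dev is None:
            return path + ["DROP"]              # next hop is not in our model
        path.append(dev)
    return path + ["LOOP"]

def firewall_sees_both_directions(fwd, rev, fw="ASA"):
    """A stateful firewall keeps a connection only if it sees both halves."""
    return (fw in fwd) == (fw in rev)

def as_posted():
    """Mahesh's setup: the request hairpins through the ASA, the reply does not."""
    req = trace("PC", "10.1.0.1")
    rep = trace("SWITCH", "10.0.0.14")
    return req, rep, firewall_sees_both_directions(req, rep)

def with_pc_static_route():
    """Patrick's fix: the PC sends 10.1.0.0/24 straight to the switch."""
    tables = {name: dict(tbl) for name, tbl in TABLES.items()}
    tables["PC"]["10.1.0.0/24"] = "10.0.0.4"
    req = trace("PC", "10.1.0.1", tables)
    rep = trace("SWITCH", "10.0.0.14", tables)
    return req, rep, firewall_sees_both_directions(req, rep)

if __name__ == "__main__":
    print("as posted:           ", as_posted())
    print("with PC static route:", with_pc_static_route())
```

The first scenario returns the request path PC > ASA > SWITCH but a reply path SWITCH > PC, which is exactly the one-sided flow the captures above show; with the PC static route neither direction touches the ASA, so its connection table is no longer involved.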
05-28-2014 07:08 AM
Hi Patrick,
When I assigned the static route to the PC as you said, the ping worked fine.
Can you explain to me how the traffic flows from the PC to the switch?
Learned something new today. Will read about ICMP redirects and will have a better understanding then.
Best Regards
Mahesh