Unable to Ping VPN ASA Firewall from Backend Server, SNMP Walk Works

Hello,

I'm facing an issue with network connectivity between two firewalls. Here's the setup:

  • Backend Server IP: 10.96.16.245
  • Backend Firewall (Cisco ASA): The default gateway for 10.96.16.1
  • VPN Firewall (Trust IP): 10.96.18.240

Problem:

  • From the Backend Server (10.96.16.245), I am unable to ping the VPN Firewall (10.96.18.240), though SNMP walk commands successfully reach the firewall.
  • When capturing packets on the VPN Firewall, I can see both ICMP Echo Request and ICMP Echo Reply packets being exchanged.
  • However, when I perform a capture on the Backend Firewall (Cisco ASA), only the ICMP Echo Request is visible, and the ICMP Echo Reply does not appear.

Troubleshooting Steps Taken:

  1. SNMP Walk: Works fine between the server and VPN firewall, indicating basic connectivity is not the issue.
  2. ICMP Capture on VPN Firewall: Shows both ICMP request and reply, suggesting the VPN firewall is responding properly.
  3. ICMP Capture on Backend Firewall (Cisco ASA): Shows only the request packets, no reply packets, suggesting the reply may be blocked or not being routed properly by the backend firewall.

Things I’ve Considered:

  • ACLs / Firewall Rules: There might be specific rules blocking ICMP replies. I’ve verified that no such rules are configured, but I will revisit them to confirm.
  • Routing: The routing on both firewalls should be configured correctly, but I’m considering possible misconfigurations or asymmetric routing.
  • NAT / Inspection Issues: There could be a NAT or stateful inspection issue preventing the return ICMP packets from being properly routed or allowed by the backend firewall.

Has anyone encountered this kind of issue before? Any suggestions on things I might have missed or additional logs or captures I should review?
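The symptom above (echo reply visible on the VPN firewall, absent on the backend ASA) is easiest to pin down by reconciling the two captures packet by packet. The following is an added example, not code from the poster or from Cisco: it parses tcpdump-style ICMP lines from both captures, matches request and reply by ICMP id/seq, and lists the replies that left the far firewall but never arrived at the near one. The capture text is constructed to mirror the post; real captures would come from `capture` on the ASA or tcpdump on an intermediate device.

```python
import re
from collections import Counter

# Constructed sample captures (tcpdump-style text), not output from the poster's
# devices: the VPN ASA sees request and reply, the backend ASA sees only the request.
VPN_ASA_CAPTURE = """\
10:00:01.001 IP 10.96.16.245 > 10.96.18.240: ICMP echo request, id 1234, seq 1, length 64
10:00:01.002 IP 10.96.18.240 > 10.96.16.245: ICMP echo reply, id 1234, seq 1, length 64
10:00:02.001 IP 10.96.16.245 > 10.96.18.240: ICMP echo request, id 1234, seq 2, length 64
10:00:02.002 IP 10.96.18.240 > 10.96.16.245: ICMP echo reply, id 1234, seq 2, length 64
"""
BE_ASA_CAPTURE = """\
10:00:01.000 IP 10.96.16.245 > 10.96.18.240: ICMP echo request, id 1234, seq 1, length 64
10:00:02.000 IP 10.96.16.245 > 10.96.18.240: ICMP echo request, id 1234, seq 2, length 64
"""

LINE_RE = re.compile(
    r"IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): ICMP echo (?P<kind>request|reply), "
    r"id (?P<id>\d+), seq (?P<seq>\d+)"
)

def parse_icmp(capture):
    """Return {(id, seq): Counter(request=n, reply=n)} for echo packets in a capture."""
    seen = {}
    for line in capture.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # non-echo traffic (SNMP, ARP, ...) is ignored
        key = (int(m["id"]), int(m["seq"]))
        seen.setdefault(key, Counter())[m["kind"]] += 1
    return seen

def lost_replies(near_end, far_end):
    """(id, seq) pairs whose reply was captured at far_end but never at near_end.

    near_end: capture on the firewall in front of the pinging host (backend ASA)
    far_end:  capture on the firewall being pinged (VPN ASA)
    A non-empty result means the reply was generated but dropped on the return
    path: routing, NAT or an ACL on an intermediate hop or on near_end itself.
    """
    near, far = parse_icmp(near_end), parse_icmp(far_end)
    return sorted(key for key, kinds in far.items()
                  if kinds["reply"] and not near.get(key, Counter())["reply"])

if __name__ == "__main__":
    for icmp_id, seq in lost_replies(BE_ASA_CAPTURE, VPN_ASA_CAPTURE):
        print(f"reply id={icmp_id} seq={seq} left the VPN ASA but never reached the backend ASA")
```

If the same reconciliation against a capture taken on the device between the two ASAs also shows the reply, the drop is on the backend ASA itself (ACL or inspection); if that capture lacks it, the loss is upstream.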


Mark Ftc
Level 1

After reviewing the configurations I didn't see anything ASA-related that should prevent this ICMP ping flow.

I would next verify the route path between these two ASAs.

The BE-ASA routes traffic destined to 10.96.18.240 to 10.96.116.1.  Since you are seeing the ICMP requests on the VPN-ASA I am fairly confident routes are right in that direction.

The VPN-ASA routes traffic destined to 10.96.16.245 to 10.96.18.254.  Since you are not seeing any ICMP replies on the ASA-BE from the ASA-VPN, I would suspect those ICMP packets are being lost somewhere en route.  The cause could be NAT/ACL/Routing, it just depends on the configurations set on networking devices on and between the 10.96.116.1 and 10.96.18.254 gateways (primarily in the ASA-VPN to ASA-BE direction).

Could you share the route tables for 10.96.116.1 and 10.96.18.254?

Also, I sent you a direct message - please take a look at that when you have a chance!

What is between the VPN ASA and BE ASA? Would it be possible to perform a capture or tcpdump on whatever is in between to verify further whether the ICMP packet is exiting the interface towards the BE ASA?

--
Please remember to select a correct answer and rate helpful posts

Can you run the capture on the untrust_v116 interfaces of the ASA xtv-VF-ASA5555X-BEFW to see whether the ICMP replies are reaching the interfaces?

If you see the ICMP reply on the interfaces, check the ACL untrust_v116_access_in regarding the ICMP response from the source 10.96.18.240 to the server.

If you do not see the response on the ASA interface, you must validate the intermediate devices and the routing at the ASA level.
On xtv-vf-vpn-asa, the route applied in the configuration to reach the destination is the following:

route trust 10.96.16.0 255.255.255.0 10.96.18.254 1
