04-22-2014 08:51 AM - edited 03-04-2019 10:50 PM
Hey folks,
We are converting our offices from MPLS to VPN Site2Site tunnels.
The tunnels are all operating properly, with all traffic going in both directions.
Our issue is with Traceroute between sites.
On MPLS, everything replies during a traceroute. Between the ASA devices, I can get the "internal" one (local to the site) to respond, but not the "external" one (at the far end).
I have added the following according to what I can find on the internet about this issue:
access-list outside_access_in extended permit icmp any any time-exceeded
access-list outside_access_in remark ICMP type 3 for Cisco and Linux
access-list outside_access_in extended permit icmp any any unreachable
access-group outside_access_in in interface outside
then:
policy-map global_policy
class class-default
set connection decrement-ttl
and:
icmp unreachable rate-limit 10 burst-size 5
The issue I end up with is that the remote ASA doesn't show up in the list.
See this trace:
tracert 192.168.26.11
1 <1 ms <1 ms <1 ms mwspcoresw1.mycompany.com [192.168.3.251]
2 <1 ms <1 ms <1 ms router.mycompany.com [192.168.3.253]
3 <1 ms <1 ms <1 ms asa_inside.mycompany.com [172.16.100.2]
4 * * * Request timed out.
5 84 ms 86 ms 83 ms 192.168.26.11
I'm assuming the "Request timed out" hop is the remote-end ASA.
It happens exactly the same way from either site.
Any ideas?
04-23-2014 04:09 AM
Hi Idress,
The problem is the ASA doesn't behave exactly like a router when it comes to traceroute, because it doesn't decrement the ICMP TTL; it therefore doesn't trigger an ICMP time-exceeded.
Under the global policy, you need to enter the following command
class class-default
set connection decrement-ttl
Very best wishes
Mike
04-23-2014 07:36 AM
set connection decrement-ttl is part of my config.
The local ASA responds, just not the remote one.
It happens in both directions, from NJ to remote or remote to NJ. The "local" ASA responds, but not the remote one.
1 1 ms <1 ms <1 ms nj_coresw [192.168.3.251]
2 <1 ms <1 ms <1 ms nj_router [192.168.3.253]
3 <1 ms <1 ms <1 ms nj_asa_inside [172.16.100.2]
4 * * * Request timed out. <-- I assume this is the remote ASA
5 143 ms 139 ms 139 ms 192.168.25.11 <-- this is what I was trying to trace to.
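The following is an added example, not code from the thread or from Cisco: a small Python model of how traceroute discovers hops, used to separate two signatures that look similar in a trace. A forwarding device that does not decrement TTL (the ASA behaviour Mike describes, without "set connection decrement-ttl") never appears at all, and the destination answers one row earlier than expected. A device that does decrement TTL but whose ICMP time-exceeded never gets back to the source shows up as a "* * *" row, with the destination answering on the next row, which is the pattern in the trace posted above. The hop names are copied from that trace; "remote_asa" is a placeholder for the far-end ASA, whose address the post does not show, and the two Hop flags are modelling assumptions rather than ASA configuration.

```python
from dataclasses import dataclass


@dataclass
class Hop:
    """One device on the path. The last Hop in a path is the destination host."""
    name: str
    decrements_ttl: bool = True        # False: forwards without touching TTL (no decrement-ttl)
    reply_reaches_source: bool = True  # False: expires the probe, but its time-exceeded never gets back


def probe(path, ttl):
    """Forward one probe with the given TTL along `path`.

    Returns the name of the device that answers, or None for a timeout ('*').
    Only forwarding devices decrement; the destination answers whatever TTL
    it receives, because the packet is delivered locally rather than forwarded.
    """
    for index, hop in enumerate(path):
        if index == len(path) - 1:
            return hop.name
        if hop.decrements_ttl:
            ttl -= 1
            if ttl == 0:
                return hop.name if hop.reply_reaches_source else None
    return None


def traceroute(path, max_hops=30):
    """Probe with TTL 1, 2, ... until the destination answers; returns [(hop_no, name_or_None)]."""
    trace = []
    for ttl in range(1, max_hops + 1):
        answer = probe(path, ttl)
        trace.append((ttl, answer))
        if answer == path[-1].name:
            break
    return trace


def diagnose(trace, expected_forwarders):
    """Compare an observed trace with the number of forwarding devices known to
    sit on the path (everything except the destination).

    - a '*' row: that device does decrement TTL, but its ICMP time-exceeded is
      not making it back to the source (filtered, rate-limited, or sourced from
      an address with no return path);
    - destination answering earlier than expected, with no '*': some device
      forwarded without decrementing and is simply invisible to traceroute.
    """
    stars = [hop for hop, name in trace if name is None]
    if stars:
        return "silent hop(s) at %s: TTL expired but no time-exceeded reply received" % stars
    if len(trace) - 1 < expected_forwarders:
        return "%d forwarder(s) invisible: destination answered at hop %d" % (
            expected_forwarders - (len(trace) - 1), trace[-1][0])
    return "all forwarders answered"


# Constructed sample: hop names copied from the trace posted in the thread;
# "remote_asa" is a placeholder for the far-end ASA (its address is not shown).
NJ_PATH = [
    Hop("nj_coresw [192.168.3.251]"),
    Hop("nj_router [192.168.3.253]"),
    Hop("nj_asa_inside [172.16.100.2]"),
    Hop("remote_asa", reply_reaches_source=False),
    Hop("192.168.25.11"),
]
# Same path, but modelling the remote ASA without "set connection decrement-ttl".
NJ_PATH_NO_DECREMENT = [*NJ_PATH[:3], Hop("remote_asa", decrements_ttl=False), NJ_PATH[-1]]

if __name__ == "__main__":
    for label, path in (("observed", NJ_PATH), ("no decrement-ttl on remote ASA", NJ_PATH_NO_DECREMENT)):
        trace = traceroute(path)
        print(label)
        for hop_no, name in trace:
            print("  %2d  %s" % (hop_no, name or "* * * Request timed out."))
        print("  ->", diagnose(trace, expected_forwarders=len(path) - 1))
```

Run as-is, the "observed" path reproduces the posted trace (hops 1 to 3, a timed-out hop 4, destination at hop 5) and is classified as a silent hop, while the no-decrement variant shows the destination at hop 4 with no "*" row. In other words, a "*" row is evidence that the far-end device is expiring the probe; what is missing is the return of its time-exceeded message, which is a different thing to chase than the decrement-ttl setting.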