
BGP ROUTING: Troubleshooting lost network packets.


Hi all,

I am currently trying to sort out (with my ISP) whether or not a particular BGP service is configured (using two ASA5506X) correctly. Currently the following is configured:


Currently, from the address I can ping:


From the address I can ping:


I can't ping between the two local networks (eg to On ASA interface for I can see outbound packets to and but no inbound ones. So I reason there are two possibilities:

  • My interface for is dropping packets for any address outside the network
  • The provider has an error in their routing.

So far I have tried:

  • Ensuring there are no ACLs preventing traffic
  • Ensuring there are no NAT rules applying to the interface
  • Using Packet Tracer to see if the ACLs would allow communication in theory.
  • Ensuring ICMP is allowed in the default service class inspection.
  • Ensuring that the config on both devices is identical.
  • Ensuring the routing tables are correct and transferred.
  • Implemented suggestions from my previous thread

Is there a way for me to tell if the packets arriving at are being dropped? Should they be viewable using Packet Capture? Is there another method for seeing if those packets are being dropped? This would be helpful either way, as if I can determine the packets are in fact being dropped I can show that to the provider as evidence that my end is set up correctly.

Happy to clarify any of these or post configs. 


Jon Marshall
VIP Community Legend


Can you post - 


1) configs of both firewalls


2) routing tables for both firewalls


3) BGP tables for both firewalls


remove any sensitive info from firewall configs before posting. 



Giuseppe Larosa
Hall of Fame Master

Hello @DStringfield ,

in addition to what @Jon Marshall  has asked I would like to add the following:


>> Should they be viewable using Packet Capture?

Yes you can use packet capture on the ASA and you can specify a filter so that only interesting packets are captured


The command syntax from CLI is similar to the following example:

capture VMTEST interface inside match icmp host any


You need to change the interface name to match the one connected to the provider and the host IP address can be 172.16.10.X


You use

show capture VMTEST

to show packets, and to delete a capture you use

no capture VMTEST

Also, the capture name can be chosen.


This can allow you to understand if you are facing a unidirectional forwarding plane in the SP network.


For a working network you would see incoming ICMP echo packets and outgoing echo replies.


Hope to help
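
An added example, not part of the original reply: a small Python parser that reads saved `show capture` text and lists the address pairs where echo requests were seen but no echo reply came back, which is the one-way pattern described above. The capture line layout is an assumption, and the sample lines and addresses are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of `show capture` text. Addresses are placeholders,
# not values from the thread. Assumed line layout:
#   <n>: <time> <src> > <dst>: icmp: echo request|echo reply
SAMPLE = """\
4 packets captured
   1: 09:14:02.101201       172.16.10.1 > 172.16.20.1: icmp: echo request
   2: 09:14:03.101377       172.16.10.1 > 172.16.20.1: icmp: echo request
   3: 09:14:04.250112       172.16.10.1 > 172.16.10.254: icmp: echo request
   4: 09:14:04.251980       172.16.10.254 > 172.16.10.1: icmp: echo reply
4 packets shown
"""

LINE = re.compile(
    r"^\s*\d+:\s+\S+\s+(?P<src>\d+(?:\.\d+){3})\s+>\s+"
    r"(?P<dst>\d+(?:\.\d+){3}):\s+icmp:\s+echo\s+(?P<kind>request|reply)"
)

def summarize(text):
    """Count echo requests and replies per (requester, responder) pair."""
    flows = defaultdict(lambda: {"request": 0, "reply": 0})
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # header, footer and non-ICMP lines are skipped
        if m["kind"] == "request":
            key = (m["src"], m["dst"])
        else:
            key = (m["dst"], m["src"])  # a reply counts for the reversed pair
        flows[key][m["kind"]] += 1
    return dict(flows)

def one_way(text):
    """Return pairs where requests were captured but no reply was."""
    return sorted(pair for pair, c in summarize(text).items()
                  if c["request"] > 0 and c["reply"] == 0)

if __name__ == "__main__":
    for (src, dst), c in sorted(summarize(SAMPLE).items()):
        print(f"{src} -> {dst}: {c['request']} requests, {c['reply']} replies")
    print("one-way pairs:", one_way(SAMPLE))
```
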



paul driver
VIP Expert

By default icmp inspection is denied on ASA, so have you tried allowing this?
policy-map global_policy
 class inspection_default
  inspect icmp


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards


Hi all,


Super frustratingly, it ended up being a provider error that took a month to resolve. I really appreciate everyone's help and I learnt a lot during the process, if that's at all a reward.




Hello @DStringfield ,

nice to know that you have solved your issue and yes also service providers can make errors.


Best Regards


