Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
396
Views
5
Helpful
3
Replies

Cisco ASA icmp traffic flow issue for specific sub-interface

netdiver81
Level 1
Level 1

‎04-22-2020 10:07 AM - edited ‎04-22-2020 10:09 AM

Hi,

Trying to troubleshoot an issue in which icmp traffic when originating behind one of the ASA subinterfaces does not go through (or better return) correctly when destination is behind this problematic interface.

 

I originally identified the issue as I was trying to ping from clients behind another sub-interface to this sub-interface clients and I did not get echo replies back even though I added/allowed echo replies back (I see the echo replies counter increase). Other traffic UDP works but this does not require a rule in the opposite direction.

 

What's strange is that when I do a policy trace from behind the problematic interface the destination interface is always identified as the outside interface even though destination address is behind other sub-interfaces on same firewall. It is as if any traffic from behind this problematic interface is forced to the outside interface. (and thus dropped)

 

Any idea why this would happen, all other interfaces seem to be working fine and identifying the destination interface correctly.

 

Thanks

 

Labels:
0 Helpful
3 Replies 3

Richard Burts
Hall of Fame
Hall of Fame

‎04-22-2020 02:21 PM

We do not have much detail to work with and that makes it difficult to give good advice. As a start can you tell us if ping from a device on the inside interface to some destination on the outside interface works?

 

As a next step can you tell us about the inside, outside, and problematic interfaces? What are their security levels? Are there security policies configured for these interfaces and the subnets reached through them?

HTH

Rick
0 Helpful

netdiver81
Level 1
Level 1
In response to Richard Burts

‎04-23-2020 05:55 AM

Hi Rick,

It was a missing route-lookup within a NAT that caused this hence why all traffic was going to outside.

Thanks

Richard Burts
Hall of Fame
Hall of Fame
In response to netdiver81

‎04-23-2020 08:51 AM

Thanks for the update. And for the explanation of the problem. I am always glad when someone posts a problem and then finds the solution to their own problem and shares it with the community. A well deserved +5 for you.

HTH

Rick
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card