Solved

Duplicate Pings since router installed

Posted on 2008-10-26
Last Modified: 2013-11-29
Here is my network diagram:

4 local subnets --------> internal router (no NAT, no dynamic routing, very basic fw rule-set) --------------> Cisco Adaptive Security Appliance (dynamic NAT for internet access, static NAT mappings, two active interfaces, one WAN, one LAN).

My routing scheme is extremely simple internally, since no NAT is required internally.  The internal router basically just routes traffic between subnets internally (4 different buildings linked via Telephone company fiber) and anything destined for outside gets handed off to the Cisco firewall.  The firewall has the dynamic NAT rule, and the static mappings configured as well as two routes, one default to our ISP and one that tells it how to get to the internal subnets.

My problem is this: ever since the internal router was installed, I am getting duplicate pings whenever I ping from any Linux/Unix host inside the network (I am probably getting dupes from the MS hosts as well, but I am told that Windows suppresses dupes by default). My Cisco config is pasted below with public IPs masked.


ASA Version 7.0(8)
!
names
dns-guard
!
interface Ethernet0/0
 description ISP interface
 nameif WAN
 security-level 0
 ip address xxx.xxx.243.243 255.255.255.0
!
interface Ethernet0/1
 description LAN interface
 nameif LAN
 security-level 100
 ip address 172.16.200.2 255.255.255.252
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring 1 Sun Apr 2:00 last Sun Oct 2:00
object-group service shs1 tcp
 port-object range 510 510
access-list WAN_access_in extended permit icmp any any unreachable
access-list WAN_access_in extended permit icmp any any echo-reply
access-list WAN_access_in extended permit icmp any any time-exceeded
access-list WAN_access_in extended permit icmp any host xxx.xxx.243.252
access-list WAN_access_in extended permit tcp any host xxx.xxx.243.253 eq www
access-list WAN_access_in extended permit tcp any host xxx.xxx.243.253 eq 510
access-list WAN_access_in extended permit tcp any host xxx.xxx.243.253 eq pop3
access-list WAN_access_in extended permit icmp any host xxx.xxx.243.252 echo-reply
access-list WAN_access_in extended permit tcp any host xxx.xxx.243.253 eq domain
access-list WAN_access_in extended permit tcp any host xxx.xxx.243.252 eq domain
access-list WAN_access_in extended permit udp any host xxx.xxx.243.252 eq domain
access-list WAN_access_in extended permit icmp any host xxx.xxx.243.251 echo
access-list WAN_access_in extended permit icmp any host xxx.xxx.243.251 echo-reply
access-list WAN_access_in extended permit udp any host xxx.xxx.243.253 eq domain
access-list WAN_access_in extended permit tcp any host xxx.xxx.243.251 eq www
access-list WAN_access_in extended permit tcp any host xxx.xxx.243.251 eq 9513
access-list WAN_access_in extended permit tcp any host xxx.xxx.243.249 eq 5017
access-list WAN_access_in extended permit tcp any host xxx.xxx.243.249 eq 5018
access-list WAN_access_in extended permit tcp any host xxx.xxx.243.249 eq www
access-list WAN_access_in extended permit tcp any host xxx.xxx.243.249 eq ftp
access-list WAN_access_in extended permit tcp any host xxx.xxx.243.249 eq ftp
access-list WAN_access_in extended permit tcp any host xxx.xxx.243.254 eq www
access-list WAN_access_in extended permit icmp any host xxx.xxx.243.249 echo
access-list WAN_access_in extended permit icmp any host xxx.xxx.243.249 echo-reply
access-list WAN_access_in extended permit icmp any host xxx.xxx.243.254 echo-reply
access-list WAN_access_in extended permit tcp any host xxx.xxx.243.254 eq 8080
access-list WAN_access_in extended permit tcp any host xxx.xxx.243.254 eq 407
access-list WAN_access_in extended permit tcp host 170.222.32.141 host xxx.xxx.243.249 eq 5017
access-list WAN_access_in extended permit tcp host 170.222.32.141 host xxx.xxx.243.249 eq 5018
access-list WAN_access_in extended permit tcp host 170.222.32.141 host xxx.xxx.243.249 eq www
access-list WAN_access_in extended permit tcp host 170.222.32.141 host xxx.xxx.243.249 eq ftp
access-list WAN_access_in extended permit tcp host 170.222.32.141 host xxx.xxx.243.249 eq 5021
access-list WAN_access_in extended permit tcp host 159.105.164.52 host xxx.xxx.243.249 eq 5017
access-list WAN_access_in extended permit tcp host 159.105.164.52 host xxx.xxx.243.249 eq 5018
access-list WAN_access_in extended permit tcp host 159.105.164.52 host xxx.xxx.243.249 eq www
access-list WAN_access_in extended permit tcp host 159.105.164.52 host xxx.xxx.243.249 eq ftp
access-list WAN_access_in extended permit tcp any host xxx.xxx.243.254 eq 5071
access-list WAN_access_in extended permit tcp any host xxx.xxx.243.243 eq www
access-list WAN_access_in extended permit tcp any host xxx.xxx.243.243 eq echo
access-list WAN_access_in extended permit icmp any host xxx.xxx.243.243 echo-reply
access-list WAN_access_in extended permit icmp any host xxx.xxx.243.243 echo
access-list WAN_access_in extended permit tcp any host xxx.xxx.243.243 eq 8080
access-list WAN_access_in extended permit tcp any host xxx.xxx.243.243 eq 407
access-list WAN_access_in extended permit tcp any host xxx.xxx.243.247 eq www
access-list WAN_access_in extended permit tcp any host xxx.xxx.243.247 eq 8080
access-list WAN_access_in extended permit tcp any host xxx.xxx.243.247 eq 407
access-list WAN_access_in extended permit tcp any host xxx.xxx.243.247 eq 5071
access-list WAN_access_in extended permit icmp any host xxx.xxx.243.247 echo
access-list WAN_access_in extended permit icmp any host xxx.xxx.243.247 echo-reply
access-list WAN_access_in extended permit tcp 216.234.108.0 255.255.255.0 any eq smtp
access-list WAN_access_in extended permit tcp any host xxx.xxx.243.254 eq 7880
access-list WAN_access_in extended permit tcp any host xxx.xxx.243.248 eq www
access-list WAN_access_in extended permit tcp any host xxx.xxx.243.248 eq https
access-list WAN_access_in extended permit tcp any host xxx.xxx.243.248 eq 3389
access-list WAN_access_in extended permit tcp any host xxx.xxx.243.247 eq 7880
access-list WAN_access_in extended permit tcp host xxx.xxx.109.202 host xxx.xxx.243.250 eq 55887
access-list WAN_access_in extended permit tcp host xxx.xxx.109.23 host xxx.xxx.243.250 eq 55887
access-list WAN_access_in extended permit tcp any host xxx.xxx.243.250 eq 55887
access-list WAN_access_in extended permit tcp any host xxx.xxx.243.247 eq 11222
access-list WAN_access_in extended permit tcp any host xxx.xxx.243.254 eq 11222
access-list WAN_access_in extended permit tcp any host xxx.xxx.243.254 eq 5000
access-list WAN_access_in extended permit tcp any host xxx.xxx.243.247 eq 5000
access-list WAN_access_in extended permit tcp host xxx.xxx.97.87 any eq smtp
access-list WAN_access_in extended permit tcp any host xxx.xxx.99.165 eq www
access-list WAN_access_in extended permit tcp any host xxx.xxx.99.165 eq citrix-ica
access-list WAN_access_in extended permit tcp any host xxx.xxx.99.165 eq 3389
access-list WAN_access_in extended permit tcp any host xxx.xxx.99.165 eq https
access-list WAN_access_in extended permit tcp any host xxx.xxx.99.165 eq 444
access-list WAN_access_in extended permit tcp any host xxx.xxx.99.166 eq 3389
access-list WAN_access_in extended permit tcp any host xxx.xxx.99.166 eq citrix-ica
access-list WAN_access_in extended permit tcp any host xxx.xxx.99.166 eq www
access-list WAN_access_in extended permit tcp any host xxx.xxx.99.166 eq https
access-list WAN_access_in extended permit tcp any host xxx.xxx.243.250 eq 5001
access-list WAN_access_in extended deny ip any any inactive
access-list LAN_access_in extended permit tcp any any
access-list LAN_access_in extended permit udp any any
access-list LAN_access_in extended permit icmp any any
access-list LAN_access_in extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu WAN 1500
mtu LAN 1500
mtu management 1500
no failover
icmp permit any WAN
icmp permit any LAN
asdm image disk0:/asdm-508.bin
no asdm history enable
arp timeout 14400
global (WAN) 1 xxx.xxx.243.244
nat (LAN) 1 0.0.0.0 0.0.0.0
static (LAN,WAN) xxx.xxx.243.246 192.168.10.4 netmask 255.255.255.255
static (LAN,WAN) xxx.xxx.243.247 192.168.10.5 netmask 255.255.255.255
static (LAN,WAN) xxx.xxx.243.248 192.168.10.6 netmask 255.255.255.255
static (LAN,WAN) xxx.xxx.243.249 192.168.10.7 netmask 255.255.255.255
static (LAN,WAN) xxx.xxx.243.250 192.168.10.8 netmask 255.255.255.255
static (LAN,WAN) xxx.xxx.243.251 192.168.10.9 netmask 255.255.255.255
static (LAN,WAN) xxx.xxx.243.252 192.168.10.10 netmask 255.255.255.255
static (LAN,WAN) xxx.xxx.243.253 192.168.10.11 netmask 255.255.255.255
static (LAN,WAN) xxx.xxx.243.254 192.168.10.12 netmask 255.255.255.255
static (LAN,WAN) xxx.xxx.99.162 192.168.10.247 netmask 255.255.255.255
static (LAN,WAN) xxx.xxx.99.163 192.168.10.248 netmask 255.255.255.255
static (LAN,WAN) xxx.xxx.99.164 192.168.10.249 netmask 255.255.255.255
static (LAN,WAN) xxx.xxx.99.165 192.168.10.250 netmask 255.255.255.255
static (LAN,WAN) xxx.xxx.99.166 192.168.11.2 netmask 255.255.255.255
static (LAN,WAN) xxx.xxx.243.245 192.168.10.3 netmask 255.255.255.255
access-group WAN_access_in in interface WAN
access-group LAN_access_in in interface LAN
route WAN 0.0.0.0 0.0.0.0 xxx.xxx.243.1 1
route LAN 192.168.0.0 255.255.0.0 172.16.200.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
username apc11 password Eq3QGLY encrypted privilege 15
username spring password gQ8AG6 encrypted privilege 15
aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authorization command LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 192.168.1.0 255.255.255.0 management
telnet timeout 5
ssh xxx.xxx.219.253 255.255.255.255 WAN
ssh 192.168.11.248 255.255.255.248 LAN
ssh 172.16.200.1 255.255.255.255 LAN
ssh 192.168.1.0 255.255.255.0 management
ssh timeout 5
console timeout 0
management-access management
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable management
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect pptp
  inspect dns
  inspect http
!
service-policy global_policy global
privilege cmd level 3 mode exec command perfmon
privilege cmd level 3 mode exec command ping
privilege cmd level 3 mode exec command who
privilege cmd level 3 mode exec command logging
privilege cmd level 3 mode exec command failover
privilege cmd level 3 mode exec command vpn-sessiondb
privilege show level 5 mode exec command running-config
privilege show level 3 mode exec command reload
privilege show level 3 mode exec command mode
privilege show level 3 mode exec command firewall
privilege show level 3 mode exec command interface
privilege show level 3 mode exec command clock
privilege show level 3 mode exec command dns-hosts
privilege show level 3 mode exec command access-list
privilege show level 3 mode exec command logging
privilege show level 3 mode exec command ip
privilege show level 3 mode exec command failover
privilege show level 3 mode exec command asdm
privilege show level 3 mode exec command arp
privilege show level 3 mode exec command route
privilege show level 3 mode exec command ospf
privilege show level 3 mode exec command aaa-server
privilege show level 3 mode exec command aaa
privilege show level 3 mode exec command crypto
privilege show level 3 mode exec command vpn-sessiondb
privilege show level 3 mode exec command ssh
privilege show level 3 mode exec command dhcpd
privilege show level 3 mode exec command vpn
privilege show level 3 mode exec command blocks
privilege show level 3 mode exec command uauth
privilege show level 3 mode configure command interface
privilege show level 3 mode configure command clock
privilege show level 3 mode configure command access-list
privilege show level 3 mode configure command logging
privilege show level 3 mode configure command ip
privilege show level 3 mode configure command failover
privilege show level 5 mode configure command asdm
privilege show level 3 mode configure command arp
privilege show level 3 mode configure command route
privilege show level 3 mode configure command aaa-server
privilege show level 3 mode configure command aaa
privilege show level 3 mode configure command crypto
privilege show level 3 mode configure command vpn-sessiondb
privilege show level 3 mode configure command ssh
privilege show level 3 mode configure command dhcpd
privilege show level 5 mode configure command privilege
privilege clear level 3 mode exec command dns-hosts
privilege clear level 3 mode exec command logging
privilege clear level 3 mode exec command arp
privilege clear level 3 mode exec command aaa-server
privilege clear level 3 mode exec command crypto
privilege cmd level 3 mode configure command failover
privilege clear level 3 mode configure command logging
privilege clear level 3 mode configure command arp
privilege clear level 3 mode configure command crypto
privilege clear level 3 mode configure command aaa-server
Cryptochecksum:52c64a67a17f586675534ae478103d02
: end


I've been scratching my head on this one for a while. I am about to start turning to hardware fixes (maybe a bad port on the internal router?). The internal router is a Mikrotik-based powerouter. The only config on that router is literally the default route pointing to the Cisco firewall, and there are a couple of firewall INPUT rules to prevent unauthorized access to the Mikrotik itself and to prevent unauthorized internal access to the Cisco. Other than that it is a blank configuration.

Any help will be appreciated.

Thank you,

Craig
Question by:CraigRuss
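The WAN_access_in list in the config above is what decides which of the statically NATed hosts the internet can reach, so it is worth reading it the way a reviewer would: per public address, which services are open to any source, and which internal host each maps to through the static (LAN,WAN) lines. The script below is an added example written for this page; it is not part of the original question and not a Cisco tool. It parses an excerpt of the posted config (masked addresses kept exactly as posted), joins the ACL to the static NAT table, and flags a short list of admin ports (3389, ssh, telnet) that is my own choice of what deserves a second look when opened to any source. Two facts from the config that the parser makes visible: the trailing `deny ip any any inactive` line does nothing because it is inactive, so unmatched WAN traffic is dropped by the interface ACL's implicit deny, and LAN_access_in is `permit ip any any`, so nothing outbound is filtered.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Excerpt of the posted ASA 7.0 config, used here as sample input (addresses masked as on the page).
SAMPLE_CONFIG = """
access-list WAN_access_in extended permit icmp any any echo-reply
access-list WAN_access_in extended permit tcp any host xxx.xxx.243.249 eq 5017
access-list WAN_access_in extended permit tcp any host xxx.xxx.243.249 eq www
access-list WAN_access_in extended permit tcp host 170.222.32.141 host xxx.xxx.243.249 eq ftp
access-list WAN_access_in extended permit tcp any host xxx.xxx.243.248 eq 3389
access-list WAN_access_in extended permit udp any host xxx.xxx.243.252 eq domain
access-list WAN_access_in extended permit tcp 216.234.108.0 255.255.255.0 any eq smtp
access-list WAN_access_in extended deny ip any any inactive
access-list LAN_access_in extended permit ip any any
static (LAN,WAN) xxx.xxx.243.248 192.168.10.6 netmask 255.255.255.255
static (LAN,WAN) xxx.xxx.243.249 192.168.10.7 netmask 255.255.255.255
static (LAN,WAN) xxx.xxx.243.252 192.168.10.10 netmask 255.255.255.255
""".strip().splitlines()

# Assumption (my choice, not from the page): admin services worth flagging when reachable from any source.
REVIEW_PORTS = {"3389": "RDP", "22": "SSH", "ssh": "SSH", "23": "telnet", "telnet": "telnet"}


@dataclass(frozen=True)
class Rule:
    acl: str
    action: str     # permit / deny
    proto: str      # ip / tcp / udp / icmp
    src: str        # "any", "host A.B.C.D" or "NET/MASK"
    dst: str
    service: str    # "eq 5017", "echo-reply", or "" when the rule names no service
    inactive: bool


def _take_addr(tokens):
    """Consume one ASA address spec (any | host X | NET MASK) from the front of tokens."""
    if not tokens:
        return "", []
    if tokens[0] == "any":
        return "any", tokens[1:]
    if tokens[0] == "host":
        return f"host {tokens[1]}", tokens[2:]
    return f"{tokens[0]}/{tokens[1]}", tokens[2:]


def parse_acl(lines):
    """Parse 'access-list NAME extended ACTION PROTO SRC DST [service] [inactive]' lines."""
    rules = []
    for line in lines:
        t = line.split()
        if len(t) < 6 or t[0] != "access-list" or t[2] != "extended":
            continue
        acl, action, proto, rest = t[1], t[3], t[4], t[5:]
        inactive = bool(rest) and rest[-1] == "inactive"
        if inactive:
            rest = rest[:-1]
        src, rest = _take_addr(rest)
        dst, rest = _take_addr(rest)
        rules.append(Rule(acl, action, proto, src, dst, " ".join(rest), inactive))
    return rules


def parse_statics(lines):
    """'static (IN,OUT) PUBLIC PRIVATE netmask ...' -> {PUBLIC: PRIVATE}."""
    out = {}
    for line in lines:
        m = re.match(r"^static \(\w+,\w+\) (\S+) (\S+) netmask", line.strip())
        if m:
            out[m[1]] = m[2]
    return out


def internet_exposure(rules, statics, acl="WAN_access_in"):
    """Per destination host: services an active permit opens to ANY source, labelled with the NAT'd internal host."""
    exposed = defaultdict(set)
    for r in rules:
        if (r.acl == acl and r.action == "permit" and r.src == "any"
                and not r.inactive and r.dst.startswith("host ")):
            public = r.dst.split()[1]
            label = f"{public} -> {statics[public]}" if public in statics else public
            exposed[label].add(f"{r.proto}/{r.service.replace('eq ', '') or '*'}")
    return {k: sorted(v) for k, v in exposed.items()}


def admin_open_to_any(rules):
    """Active permits from any source to a port in REVIEW_PORTS."""
    return [r for r in rules
            if r.action == "permit" and r.src == "any" and not r.inactive
            and r.service.replace("eq ", "") in REVIEW_PORTS]


if __name__ == "__main__":
    rules = parse_acl(SAMPLE_CONFIG)
    for host, services in internet_exposure(rules, parse_statics(SAMPLE_CONFIG)).items():
        print(host, ", ".join(services))
    for r in admin_open_to_any(rules):
        print("review:", r.dst, REVIEW_PORTS[r.service.replace("eq ", "")], "open to any")
```

Run against the full posted config the same way (read the lines from a file instead of SAMPLE_CONFIG); the only thing the sample lacks is object-group references, which this ACL does not use in its access-list lines.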
11 Comments
 
LVL 2

Expert Comment

by:JimmyLarsson
You should definitely start by upgrading your ASA to a newer 7.x version. The 7.0x versions were very unstable.

Br Jimmy
 

Author Comment

by:CraigRuss
I will certainly do that ASAP; however, I don't think that is the issue, because the previous Cisco appliance (a PIX, which was just replaced because of a hardware problem) exhibited similar behaviour, so I am fairly certain the problem lies in the interaction between the router and the Cisco appliance. I am starting to think that it is some kind of problem with the physical port on the internal router, but I was kind of hoping that there was a configuration fix, because this equipment is a hike for me to get to.
 
LVL 12

Expert Comment

by:hfraser
Try doing the ping, then check the ARP cache to see the MAC addresses that have responded. I'd suggest trying to ping a node on the same subnet and one on a routed subnet. It sounds like the router may be doing proxy ARP, but it shouldn't result in duplicates.
 

Author Comment

by:CraigRuss
I'm sorry, I wasn't clear in the original question. The only pings that are coming back duplicated are pings that go off my internal networks. For instance, a ping from 192.168.10.16/23 to 192.168.2.10/23 does not get duplicated, but a ping from 192.168.10.16/23 to, say, yahoo.com comes back duped; so it is only pings that are leaving my network and traversing the Cisco that are duped.
 
LVL 12

Expert Comment

by:hfraser
Try the ping and arp combination to see who's responding. If it's from internal, it will be either a node on your subnet or the router's interface on your subnet. If it's the Cisco appliance, it will be its MAC.

At the very least, that will identify whether a machine on your LAN is responding somehow. If it's coming from your internal router, you'll have to query its tables to find out who's connected where. An snmpwalk will do this if there are a lot of machines, or a simple walkaround if not.
 

Author Comment

by:CraigRuss
I've attached a basic diagram of the network layout.  The firewall rules on the internal router are as follows:
Allow input to internal router from 192.168.11.248/255.255.255.248
Allow forward to cisco from 192.168.11.248/255.255.255.248
Allow forward anywhere else from anywhere else (i.e., local network traffic is allowed to move freely; local traffic destined for off the local network is controlled purely by the Cisco)

Routing on the internal router is static; all of the directly attached networks are default and traffic flows internally fine; there is one static route, as follows: 0.0.0.0/0 172.16.200.2.

Pings from any of the internal LANs to any other internal LAN: no problem. Pings from an internal LAN to anywhere else get duped. Pings from the router interface directly to the Cisco also get duped. I've narrowed it down to an interaction between the internal router and the Cisco, but for the life of me I can't figure out what is causing it. Could this be a hardware port issue?

Hope this additional info jogs something in someone's head somewhere.

Thanks again.

Craig
Attachment: client.jpg (network diagram)
 
LVL 2

Expert Comment

by:JimmyLarsson
What do you mean by duplicate pings? Can you post some output or screen dump? Exactly what happens?

Br Jimmy
 
LVL 12

Accepted Solution

by:hfraser (earned 500 total points)
It sounds like you've isolated it to an issue with the Cisco firewall, assuming your ping from the router is actually being routed to the Cisco firewall. I'm at a loss to explain this, so my next step would be to put a sniffer inside the firewall and outside the firewall, and watch pings to see what's happening. There are lots of tools to do this (Wireshark is among the best) if you don't have anything available.
 

Author Comment

by:CraigRuss
When I say duplicate pings, I mean I send 4 packets out and I get back 8. So the output comes back and says 4 packets sent, 8 packets received, 100% gain.

As far as a packet sniffer goes, yes, I'm going to try that; unfortunately, this client is FAR from where I am, so I'm kind of in a position of having to rely on them for any physical work on site, i.e., plugging packet-sniffing machine(s) into the internal and external nets.
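hfraser's accepted suggestion (capture on both sides of the ASA and watch the pings) and Craig's 4-sent/8-received symptom turn into a mechanical check once both captures are on disk: a reply that is already doubled on the WAN-side capture came from upstream, a reply that is single on the WAN side but doubled on the LAN side was duplicated by the firewall, and doubled requests point at the sender path rather than the return path. The script below is an added example for this page, not from the original thread and not a vendor tool. It reads `tcpdump -n -tt icmp` style lines (the regex is written for that output format and is an assumption; adjust it to your tcpdump), counts echo requests and replies per (id, seq) in each capture independently, and returns which segment doubled the traffic. The two captures are constructed sample data: 192.168.10.16 is the LAN host from the thread, 203.0.113.244 stands in for the masked dynamic-NAT address, and 198.51.100.10 for the ping target.

```python
import re
from collections import Counter

# One packet per line as printed by `tcpdump -n -tt icmp` (assumed format, e.g.
# "1225022400.000000 IP 192.168.10.16 > 198.51.100.10: ICMP echo request, id 4711, seq 1, length 64").
ICMP_LINE = re.compile(
    r"^(?P<ts>\d+\.\d+) IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): "
    r"ICMP echo (?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+)"
)


def parse_icmp(lines):
    """Keep only echo requests/replies; return one (kind, id, seq) tuple per packet."""
    pkts = []
    for line in lines:
        m = ICMP_LINE.match(line.strip())
        if m:
            pkts.append((m["kind"], int(m["id"]), int(m["seq"])))
    return pkts


def duplicates(pkts, kind):
    """(id, seq) pairs of the given kind that appear more than once in one capture."""
    counts = Counter((i, s) for k, i, s in pkts if k == kind)
    return sorted(key for key, n in counts.items() if n > 1)


def summarize(lines):
    pkts = parse_icmp(lines)
    return {
        "requests": sum(1 for k, _, _ in pkts if k == "request"),
        "replies": sum(1 for k, _, _ in pkts if k == "reply"),
        "dup_requests": duplicates(pkts, "request"),
        "dup_replies": duplicates(pkts, "reply"),
    }


def locate(inside_lines, outside_lines):
    """Compare the LAN-side and WAN-side captures of one ping run and name the segment that doubles packets.
    Returns one of: sender, firewall-egress, upstream, firewall-ingress, none."""
    i, o = summarize(inside_lines), summarize(outside_lines)
    if i["dup_requests"]:
        return "sender"            # requests already doubled before the ASA: host or internal router
    if o["dup_requests"]:
        return "firewall-egress"   # one request in, two out: the ASA forwarded it twice
    if o["dup_replies"]:
        return "upstream"          # two replies per request arrive from the ISP side
    if i["dup_replies"]:
        return "firewall-ingress"  # one reply in, two delivered to the LAN
    return "none"


def _synthetic_capture(src, dst, ident, seqs, request_copies=1, reply_copies=1):
    """Constructed sample data in tcpdump -tt format (not a real capture)."""
    lines, t = [], 1225022400.0
    for s in seqs:
        for c in range(request_copies):
            lines.append(f"{t + c * 0.0004:.6f} IP {src} > {dst}: ICMP echo request, id {ident}, seq {s}, length 64")
        for c in range(reply_copies):
            lines.append(f"{t + 0.012 + c * 0.0005:.6f} IP {dst} > {src}: ICMP echo reply, id {ident}, seq {s}, length 64")
        t += 1.0
    return lines


# The symptom from the thread, 4 sent and 8 received, reproduced on both sides of the ASA (constructed).
INSIDE_CAPTURE = _synthetic_capture("192.168.10.16", "198.51.100.10", 4711, range(1, 5), reply_copies=2)
OUTSIDE_CAPTURE = _synthetic_capture("203.0.113.244", "198.51.100.10", 4711, range(1, 5), reply_copies=2)

if __name__ == "__main__":
    print("LAN side:", summarize(INSIDE_CAPTURE))
    print("WAN side:", summarize(OUTSIDE_CAPTURE))
    print("verdict:", locate(INSIDE_CAPTURE, OUTSIDE_CAPTURE))
```

The two captures are deliberately not joined on the ICMP identifier across the firewall: with a single address in `global (WAN) 1` the ASA is translating many hosts to one address and may rewrite the identifier, so each side is checked for duplicates on its own and only the verdicts are compared. With the constructed data the verdict is "upstream", which matches how the thread was eventually resolved.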
 
LVL 12

Expert Comment

by:hfraser
While waiting to get a sniffer installed, are you able to do an snmpwalk of the Cisco firewall? It might provide some insight into what the firewall sees. If you can, do a ping first, then do the walk.
 

Author Comment

by:CraigRuss
Ended up being a problem on the ISP side. They resolved it and the problem is closed.
