• Status: Solved
  • Priority: Medium
  • Security: Public

Unable to ping/telnet Remote Cisco ASA 5510

Hi,

I have an ASA 5510 at a remote site and an ASA 5505 at our end. We were able to ping and monitor the remote location from our end and there were no problems initially. Recently, the ISP at the remote location was changed and we updated the ASA rules and access list with the new public IP. The tunnel is up and working fine, but we are unable to ping or telnet to the remote ASA. We are able to ping the servers, switches and all other devices at the remote location, except for the ASA 5510 at the remote location.

Please help as I'm unable to monitor the ASA with my monitoring tool.

Maverickgoose
1 Solution
 
Ernie Beek (Expert) Commented:
Are you sure nothing else was changed in the config?
Thinking about the command management-access, ssh x.x.x.x inside, etc.
 
MikeKane Commented:
Can you run a DIFF between the old and new configs just to be sure nothing has changed?

At the remote site, do you have access to the ASA logs? If the traffic is dropped, the syslogs should reflect that. (Note: if you have access to internal hosts, you could ssh to one of those and then ssh into the ASA through it.)

 
Maverickgoose (Author) Commented:
Hi MikeKane,

The ASA logs show the ICMP connection establishment and at the same time show the Teardown as well. I'm able to telnet to the ASA from the LAN in the remote location.

Also in the logs, it shows that the ICMP packets have reached the ASA but there is no reply.

Debug ICMP log in Remote ASA
This log shows that packets from the monitoring server are reaching the remote ASA but there is no reply.
Please let me know if you need more information.

 
MikeKane Commented:
Did you run the Diff between the 2 configs?    

Also at the home office, perhaps you only allowed icmp from the original IP and not the new IP?    

On the ASA at the remote site, on the CLI, do a SHOW LOGGING during the attempts and see if any packets are reported dropped.

 
Maverickgoose (Author) Commented:
Hi Mikekane,

The configurations on both sides were double checked and compared. It was found that the old configurations and the new one are the same, and nothing has changed.

At the Home ASA, IPs were changed to new ones and it was allowed to pass through the ASA.

When logging was done at the remote ASA with a continuous ping from the Home end, the following results were obtained, which clearly show the teardown of ICMP connections at the Remote ASA:

May 04 2011 07:31:29 PRL-FW-INT-01 : %ASA-6-302020: Built inbound ICMP connection for faddr 10.254.254.72/512 gaddr 192.168.0.4/0 laddr 192.168.0.4/0

May 04 2011 07:31:31 PRL-FW-INT-01 : %ASA-6-302021: Teardown ICMP connection for faddr 10.254.254.72/512 gaddr 192.168.0.4/0 laddr 192.168.0.4/0


What could be the possible problem, Mikekane?


 
MikeKane Commented:
Do you allow any any for icmp echo?    Does the other ASA show any issues / dropped packets?
 
Maverickgoose (Author) Commented:
Regarding allowing any any ICMP echo that you are mentioning: is that for the outside interface or for the inside interface of the Remote ASA? We were trying to ping the inside interface.

Yes, the packets are being dropped at the Remote ASA.
 
MikeKane Commented:
If this is what you see in the syslog:

May 04 2011 07:31:29 PRL-FW-INT-01 : %ASA-6-302020: Built inbound ICMP connection for faddr 10.254.254.72/512 gaddr 192.168.0.4/0 laddr 192.168.0.4/0
May 04 2011 07:31:31 PRL-FW-INT-01 : %ASA-6-302021: Teardown ICMP connection for faddr 10.254.254.72/512 gaddr 192.168.0.4/0 laddr 192.168.0.4/0

Then it doesn't look like packets are being dropped at this remote location. Did you look at the originating location to see if the return echoes are being dropped by any chance?

If you have telnet active, try a telnet session to that internal IP. See what that syslog shows. What results here?

If neither of these yields any clues, you might want to run a packet capture through ASDM on each end to see where the return packets are going....
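
Added example (not part of the original thread): a small Python parser that pairs each %ASA-6-302020 Built message with its %ASA-6-302021 Teardown, so a long ping run can be checked for flows the ASA accepted and closed versus ones it never closed. It assumes the timestamp and field layout of the two lines quoted above; the function names are hypothetical.

```python
import re
from datetime import datetime

# Constructed sample based on the two messages quoted in the thread; a missing
# space after "gaddr" and a wrapped second line are included to exercise the parser.
SAMPLE_LOG = """\
May 04 2011 07:31:29 PRL-FW-INT-01 : %ASA-6-302020: Built inbound ICMP connection for faddr 10.254.254.72/512 gaddr192.168.0.4/0 laddr  192.168.0.4/0
May 04 2011 07:31:31 PRL-FW-INT-01 : %ASA-6-302021: Teardown ICMP connection for faddr 10.254.254.72/512
gaddr 192.168.0.4/0 laddr 192.168.0.4/0
"""

STAMP = r"[A-Z][a-z]{2} \d{2} \d{4} \d{2}:\d{2}:\d{2}"
EVENT = re.compile(
    rf"^({STAMP}) \S+ : %ASA-6-(302020|302021): .*?"
    r"faddr\s*(\S+)\s+gaddr\s*(\S+)\s+laddr\s*(\S+)"
)


def unwrap(text):
    """Re-join continuation lines (lines that do not start with a timestamp)."""
    records = []
    for line in text.splitlines():
        if re.match(STAMP, line) or not records:
            records.append(line.strip())
        elif line.strip():
            records[-1] += " " + line.strip()
    return records


def pair_icmp(text):
    """Pair each Built (302020) with its Teardown (302021) by address triple."""
    open_flows, closed = {}, []
    for rec in unwrap(text):
        m = EVENT.match(rec)
        if not m:
            continue
        when = datetime.strptime(m.group(1), "%b %d %Y %H:%M:%S")
        key = m.group(3, 4, 5)  # (faddr, gaddr, laddr)
        if m.group(2) == "302020":
            open_flows[key] = when
        elif key in open_flows:
            start = open_flows.pop(key)
            closed.append((key, (when - start).total_seconds()))
    return closed, sorted(open_flows)


if __name__ == "__main__":
    print(pair_icmp(SAMPLE_LOG))
```

`pair_icmp` returns the closed flows with their lifetime in seconds and, separately, any Built entries that never saw a Teardown.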



 
Maverickgoose (Author) Commented:
Hi MikeKane,

Sorry for the delay in replying.
I'm unable to telnet to the internal IP as well. Please let me know whether you would require the configurations of the ASA for troubleshooting.

 
MikeKane Commented:
Telnet may be disabled, try an SSH session to that internal address.
 
Maverickgoose (Author) Commented:
Not provided with the right solution. We had to add the public IP in the monitoring tool for getting this resolved.