ASA Troubleshooting: Easy way to determine an interface's next hop

This applies to any ASA--any version.

I'm interested... When troubleshooting, what's an easy way to find the next hop IP address? For example, if you need to ping the upstream device, how do you know what the address is?

I know you can do a sh route, but you won't see the next hop for directly connected interfaces.

I also looked at sh int, but only the interface's IP and subnet mask are listed there.

Finally, sh arp helps, but if there are multiple addresses, how do you know which one is set as the next hop on that subnet/interface?

Anyone know what I'm missing?


Thanks in advance...
ArchiTech89 (IT Security Engineer) asked:

Pete Long (Technical Consultant) commented:
You want

show cdp nei

but it's not supported on ASA <curses>. You are asking for 'next hop', so you are talking about layer 3 (you mentioned ARP, but that's layer 2?).

sh RUN route

is your best bet (unless you are using dynamic routing, then 'show route').

Pete
ArchiTech89 (IT Security Engineer, Author) commented:
Yeah, talking about layer 3. ARP shows the map of layer 2 MAC addresses to layer 3 IP addresses--that's why I mentioned it.

sh run route only shows static, as you know. But if the interface is directly connected, I won't see the next hop--it'll just say that the route along with mask is "directly connected."
giltjr commented:
If I understand what you are saying, the "next" hop would be the host that owns that IP address. For an interface to be directly connected, it is on the same subnet as the destination host. When the source and destination IP address are on the same subnet, the "next hop" is the destination. At least from an L3 point of view.

At the L2 view, there could be one or more switches in between the two hosts. In that case show cdp nei (as Pete Long suggested) MIGHT show you the next L2 device the Ethernet frame will be passed to. This will only work if all the switches are configured to use cdp.
ArchiTech89 (IT Security Engineer, Author) commented:
Hi giltjr,

It doesn't matter to me what the hostname of the next hop is (maybe it does after the fact) -- just the IP address. I really haven't found a reliable way to determine this for ASAs (or IOS devices not using CDP), though it seems straightforward enough.

The question refers to next hop by routing -- I'm not worried about next hops in layer 2. Usually, such interfaces have a /30 or a /29 with the max number of hosts at 2 for the former, and 6 for the latter. In the case of a /30, next hop would be simple deduction. But with a /29, on through even a /24 or whatever, it's no longer a simple matter to know what the remote (next hop) interface was assigned.

THIS is the information I'm hoping to find a way to easily figure out. So far, no luck...


ArchiTech89
giltjr commented:
If you are worried about L3, IP address, the next hop is in your device's routing table 99.999% of the time. So all you need to do is look at your device's routing table.
giltjr commented:
To try and clarify my attempt to describe my answer to your statement:

   "But if the interface is directly connected, I won't see the next hop--it'll just say that the route along with mask is "directly connected." "

When you see "directly connected" that means your device has an IP address on the same subnet as the target device.  When you are on the same subnet, there is no "routing."  Meaning you don't forward the packet to another device, you send the packet directly to the host that owns the destination IP address.  So the "next hop" is the destination host.
ArchiTech89 (IT Security Engineer, Author) commented:
Response to #1 - It's not in the route table if it's directly connected. And that's exactly the position I find myself in...
Response to #2 - Exactly. And that's the circumstance I described above. If it's a /30, simple deduction will solve the question. If it's a /29 or less, what's the quickest way to figure it out? In essence,

Q. HOW do you find out what the IP address for the next hop is? (Which is essentially what the original question was.) It seems like this would be a common need, but there doesn't seem to be a clear way to determine it...

What I'm thinking would have to be done, would be to do an ARP table lookup, and determine if any of the IPs fit with the IP address / subnet mask that's configured. So if there was a /29 (6 hosts available) and I use one from that subnet on an ASA interface, I should be able to tell which of the IPs from the ARP cache fit in that subnet. Am I on the right track here?

But of course, that's pretty involved, and hence the question whether there was an easy, straightforward way.


Thanks...
giltjr commented:
There is a clear, easy, and straightforward way. Do it the same way the IP stack does it. Look it up in the routing table. Period.
ArchiTech89 (IT Security Engineer, Author) commented:
Do you have commands for that? And what about directly connected interfaces that aren't routed (as you yourself described)?

Cheers!
giltjr commented:
First, I'm not sure you understand what "directly connected" means, which means you have an interface/IP address on the same subnet as the destination host. Which means you don't need to route to that host; you can communicate directly to it.

So say your firewall has two interfaces. One that has the IP address 10.22.3.5 mask of 255.255.255.0 (a.k.a. /24). The other has the IP address of 172.16.22.5 and subnet mask of 255.255.255.0.

Now say you need to connect/talk to the host 10.22.3.56. When you look at the routing table you will see that 10.22.3.0/24 is "directly connected" because your firewall is on that same subnet. Since that host is on the same IP subnet as your firewall, you are "directly connected" to it (from a L3/IP view), so the "next hop" is 10.22.3.56. No router needs to get involved. Now the firewall does do a route table lookup and that is how it finds out it's "directly connected."

Now say you need to talk/connect to 10.33.16.43.   Well that host is not in the 10.22.3.0/24 network nor is it in the 172.16.22.0/24 network.  So you must go through a router/gateway to it.    So when you look at the routing table you will need to figure out which route entry is the best fit for the network 172.16.22.0/24 and that will tell you which next hop router/gateway you need to route the packet through.

On the ASA you can do a show route to see the whole routing table and then you need to find the best match for the destination IP address.  As long as your routing table is fairly small this should not be too difficult.

I don't think the ASA supports "show route x.x.x.x" where x.x.x.x is the destination IP address (as some devices do), but at one time you could do "show route [interface] x.x.x.x" where [interface] is the name of a specific interface and x.x.x.x is the destination IP address. This would show you the specific route for the IP address x.x.x.x. As it has been a long time since I did anything with a Cisco firewall (it was still PIX) I can't remember exactly what you would see when you do a "show route interface x.x.x.x" on an interface that did not have a specific route for that host/network and the default route was not on that same interface.

Hopefully there are no terrible misspelling errors or really bad grammatical errors that confuse the issue. Not really great at spelling or grammar.
giltjr commented:
Did a check and it appears that ASA may support show route x.x.x.x, so that should make things easier. The doc implies this, but I don't have an ASA to test it.

I also remembered we still have 1 PIX where I work. If you do show route interface x.x.x.x and there is no route on that interface for the IP address specified, it displays nothing, so I am assuming that ASA does the same thing.
Pete Long (Technical Consultant) commented:
If you are directly connected then there is no route or next hop (you are now at layer 2; we don't use the terminology 'hop' any more) - you are at layer 2 - you can look at the ARP table - and see if the destination IP is sharing a MAC address with multiple IPs. If it is, you are going through a switch; you need to go to that switch and keep repeating the process until your target is the sole MAC address on one interface.
ArchiTech89 (IT Security Engineer, Author) commented:
A "directly connected" interface simply means that, in the routing table, there is an interface on the device whose IP address is configured as one end of the connection on one or more routers over a specific subnet with a specific mask.

For example, I might have an interface which connects to another device over MPLS or Frame Relay (or Ten GB Ethernet) or whatever. And say that the IP address on my end is 186.186.186.1, and it's a /30 (255.255.255.252), meaning only 4 IP addresses in the subnet, and only 2 IPs that can be used for hosts. (186.186.186.0 is the address of the network, and 186.186.186.3 would be the broadcast address, leaving only 186.186.186.1 and 186.186.186.2 as available host IPs.)

In this case, it's pretty easy to find the "next hop" of the remote device -- simple deduction would say if there are only 2 available addresses, and one is already taken, then the only one left would have to be the next hop and the IP address of the remote interface my device is communicating with. So far so good?

MY PROBLEM consists of the circumstance when the IP address of my device sits on a subnet with MORE THAN TWO POSSIBLE HOSTS, such as a /29, which has 6 possible hosts (eight total; minus one for the network address; minus another for the broadcast address; leaving 6 available IP addresses), or even a /28 with 14 possible, and so on down the mask possibilities.

So now, I'm confused that you talk about a host device as representing the "next hop". A "hop" appears as a stop along the way for routed traffic. A host cannot represent a "hop" (unless it's configured as a router). So your elaboration/example doesn't qualify as any kind of an answer to the original question.

As far as I can tell, sh route in any form I am aware of isn't capable of telling me what the next hop on a particular interface is.

And that's what I want to know...


Cheers!
ArchiTech89 (IT Security Engineer, Author) commented:
@Pete Long -- You appear to be reading the confused replier, not the original post.

From the original:
When troubleshooting, what's an easy way to find the next hop IP address? For example, if you need to ping the upstream device, how do you know what the address is?
An "upstream device" isn't a host.

In response to your comment:
If you are directly connected then there is no route or next hop.
That's false. If it were true, then there would be no way to route further on any routing device, including a firewall.

Are you saying that if I have a direct connection to my ISP, I can't route through it? I can only get to the devices on that subnet only? And if so, and it has a subnet mask of /30, that would mean I can only get to ONE DEVICE on that subnet and nowhere else?

Sorry, that doesn't hold water -- it's not even in the ball park... :-(


Cheers!

P.S. I never asked for a MAC address -- layer two. I want to know the next hop which is layer 3, the IP protocol.
ArchiTech89 (IT Security Engineer, Author) commented:
Just for grins, here's the partial output of a sh route command on a Cisco ASA:
C        192.168.25.0 255.255.255.248 is directly connected, dmx
L        192.168.25.1 255.255.255.255 is directly connected, dmx
The "C" represents "connected"; the L "local". And in the case of an ASA, it also shows the named interface (in this case, "dmx", which has been assigned to an interface like Gi0/8, or whatever).

Note that the network is listed first (x.x.x.0/29, which is another way of saying 255.255.255.248), then the actual IP address of the interface on this side is listed along with a /32 subnet mask, meaning only this IP address and none other -- no range of addresses.
giltjr commented:
I'm not trying to be condescending. I don't think you actually understood what you think you know.

"Are you saying that if I have a direct connection to my ISP, I can't route through it? I can only get to the devices on that subnet only? And if so, and it has a subnet mask of /30, that would mean I can only get to ONE DEVICE on that subnet and no where else?"

NO, NO, NO, and I have never said that. If you have a route statement that points to your ISP's address, then you can route through your ISP.

What I have said is that on a directly connected network you don't ROUTE, you talk directly to that IP address.  
I think the problem is you don't understand routing, nor do you understand the interaction between L3 (IP) and L2 (whatever it maybe).


So let's try this. Say you have a /30 from your ISP and your address is 10.1.1.1 and their address is 10.1.1.2. So you would see

          C        10.1.1.0 255.255.255.248 is directly connected, dmx

Now say you need to connect to 10.1.1.2; you look at the routing table and you see it is directly connected. So NO routing involved. You get its L2 address and you put its L2 address in the L2 FRAME, and you put 10.1.1.2 in the destination address of the IP packet.


Now say you want to talk to a host on the subnet 10.20.20.0/24 and that subnet is connected to your ISP and so you code a static route to 10.20.20.0/24 that says you need to route through 10.1.1.2.  So when you do a show route you would see something like

           S         10.20.20.0 255.255.255.0 via 10.1.1.2

So you now know that to get to any host in the 10.20.20.0/24 subnet your next hop is 10.1.1.2. Here is where I think you are getting confused. When you route you don't talk to an IP address (L3); you talk to an L2 address and forward the IP packet to the next hop using its L2 address.

So say you want to talk to 10.20.20.34.  You now know you need to route it through 10.1.1.2.  So you look up 10.1.1.2's L2 address, you put that address as the destination address in the L2 FRAME, but you put IP address 10.20.20.34 as the destination IP address in the IP packet (L3).  Now you send the IP packet, which is inside the L2 FRAME to the next hop, which happens to be 10.1.1.2.

When you route, you are not talking to the next HOP at the L3 level, you talk to it at the L2 level.
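Putting the two approaches from this thread together, as an added example that is not code from any participant: a longest-prefix lookup over show route output (the routing-table method giltjr describes) and, when the result is "directly connected", filtering the ARP cache to that interface's connected subnet (the step ArchiTech89 proposed earlier for a /29 or wider). The show route and show arp text, the interface names, and the MAC addresses are constructed samples in ASA style, not output from any device in the thread.

```python
import ipaddress

# Constructed sample in ASA "show route" style (not output from any device in the thread).
SHOW_ROUTE = """\
C        192.168.25.0 255.255.255.248 is directly connected, dmx
L        192.168.25.1 255.255.255.255 is directly connected, dmx
C        10.1.1.0 255.255.255.252 is directly connected, outside
L        10.1.1.1 255.255.255.255 is directly connected, outside
S        10.20.20.0 255.255.255.0 [1/0] via 10.1.1.2, outside
S*       0.0.0.0 0.0.0.0 [1/0] via 10.1.1.2, outside
"""
# Constructed ARP cache in "show arp" style: interface, IP, MAC, age (MACs are made up).
SHOW_ARP = """\
        dmx 192.168.25.2 0050.5685.1a2b 120
        dmx 192.168.25.6 0050.5685.3c4d 15
        outside 10.1.1.2 0050.5685.5e6f 300
        inside 10.22.3.56 0050.5685.7a8b 44
"""

def parse_routes(text):
    """Return (network, gateway_or_None, interface); L /32 entries are the ASA's own addresses."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] == "L":
            continue
        network = ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False)
        # "via 10.1.1.2," gives the gateway; a connected route has none
        gateway = parts[parts.index("via") + 1].rstrip(",") if "via" in parts else None
        routes.append((network, gateway, parts[-1]))
    return routes

def lookup(dest, routes):
    """Longest-prefix match, the way the IP stack picks a route: ('via', gw, iface) or ('connected', None, iface)."""
    addr = ipaddress.ip_address(dest)
    matches = [r for r in routes if addr in r[0]]
    if not matches:
        return None
    network, gateway, iface = max(matches, key=lambda r: r[0].prefixlen)
    return ("via", gateway, iface) if gateway else ("connected", None, iface)

def parse_arp(text):
    """(interface, IP, MAC) per ARP entry."""
    return [(p[0], ipaddress.ip_address(p[1]), p[2]) for p in map(str.split, text.splitlines()) if len(p) >= 3]

def connected_neighbors(iface, routes, arp):
    """ARP entries inside a directly connected interface's subnet: the peer candidates when it is wider than a /30."""
    subnets = [r[0] for r in routes if r[2] == iface and r[1] is None]
    return sorted(str(ip) for i, ip, _ in arp if i == iface and any(ip in s for s in subnets))
```

On a /29 the filtered list is the set of addresses the question is after; on a /30 it collapses to the single peer, matching the "simple deduction" case.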
Pete Long (Technical Consultant) commented:
>>An "upstream device" isn't a host.

My terminology may have been misleading, (my apologies,) by host I mean a network node with a layer 3 address (machine/server/SVI/routed port etc.)

>>In response to your comment:
>>>>>If you are directly connected then there is no route or next hop.
>>That's false. If it were true, then there would be no way to route further on any routing device, including a firewall.

No, it's true, bud!! Imagine you have a DMZ - that's a separate network that hangs off the firewall; there might be some servers in it, even a switch, but they are in the same network and you are directly connected to it. So if you have to 'route' traffic for that DMZ network, the firewall will ARP out of the DMZ network (because it knows from its ROUTING table that it's directly connected) and say "who has 10.1.1.1" (for example), and that host would reply and the firewall would SEND (not route, because now we are at the 'data link layer', not the 'networking layer') the traffic to it.

I can see where the confusion lies - if you're not from a networking background it looks like the firewall's ROUTING the traffic to a host in the DMZ, but it's NOT! It routes it to the last point it knows about (its own interface), then routing STOPS, and it behaves like any network that has no default gateway/default route (a network without a default gateway/default route can't route!).

Hope that makes more sense :)

Pete
