Cisco ASA Series Firewall CLI Configuration Guide
Chapter 24 Troubleshooting Connections and Resources
Testing Your Configuration
Figure 24-2 Ping Failure at the ASA Interface
If the ping reaches the ASA, and it responds, debugging messages similar to the following appear:
ICMP echo reply (len 32 id 1 seq 256) 209.165.201.1 > 209.165.201.2
ICMP echo request (len 32 id 1 seq 512) 209.165.201.2 > 209.165.201.1
If the ping reply does not return to the router, then a switch loop or redundant IP addresses may exist
(see Figure 24-3).
Figure 24-3 Ping Failure Because of IP Addressing Problems
Step 3
Ping each ASA interface from a remote host. For transparent mode, ping the management IP address.
This test checks whether the directly connected router can route the packet between the host and the
ASA, and whether the ASA can correctly route the packet back to the host.
A ping might fail if the ASA does not have a return route to the host through the intermediate router (see
Figure 24-4). In this case, the debugging messages show that the ping was successful, but syslog
message 110001 appears, indicating a routing failure has occurred.
Figure 24-4 Ping Failure Because the ASA Has No Return Route
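The checks in these steps can be applied to captured debug and syslog output with a short script. The following is an added example, not part of the Cisco guide; the function name classify_ping, the host_got_reply flag, and the sample addresses and syslog text are assumptions made for illustration.

```python
import re

# Debug line layout copied from the page's sample output.
ICMP_RE = re.compile(
    r"ICMP echo (request|reply) \(len \d+ id \d+ seq \d+\) "
    r"(\d+\.\d+\.\d+\.\d+) > (\d+\.\d+\.\d+\.\d+)"
)
# Standard ASA syslog header; only the message ID is read, not the text after it.
SYSLOG_RE = re.compile(r"%ASA-\d-(\d{6})")

def classify_ping(lines, host_got_reply):
    """Map captured ASA output plus the host-side result to a likely cause."""
    requests, replies, no_route = set(), set(), False
    for line in lines:
        m = ICMP_RE.search(line)
        if m:
            kind, src, dst = m.groups()
            # Store every flow as (pinging host, ASA interface) so a reply
            # can be matched to its request.
            if kind == "request":
                requests.add((src, dst))
            else:
                replies.add((dst, src))
            continue
        s = SYSLOG_RE.search(line)
        if s and s.group(1) == "110001":
            no_route = True
    if not requests:
        return "no echo request logged: ping did not reach the ASA"
    if not requests & replies:
        return "request logged without a matching reply from the ASA"
    if no_route:
        return "ASA replied but logged 110001: no return route to the host"
    if not host_got_reply:
        return "reply sent but not received: check for a switch loop or duplicate IP addresses"
    return "ping succeeded"

# Constructed sample: remote host 192.0.2.10 pings ASA interface 209.165.201.1.
# The text after the message ID is illustrative only.
SAMPLE_NO_ROUTE = [
    "ICMP echo request (len 32 id 1 seq 256) 192.0.2.10 > 209.165.201.1",
    "ICMP echo reply (len 32 id 1 seq 256) 209.165.201.1 > 192.0.2.10",
    "%ASA-6-110001: No route to 192.0.2.10 from 209.165.201.1",
]

if __name__ == "__main__":
    print(classify_ping(SAMPLE_NO_ROUTE, host_got_reply=False))
```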