Network Topology
Problem Scenarios:
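- The MTU between the Cisco ASA firewall and the Cisco WAN router (RT1) appears to be 1020 bytes instead of 1500 bytes. In the session below, the failing 1021-byte pings are counted by IP audit signature 2151 (Large ICMP); once that signature is disabled, pings succeed up to 1500 bytes.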
ASA-FW# ping 10.10.10.2 size 1020
Type escape sequence to abort.
Sending 5, 1020-byte ICMP Echos to 10.10.10.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
ASA-FW#
ASA-FW# ping 10.10.10.2 size 1021
Type escape sequence to abort.
Sending 5, 1021-byte ICMP Echos to 10.10.10.2, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
ASA-FW#
ASA-FW# clear ip audit count ?
  global     Clear global IDS counters
  interface  Clear IDS counters for a specific interface
  <cr>
ASA-FW# clear ip audit count
ASA-FW#
ASA-FW# sh ip audit count interface outside | in Large
2151 A Large ICMP 0
ASA-FW#
ASA-FW# ping 10.10.10.2 size 1021 rep 2
Type escape sequence to abort.
Sending 2, 1021-byte ICMP Echos to 10.10.10.2, timeout is 2 seconds:
??
Success rate is 0 percent (0/2)
ASA-FW#
ASA-FW# sh ip audit count interface outside | in Large
2151 A Large ICMP 2
ASA-FW#
ASA-FW# conf t
ASA-FW(config)# ip audit signature 2151 disable
ASA-FW(config)# end
ASA-FW#
ASA-FW# ping 10.10.10.2 size 1021 rep 2
Type escape sequence to abort.
Sending 2, 1021-byte ICMP Echos to 10.10.10.2, timeout is 2 seconds:
!!
Success rate is 100 percent (2/2), round-trip min/avg/max = 1/5/10 ms
ASA-FW#
ASA-FW# ping 10.10.10.2 size 1500 rep 2
Type escape sequence to abort.
Sending 2, 1500-byte ICMP Echos to 10.10.10.2, timeout is 2 seconds:
!!
Success rate is 100 percent (2/2), round-trip min/avg/max = 1/1/1 ms
ASA-FW# ping 10.10.10.2 size 1501 rep 2
Type escape sequence to abort.
Sending 2, 1501-byte ICMP Echos to 10.10.10.2, timeout is 2 seconds:
??
Success rate is 0 percent (0/2)
ASA-FW#
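The counter-before/counter-after check used in the session above can be automated over a saved CLI capture. The following is an added example, not part of the original post: the function name, the regular expressions and the condensed sample transcript (including the counter read after the 1501-byte ping) are constructed for illustration.

```python
import re

# Constructed sample, condensed from the session on this page; the final
# counter read after the 1501-byte ping is invented for the example.
TRANSCRIPT = """\
ASA-FW# sh ip audit count interface outside | in Large
2151 A Large ICMP 0
ASA-FW# ping 10.10.10.2 size 1021 rep 2
Sending 2, 1021-byte ICMP Echos to 10.10.10.2, timeout is 2 seconds:
??
Success rate is 0 percent (0/2)
ASA-FW# sh ip audit count interface outside | in Large
2151 A Large ICMP 2
ASA-FW(config)# ip audit signature 2151 disable
ASA-FW# ping 10.10.10.2 size 1501 rep 2
Sending 2, 1501-byte ICMP Echos to 10.10.10.2, timeout is 2 seconds:
??
Success rate is 0 percent (0/2)
ASA-FW# sh ip audit count interface outside | in Large
2151 A Large ICMP 2
"""

PING = re.compile(r"Sending \d+, (\d+)-byte ICMP Echos")
RATE = re.compile(r"Success rate is \d+ percent \((\d+)/(\d+)\)")
COUNT = re.compile(r"^(\d+)\s+\S\s+.+?\s+(\d+)$")  # "<sig id> <class> <name> <count>"

def attribute_ping_failures(transcript):
    """Return [(size, lost, cause)] for every ping that lost packets.

    A loss is blamed on a signature only if that signature's counter rose
    between the reads taken before and after the ping."""
    counters, findings, open_ping, size = {}, [], None, None
    for line in transcript.splitlines() + ["END"]:
        line = line.strip()
        if (m := COUNT.match(line)):
            counters[m.group(1)] = int(m.group(2))
        elif (m := PING.search(line)) or line == "END":
            if open_ping:  # settle the previous failed ping against newer counters
                psize, lost, snap = open_ping
                hits = sorted(s for s, n in counters.items() if n > snap.get(s, n))
                cause = "signature " + ",".join(hits) if hits else "no signature hit"
                findings.append((psize, lost, cause))
                open_ping = None
            if m:
                size = int(m.group(1))
        elif (m := RATE.search(line)):
            lost = int(m.group(2)) - int(m.group(1))
            if lost:
                open_ping = (size, lost, dict(counters))
    return findings
```

A "no signature hit" result means the loss is not explained by the audit counters in the capture, so the MTU or path is the next thing to check.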
Reference: https://supportforums.cisco.com/docs/DOC-3769
