Thursday, July 12, 2012

The Mysterious Cisco ASA 1020 bytes MTU

Network Topology
Problem Scenarios:
  1. The effective MTU between the Cisco ASA firewall and the Cisco WAN router (RT1) appears to be 1020 bytes instead of the expected 1500 bytes: a 1020-byte ping succeeds, while a 1021-byte ping fails.
ASA-FW# ping 10.10.10.2 size 1020
Type escape sequence to abort.
Sending 5, 1020-byte ICMP Echos to 10.10.10.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
ASA-FW#
ASA-FW# ping 10.10.10.2 size 1021
Type escape sequence to abort.
Sending 5, 1021-byte ICMP Echos to 10.10.10.2, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
ASA-FW#
ASA-FW# clear ip audit count ?

  global     Clear global IDS counters
  interface  Clear IDS counters for a specific interface
  <cr>
ASA-FW# clear ip audit count
ASA-FW#

ASA-FW# sh ip audit count interface outside | in Large
2151 A Large ICMP                 0
ASA-FW#
ASA-FW# ping 10.10.10.2 size 1021 rep 2
Type escape sequence to abort.
Sending 2, 1021-byte ICMP Echos to 10.10.10.2, timeout is 2 seconds:
??
Success rate is 0 percent (0/2)
ASA-FW#
ASA-FW# sh ip audit count interface outside | in Large
2151 A Large ICMP                 2
ASA-FW#
ASA-FW# conf t
ASA-FW(config)# ip audit signature 2151 disable
ASA-FW(config)# end
ASA-FW#
ASA-FW# ping 10.10.10.2 size 1021 rep 2
Type escape sequence to abort.
Sending 2, 1021-byte ICMP Echos to 10.10.10.2, timeout is 2 seconds:
!!
Success rate is 100 percent (2/2), round-trip min/avg/max = 1/5/10 ms
ASA-FW#
ASA-FW# ping 10.10.10.2 size 1500 rep 2
Type escape sequence to abort.
Sending 2, 1500-byte ICMP Echos to 10.10.10.2, timeout is 2 seconds:
!!
Success rate is 100 percent (2/2), round-trip min/avg/max = 1/1/1 ms
ASA-FW# ping 10.10.10.2 size 1501 rep 2
Type escape sequence to abort.
Sending 2, 1501-byte ICMP Echos to 10.10.10.2, timeout is 2 seconds:
??
Success rate is 0 percent (0/2)
ASA-FW#

Resolution:
  The interface MTU is not the problem. The ASA's IP audit feature is dropping the larger pings: after clearing the counters, two 1021-byte pings raise the "Large ICMP" counter for signature 2151 from 0 to 2. Disabling that signature (ip audit signature 2151 disable) lets both 1021-byte and 1500-byte pings through, and the first failure now appears at 1501 bytes, which matches the real 1500-byte MTU. Note that disabling the signature turns that check off on the device, so decide whether the Large ICMP detection is still wanted on the interface before leaving it disabled.

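The troubleshooting steps above (probe for the largest payload that gets through, then compare the "show ip audit count" counters before and after) can be scripted so that an inspection drop is not mistaken for a small MTU. The following is an added example, not code from the original post or from Cisco: the counter-line format is inferred from the transcript above, the simulated_ping function is a constructed stand-in for the device's ping command, and find_max_size, parse_audit_counts, signatures_that_fired and diagnose are hypothetical helper names.

```python
"""Added example (not from the original post): find the largest ICMP payload a
path accepts, then check whether an ASA 'ip audit' counter moved, so that a
signature drop is not misread as a 1020-byte MTU."""
import re
from typing import Callable, Dict, Tuple

# Matches counter lines such as "2151 A Large ICMP                 2" from
# 'show ip audit count interface <name>'. The column layout (signature id,
# action flag, signature name, hit count) is inferred from the transcript.
AUDIT_LINE = re.compile(r"^\s*(\d+)\s+(\S)\s+(.+?)\s+(\d+)\s*$")


def parse_audit_counts(text: str) -> Dict[int, int]:
    """Return {signature_id: hit_count} for every counter line in the output."""
    counts: Dict[int, int] = {}
    for line in text.splitlines():
        m = AUDIT_LINE.match(line)
        if m:
            counts[int(m.group(1))] = int(m.group(4))
    return counts


def find_max_size(probe: Callable[[int], bool], lo: int, hi: int) -> int:
    """Binary-search the largest payload size in [lo, hi] for which probe()
    succeeds. Assumes monotonic behaviour: if size n fails, larger sizes fail."""
    if not probe(lo):
        return lo - 1  # nothing in the range gets through
    while lo < hi:
        mid = (lo + hi + 1) // 2  # round up so lo always advances
        if probe(mid):
            lo = mid
        else:
            hi = mid - 1
    return lo


def signatures_that_fired(before: str, after: str) -> Dict[int, int]:
    """Diff two 'show ip audit count' captures; return {sig: increase} for
    every signature whose hit count rose between the two captures."""
    b, a = parse_audit_counts(before), parse_audit_counts(after)
    return {sig: a[sig] - b.get(sig, 0) for sig in a if a[sig] > b.get(sig, 0)}


def diagnose(probe: Callable[[int], bool], before: str, after: str,
             expected_mtu: int = 1500) -> Tuple[int, Dict[int, int], str]:
    """Classify the symptom: 'inspection drop' when the ceiling is below the
    expected MTU and an audit signature counted hits, 'path mtu' when the
    ceiling is low but no signature fired, otherwise 'ok'."""
    limit = find_max_size(probe, 1, 65500)
    fired = signatures_that_fired(before, after)
    if limit < expected_mtu and fired:
        verdict = "inspection drop"
    elif limit < expected_mtu:
        verdict = "path mtu"
    else:
        verdict = "ok"
    return limit, fired, verdict


# --- constructed data standing in for the live device -----------------------
def simulated_ping(size: int) -> bool:
    """Constructed stand-in for 'ping <host> size <n>': a 1500-byte link fronted
    by an inspection rule that drops ICMP payloads above 1020 bytes."""
    return size <= 1020


BEFORE = "2151 A Large ICMP                 0\n"   # constructed capture
AFTER = "2151 A Large ICMP                 2\n"    # constructed capture


if __name__ == "__main__":
    limit, fired, verdict = diagnose(simulated_ping, BEFORE, AFTER)
    print(f"largest accepted payload: {limit} bytes")
    print(f"signatures that fired:    {fired}")
    print(f"verdict:                  {verdict}")
```

On a real device the probe would wrap the ping command and the two captures would come from "show ip audit count interface outside" taken before and after the probes, exactly as in the session above; the binary search replaces the manual guessing of sizes.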
Reference: https://supportforums.cisco.com/docs/DOC-3769
