Cisco ASA5005 and Pathping

15 years 1 month ago #31468 by Inq
Hello all.

I have run into an issue that has me scratching my head and wanted to get the input of others more knowledgeable.

Basically, whenever I try to run a pathping from a workstation on my internal network, it bombs out at the ASA5505 and will not travel any further. Traceroute works fine and ping works fine, but pathping fails.

I assumed it had to be an icmp blocking issue and for testing purposes, allowed all icmp traffic inside and outside, and still received a failure at the ASA5505.

What could I be overlooking or missing?

output below
[code:1]Tracing route to google.com [74.125.67.100]
over a maximum of 30 hops:
0 workstation.domain.local [192.168.1.18]
1 * * *
Computing statistics for 0 seconds...
Source to Here This Node/Link
Hop RTT Lost/Sent = Pct Lost/Sent = Pct Address
0 workstation.domain.local [192.168.1.18]

Trace complete.[/code:1]
15 years 1 month ago #31475 by S0lo
Replied by S0lo on topic Re: Cisco ASA5005 and Pathping
Correct me if I'm wrong, but the output you posted looks like it was done with traceroute on a Cisco device. Am I right?

If yes, then could you show us the output of both tracert and pathping from a workstation?

Studying CCNP...

Ammar Muqaddas
Forum Moderator
www.firewall.cx
15 years 1 month ago #31481 by Inq
Replied by Inq on topic Re: Cisco ASA5005 and Pathping
That was a pathping from a workstation. Here is a tracert from a workstation:

[code:1]C:\Windows\system32>tracert google.com

Tracing route to google.com [74.125.45.100]
over a maximum of 30 hops:

1 * * * Request timed out.
2 8 ms 9 ms 9 ms ge10-0-4-oahuhimili-gsr1.hawaii.rr.com [24.25.225.181]
3 8 ms 9 ms 9 ms ge-2-0-0-oahuhimili-rtr1.hawaii.rr.com [24.25.224.138]
4 59 ms 58 ms 60 ms xe-4-0-3-tustca1-rtr1.socal.rr.com [24.25.230.134]
5 164 ms 59 ms 60 ms ae-5-0.cr0.lax30.tbone.rr.com [66.109.6.64]
6 78 ms 61 ms 63 ms ae-1-0.pr0.lax10.tbone.rr.com [66.109.6.131]
7 62 ms 61 ms 63 ms 72.14.197.157
8 62 ms 101 ms 65 ms 216.239.46.180
9 114 ms 113 ms 113 ms 216.239.43.125
10 114 ms 198 ms 114 ms 72.14.232.213
11 115 ms 114 ms 128 ms 209.85.253.145
12 115 ms 115 ms 115 ms yx-in-f100.google.com [74.125.45.100]

Trace complete.[/code:1]

and here is the pathping again.
[code:1]C:\Windows\system32>pathping google.com

Tracing route to google.com [74.125.67.100]
over a maximum of 30 hops:
0 workstation.domain.local [192.168.1.18]
1 * * *
Computing statistics for 0 seconds...
Source to Here This Node/Link
Hop RTT Lost/Sent = Pct Lost/Sent = Pct Address
0 workstation.domain.local.local [192.168.1.18]

Trace complete.[/code:1]

and a Ping to round it out

[code:1]C:\Windows\system32>ping google.com

Pinging google.com [74.125.67.100] with 32 bytes of data:
Reply from 74.125.67.100: bytes=32 time=115ms TTL=51
Reply from 74.125.67.100: bytes=32 time=116ms TTL=51
Reply from 74.125.67.100: bytes=32 time=118ms TTL=51
Reply from 74.125.67.100: bytes=32 time=116ms TTL=51

Ping statistics for 74.125.67.100:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 115ms, Maximum = 118ms, Average = 116ms[/code:1]
15 years 1 month ago #31482 by S0lo
Replied by S0lo on topic Re: Cisco ASA5005 and Pathping
Sorry, I must be going blind :P

The only thing I can think of to explain this is that pathping stops pinging further hops once it reaches a timed out hop.

Have a look at the first hop of the tracert output. It shows Request timed out; this is probably your ASA, which is not configured to reply with a "Time Exceeded Message" when the Time to Live value reaches zero. The ASA is simply dropping the packet without informing the workstation. There's nothing seriously wrong about that. But the effect is that pathping is programmed to stop progressing if it doesn't get the "Time Exceeded Message"; tracert, on the other hand, continues pinging farther hosts (with higher Time to Live values).

That's as far as I can get. Anyone else with better ideas, please join the talk.

Studying CCNP...

Ammar Muqaddas
Forum Moderator
www.firewall.cx
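
The behaviour described in the reply above, as an added example that is not part of the original posts: a Python sketch that parses Windows tracert output, flags hops that returned no Time Exceeded reply, and shows how far a tool that gives up at the first silent hop (pathping, per the reply) would get. The sample trace is constructed and abridged from the output in this thread, and the function names are hypothetical.

```python
import re

# Constructed sample in Windows tracert format, abridged from the trace in this thread.
SAMPLE_TRACERT = """\
Tracing route to google.com [74.125.45.100]
over a maximum of 30 hops:

  1     *        *        *     Request timed out.
  2     8 ms     9 ms     9 ms  ge10-0-4-oahuhimili-gsr1.hawaii.rr.com [24.25.225.181]
  3    59 ms    58 ms    60 ms  xe-4-0-3-tustca1-rtr1.socal.rr.com [24.25.230.134]
  4    62 ms    61 ms    63 ms  72.14.197.157
  5   115 ms   115 ms   115 ms  yx-in-f100.google.com [74.125.45.100]

Trace complete.
"""

# Hop number, three probe results ("<1 ms", "9 ms" or "*"), then the responder.
HOP_RE = re.compile(r"^\s*(\d+)\s+((?:(?:<?\d+ ms|\*)\s+){3})(.*)$")

def parse_hops(text):
    """Return one dict per hop line: hop number, silent flag, responder."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue
        probes = re.findall(r"<?\d+ ms|\*", m.group(2))
        silent = all(p == "*" for p in probes)  # no Time Exceeded came back
        hops.append({"hop": int(m.group(1)), "silent": silent,
                     "node": None if silent else m.group(3).strip()})
    return hops

def silent_hops(hops):
    """Hops that dropped the expired probe without answering."""
    return [h["hop"] for h in hops if h["silent"]]

def stop_at_first_silent(hops):
    """Hops seen by a tool that gives up at the first silent hop."""
    seen = []
    for h in hops:
        if h["silent"]:
            break
        seen.append(h["hop"])
    return seen

if __name__ == "__main__":
    hops = parse_hops(SAMPLE_TRACERT)
    print("silent:", silent_hops(hops), "reached:", stop_at_first_silent(hops))
```

With hop 1 silent, the stop-at-first-silent view is empty even though every later hop answers, which matches the pathping output posted earlier in the thread.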
15 years 1 month ago #31483 by Inq
Replied by Inq on topic Re: Cisco ASA5005 and Pathping
That makes sense.

Now to see if I can figure out how to tell it to respond with time-exceeded. I do have the rule set in the ICMP rules, but that's obviously not what I need.

Thanks for the explanation, and if anyone knows how to do the above, it would be greatly appreciated. If I find out myself, I'll post it here as well.