Cisco FirePOWER ASA 5500 series Configuration Manual page 825

Security appliance command line

Chapter 43
Troubleshooting the Security Appliance
Figure 43-1: Network Sketch with Interfaces, Routers, and Hosts
Step 2: Ping each security appliance interface from the directly connected routers. For transparent mode, ping
the management IP address.
This test ensures that the security appliance interfaces are active and that the interface configuration is
correct.
A ping might fail if the security appliance interface is not active, the interface configuration is incorrect,
or if a switch between the security appliance and router is down (see Figure 43-2). In this case, no debug
messages or system messages appear on the security appliance, because the packet never reaches it.

Figure 43-2: Ping Failure at Security Appliance Interface

If the ping reaches the security appliance, and the security appliance responds, you see debug messages
like the following:
ICMP echo reply (len 32 id 1 seq 256) 209.165.201.1 > 209.165.201.2
ICMP echo request (len 32 id 1 seq 512) 209.165.201.2 > 209.165.201.1
If the ping reply does not return to the router, then you might have a switch loop or redundant IP
addresses (see Figure 43-3).

Cisco Security Appliance Command Line Configuration Guide (OL-10088-01), Testing Your Configuration
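As an added example (not part of the Cisco guide), the following Python sketch parses ICMP debug lines in the format quoted in Step 2 and maps one ping test onto the outcomes that step describes. The function names, result codes, the `router_saw_reply` flag and the sample log are constructed for illustration; the NO_REPLY_LOGGED outcome is an extra case the page does not discuss.

```python
import re

# Line format taken from the debug messages quoted in Step 2.
ICMP_RE = re.compile(
    r"ICMP echo (request|reply) \(len (\d+) id (\d+) seq (\d+)\) "
    r"(\d+\.\d+\.\d+\.\d+) > (\d+\.\d+\.\d+\.\d+)"
)

def parse_icmp_debug(text):
    """Return a (kind, id, seq, src, dst) tuple for every ICMP debug line."""
    return [(m[1], int(m[3]), int(m[4]), m[5], m[6])
            for m in ICMP_RE.finditer(text)]

def diagnose(text, router_ip, iface_ip, router_saw_reply):
    """Classify one ping test from router_ip to appliance interface iface_ip.

    router_saw_reply is what the operator observed on the router itself
    (hypothetical input; the appliance log cannot tell you this).
    """
    events = parse_icmp_debug(text)
    requests = {(i, s) for k, i, s, src, dst in events
                if k == "request" and src == router_ip and dst == iface_ip}
    replies = {(i, s) for k, i, s, src, dst in events
               if k == "reply" and src == iface_ip and dst == router_ip}
    if not requests:
        # Page: interface inactive, misconfigured, or a switch is down,
        # so the packet never reaches the appliance and nothing is logged.
        return "NOT_REACHED"
    if not (requests & replies):
        # Extra case, not covered by the page: request logged, no matching reply.
        return "NO_REPLY_LOGGED"
    if not router_saw_reply:
        # Page: suspect a switch loop or redundant (duplicate) IP addresses.
        return "REPLY_LOST"
    return "OK"

# Constructed sample in the page's format, using the page's addresses.
SAMPLE = (
    "ICMP echo request (len 32 id 1 seq 512) 209.165.201.2 > 209.165.201.1\n"
    "ICMP echo reply (len 32 id 1 seq 512) 209.165.201.1 > 209.165.201.2\n"
)

if __name__ == "__main__":
    for saw in (True, False):
        print(saw, diagnose(SAMPLE, "209.165.201.2", "209.165.201.1", saw))
    print(diagnose("", "192.168.1.2", "192.168.1.1", False))
```

Requests and replies are matched on the id and seq fields, so a reply to an earlier ping does not mask a missing one.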
