Behavior of ping simulation towards an ALG policy

Last modified on 6 Feb, 2025. Revision 4
When using a ping simulation and the IP policy that triggers is using an ALG, the result looks strange and there is always a timeout. Why?
Up to date for: Core 14.00.16
Status: OK
Author: Stefan Lindkvist & Peter Nilsson


Issue:

When performing a ping simulation that triggers an IP policy using an ALG, the result may indicate no response or failure (100% loss), and the route lookup shows the traffic following a core route.

Output example:

Two examples of how the output looks when the simulation triggers a policy that uses an ALG.

Example-1:

test:/> ping 192.168.2.80 -v -srcif=if2 -srcip=192.168.2.5 -tcp -port=443
Rule and routing information for ping:
     TCP: 192.168.2.5:26786 -> 192.168.2.80:443 allowed by rule "reverseproxy"

Sending 0-byte TCP ping to 192.168.2.80:443 from 192.168.2.5:26786
 sent via route "0.0.0.0 via core, no gw" in PBR table "main"

Example-2:

VSG-14:/> ping 1.1.1.1 -srcip=192.168.200.50 -srcif=If2_lan -tcp -port=21 -verbose
Rule and routing information for ping:
TCP: 192.168.200.50:16148 -> 1.1.1.1:21 PBR selected by rule "PBR_Test" - Fwd PBR table "Secondary_Table"
TCP: 192.168.200.50:16148 -> 1.1.1.1:21 PBR selected by rule "PBR_Test" - Ret PBR table "main"
     TCP: 192.168.200.50:16148 -> 1.1.1.1:21 allowed by rule "FTP_ALG_Ping_Test"

Sending 0-byte TCP ping to 1.1.1.1:21 from 10.250.10.1:16148
 sent via route "0.0.0.0 via core, no gw" in PBR table "main"

TCP Ping Results:  Sent: 1, RST/ACKs Received:0, Loss: 100%

What does this mean?

When a ping simulation matches a policy that uses an ALG, the output is not reliable, because the simulation does not forward the simulated traffic through the Application Layer Gateway. The route lookup is therefore done without the ALG and resolves to the core route (the "0.0.0.0 via core, no gw" line in the examples above), and no response is received. Real traffic is not affected: a standard client connection through the same policy, for example a browser connection, is handled by the ALG and works as expected.

When troubleshooting ALG traffic, therefore, do not rely on the ping simulation alone. Use additional diagnostic tools, such as the built-in packet capture feature, to verify that the real traffic is sent out on the correct interface and that a response is received.

The ping simulation is still useful for confirming that the correct policy is matched and that the ALG is triggered, but its route and response output can be misleading in this case.

Still useful information?

The output is not all bad. To summarize which parts of the output can be used and which cannot when an ALG policy is triggered:

Information                         Status
Name of the rule                    OK
Source and destination IP address   OK
PBR selection                       OK
Route lookup                        Not OK
Ping results                        Always 100% loss
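The rule of thumb in the table can be applied mechanically to a pasted transcript. The following Python script is an added example written for this article, not Clavister code: it parses the verbose ping simulation output shown above (the second transcript is embedded as a constructed sample) and marks which fields can be trusted. It assumes the administrator supplies the names of the IP policies known to use a legacy (non-LW) ALG in the alg_rules set, since the transcript itself does not say whether the matched rule uses one.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample input: the second transcript from this article, pasted
# verbatim so the parser can be run offline.
SAMPLE_OUTPUT = """\
VSG-14:/> ping 1.1.1.1 -srcip=192.168.200.50 -srcif=If2_lan -tcp -port=21 -verbose
Rule and routing information for ping:
TCP: 192.168.200.50:16148 -> 1.1.1.1:21 PBR selected by rule "PBR_Test" - Fwd PBR table "Secondary_Table"
TCP: 192.168.200.50:16148 -> 1.1.1.1:21 PBR selected by rule "PBR_Test" - Ret PBR table "main"
     TCP: 192.168.200.50:16148 -> 1.1.1.1:21 allowed by rule "FTP_ALG_Ping_Test"

Sending 0-byte TCP ping to 1.1.1.1:21 from 10.250.10.1:16148
 sent via route "0.0.0.0 via core, no gw" in PBR table "main"

TCP Ping Results:  Sent: 1, RST/ACKs Received:0, Loss: 100%
"""

# Line shapes seen in the "-verbose" output above.
FLOW_RE = re.compile(r'^(?P<proto>\w+): (?P<src>\S+) -> (?P<dst>\S+) (?P<rest>.*)$')
ALLOW_RE = re.compile(r'allowed by rule "(?P<rule>[^"]+)"')
PBR_RE = re.compile(r'PBR selected by rule "(?P<rule>[^"]+)" - (?P<dir>Fwd|Ret) PBR table "(?P<table>[^"]+)"')
ROUTE_RE = re.compile(r'sent via route "(?P<route>[^"]+)" in PBR table "(?P<table>[^"]+)"')
RESULT_RE = re.compile(r'Sent: (?P<sent>\d+), RST/ACKs Received:\s*(?P<recv>\d+), Loss: (?P<loss>\d+)%')


@dataclass
class PingSimulation:
    rule: Optional[str] = None               # IP policy that allowed the flow
    src: Optional[str] = None                # ip:port as printed
    dst: Optional[str] = None
    pbr: dict = field(default_factory=dict)  # "Fwd"/"Ret" -> PBR table name
    pbr_rule: Optional[str] = None
    route: Optional[str] = None
    route_table: Optional[str] = None
    sent: int = 0
    received: int = 0
    loss: Optional[int] = None


def parse_ping_simulation(text: str) -> PingSimulation:
    """Extract rule, addresses, PBR decision, route and result from a transcript."""
    sim = PingSimulation()
    for raw in text.splitlines():
        line = raw.strip()
        m = FLOW_RE.match(line)
        if m:
            sim.src, sim.dst = m.group("src"), m.group("dst")
            rest = m.group("rest")
            if (a := ALLOW_RE.search(rest)):
                sim.rule = a.group("rule")
            if (p := PBR_RE.search(rest)):
                sim.pbr_rule = p.group("rule")
                sim.pbr[p.group("dir")] = p.group("table")
            continue
        if (m := ROUTE_RE.search(line)):
            sim.route, sim.route_table = m.group("route"), m.group("table")
            continue
        if (m := RESULT_RE.search(line)):
            sim.sent = int(m.group("sent"))
            sim.received = int(m.group("recv"))
            sim.loss = int(m.group("loss"))
    return sim


def assess(sim: PingSimulation, alg_rules: set) -> dict:
    """Apply the article's table. `alg_rules` (assumption: supplied by the
    administrator) holds the IP policy names known to use a legacy ALG."""
    verdict = {"rule": "OK", "src/dst": "OK", "pbr": "OK", "route": "OK", "results": "OK"}
    core_route = bool(sim.route and "via core" in sim.route)
    if sim.rule in alg_rules:
        verdict["route"] = "Not OK (simulation bypasses the ALG; core route is an artifact)"
        verdict["results"] = "Not OK (always 100% loss; verify with packet capture instead)"
    elif core_route and sim.loss == 100:
        # Same symptom without a known ALG rule: check whether the matched
        # policy uses an ALG before trusting the route or the loss figure.
        verdict["route"] = "Suspect (core route with 100% loss; check if the rule uses an ALG)"
        verdict["results"] = verdict["route"]
    return verdict


if __name__ == "__main__":
    sim = parse_ping_simulation(SAMPLE_OUTPUT)
    for k, v in assess(sim, {"FTP_ALG_Ping_Test"}).items():
        print(f"{k:8} {v}")
```

Running the script on the sample prints OK for the rule, addresses and PBR selection and Not OK for the route lookup and ping results, matching the table above. Feed it any other transcript (paste the output into SAMPLE_OUTPUT or read it from a file) and the same field checks apply.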

Are all ALGs affected?

No. The exception is the new HTTP & HTTPS ALG (also known as the LW-ALG). That ALG was redesigned, and one of the changes is that ping simulations work correctly through it.

