bvsnarayana03 Fri, 12/14/2007 - 07:20

There are a number of reasons for lost responses from ICMP. It depends upon the type of response. If it's because of network unreachability, then one of the methods is to do a trace to the same IP & see where it reaches. Then start troubleshooting from the point of the last hop visible in the trace.


There can be a number of reasons for this:

no route to destination

destination is not up

asymmetric path etc.


There is no specific command to check the ICMP connectivity.

ranidalal Fri, 12/14/2007 - 07:30

Thanks for quick response.


I'm trying to check ICMP traffic by checking config & not seeing any command configured for icmp traffic.


As per my knowledge, ICMP traffic routed through the security appliance comes under a security issue, not a routing issue.

Please correct me if I'm wrong.


Thanks

bvsnarayana03 Fri, 12/14/2007 - 07:41

Oh, so you are talking about firewall configs & ICMP response to the firewall. By default it's denied, but when you permit any IP traffic to the destination then ICMP gets through the firewall.


you may revert for further clarification.


pls rate all helpful posts.

ranidalal Fri, 12/14/2007 - 07:52

I'm taking care of a request saying that it's having ICMP lost connectivity to a specific device.

1. As it is assigned to me (network group), I think it may be having some routing issue, so I think your first response is somewhat helpful to troubleshoot a routing problem, if there is any.


2. I searched on the Cisco site & it mentions that it's related to access-list, security area. I'm not very sure about it.


3. In such a situation, how should I proceed to fix the problem? I think traceroute is fine to check where the fault is, but if ping is successful then I don't think traceroute comes into the picture.


Please clarify

bvsnarayana03 Fri, 12/14/2007 - 08:45

bhartiji, first ensure that the node you are trying to ping is UP on the network. One way of doing it is to ping it from the nearest switch such that the firewall doesn't come into the picture.


Then find out with the security team what TCP port is open on the firewall for this server. Try telnet to the server on this port (telnet x.x.x.x portnumber) from the local network where the server is. Ensure the firewall doesn't come into the picture.


If it gives a blank screen, then the application is UP on the server.


These 2 tests ensure that your server & application are both working.


Now repeat the tests from behind the firewall. Trace should reach up to the nearest hop to the firewall. Then the issue is with the firewall config.


But if the trace doesn't reach the firewall or the hop before that, then check routing till the destination.


pls rate all helpful posts.

dave.keith Fri, 12/14/2007 - 08:31

ICMP is a collection of various messages (about 30 of them) that are often treated very differently. What exact ICMP message seems to be getting lost? If you are losing the odd ICMP-ECHO-REPLY, it's likely no big deal. If you are not getting an ICMP-ADDRESSMASK-REPLY then maybe the device does not support it. ICMP-SOURCEQUENCH is one that I have never seen on a wire, not that I look for everything. Firewalls tend to not send out ICMP-REDIRECTS, but that may be configurable.


Bottom line, ICMP is a broad 'protocol' and more details are required to help solve whatever issue you may have, imo.


Dave
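
Added example, not part of the original thread: a small Python decoder that names the ICMP message type in a captured ICMP payload, which is the detail the last reply asks for. The function names and the sample messages are constructed for illustration; the type and code numbers are the standard ICMPv4 assignments.

```python
import struct

# ICMPv4 type numbers (IANA registry), limited to those relevant to this thread.
ICMP_TYPES = {0: "echo-reply", 3: "destination-unreachable", 4: "source-quench",
              5: "redirect", 8: "echo-request", 11: "time-exceeded",
              17: "address-mask-request", 18: "address-mask-reply"}
# Destination-unreachable codes; 13 is what a filtering device sends when it
# rejects traffic by policy (if it is configured to answer at all).
UNREACH_CODES = {0: "net-unreachable", 1: "host-unreachable", 3: "port-unreachable",
                 4: "fragmentation-needed", 13: "administratively-prohibited"}

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_icmp(icmp_type, code, rest=b"\x00" * 4, payload=b""):
    """Build an ICMP message with a valid checksum (for constructed samples)."""
    body = rest + payload
    csum = inet_checksum(struct.pack("!BBH", icmp_type, code, 0) + body)
    return struct.pack("!BBH", icmp_type, code, csum) + body

def describe_icmp(msg: bytes) -> dict:
    """Decode the ICMP header that follows the IP header in a capture."""
    if len(msg) < 8:
        raise ValueError("ICMP message shorter than the 8-byte header")
    icmp_type, code, _ = struct.unpack("!BBH", msg[:4])
    info = {"type": ICMP_TYPES.get(icmp_type, "type-%d" % icmp_type),
            "code": code,
            # A valid message sums to zero when the checksum field is included.
            "checksum_ok": inet_checksum(msg) == 0}
    if icmp_type in (0, 8):            # echo reply / echo request carry id + seq
        info["id"], info["seq"] = struct.unpack("!HH", msg[4:8])
    elif icmp_type == 3:
        info["reason"] = UNREACH_CODES.get(code, "code-%d" % code)
    return info

if __name__ == "__main__":
    # Constructed samples: a ping request, and the reply a filter may send back.
    samples = [build_icmp(8, 0, struct.pack("!HH", 0x1234, 1), b"ping"),
               build_icmp(3, 13, payload=bytes(28))]
    for s in samples:
        print(describe_icmp(s))
```

Matching echo-request and echo-reply pairs by `id` and `seq` on each side of the firewall shows whether the request or the reply is the one being dropped.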
