ACE - Traceroute showing same IP for each hop

Unanswered Question
Mar 12th, 2009

I'm having problems with traceroute on my servers sitting behind our ACE module. The module is in routed mode and is performing all NAT to the Internet.


When I try to traceroute to any external IP, each hop's answer has the same IP address (final destination IP).


Servers not behind the ACE do not have this problem.


I've turned ICMP-Guard off and opened ICMP up on every interface with a permit icmp any any ACL.


Any help would be appreciated.

Roble Mumin Tue, 03/17/2009 - 00:27

Hi,


You need to configure ICMP inspection to fix this behavior. I will have a look at my config and paste an example once I am back in the office. But yes, you can get rid of it. :)


Roble

Roble Mumin Tue, 03/17/2009 - 04:55

You have to configure...


!-ACL defining ICMP-
access-list ICMP line 10 extended permit icmp any any

!-Class Map referencing ACL-
class-map match-all ICMP-INSPECT-L4CLASS
  description ICMP fixup - L4 Class
  2 match access-list ICMP

!-LB Policy which is applied on your client side vlan.
!-Add the class statement and switch on icmp inspection
policy-map multi-match L4-SLB-POLICY
  class ICMP-INSPECT-L4CLASS
    inspect icmp error

!-Client Side VLAN-
!-Apply the service policy otherwise use your existing policy-
interface vlan 3104
  service-policy input L4-SLB-POLICY


Hope it helps


Roble
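
A check for the symptom described in this thread, for confirming from a server behind the ACE that the inspection policy took effect (added example, not part of any post; the function names are hypothetical and the sample outputs are constructed with documentation addresses). It parses Linux `traceroute -n` output and lists the intermediate hops that answered with the destination address.

```python
import re

# Constructed sample outputs (documentation addresses), not taken from the thread.
BROKEN = """\
traceroute to 203.0.113.50 (203.0.113.50), 30 hops max, 60 byte packets
 1  203.0.113.50  0.412 ms  0.398 ms  0.377 ms
 2  203.0.113.50  1.204 ms  1.187 ms  1.165 ms
 3  203.0.113.50  5.731 ms  5.702 ms  5.688 ms
 4  203.0.113.50  9.120 ms  9.101 ms  9.087 ms
"""
FIXED = """\
traceroute to 203.0.113.50 (203.0.113.50), 30 hops max, 60 byte packets
 1  10.20.30.1  0.412 ms  0.398 ms  0.377 ms
 2  192.0.2.1  1.204 ms  1.187 ms  1.165 ms
 3  * * *
 4  198.51.100.9  5.731 ms  5.702 ms  5.688 ms
 5  203.0.113.50  9.120 ms  9.101 ms  9.087 ms
"""

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HEADER = re.compile(r"^traceroute to \S+ \((?P<dest>[\d.]+)\)")
HOP = re.compile(r"^\s*(?P<ttl>\d+)\s+(?P<rest>.+)$")

def parse_traceroute(text):
    """Return (destination, [(ttl, {responder IPs})]) from `traceroute -n` output."""
    dest, hops = None, []
    for line in text.splitlines():
        header = HEADER.match(line)
        if header:
            dest = header.group("dest")
            continue
        hop = HOP.match(line)
        if hop:
            # Round-trip times ("0.412 ms") never match the four-octet pattern.
            hops.append((int(hop.group("ttl")), set(IPV4.findall(hop.group("rest")))))
    if dest is None:
        raise ValueError("no 'traceroute to' header found")
    return dest, hops

def masked_ttls(text):
    """TTLs of intermediate hops whose replies all carry the destination IP."""
    dest, hops = parse_traceroute(text)
    answered = [(ttl, ips) for ttl, ips in hops if ips]  # drop '* * *' rows
    # The last answering hop is the destination itself, so it is excluded.
    return [ttl for ttl, ips in answered[:-1] if ips == {dest}]
```

An empty list from `masked_ttls` means every intermediate hop that answered did so from its own address.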

thedinuka Fri, 07/10/2009 - 08:03

Hmmm, funny thing. I had the same problem. Looked everywhere to find a solution, and then came here before opening a TAC. Going to try out the solution given above in a couple of days after the weekend. AW, thanks a lot for sharing the experience.


Any idea why the ACE modifies the source IP of the "TTL expired in transit" packets when traversing through it?

thedinuka Sun, 07/12/2009 - 20:06

Has anyone else had this problem? I would like to find out the reason behind this.

thedinuka Mon, 07/13/2009 - 21:49

I tried this solution but it didn't work. Then I issued a "show access-list ICMP" and the ACE says that the status of the ICMP access-list is "not active".


Attached is my config. Can someone help me debug this, please?


Din



tporembski Wed, 03/13/2013 - 07:04

I know you first dealt with this years ago, but I have just experienced it for the first time with an ACE30 running 5.2.1 code. Your solution fixed the issue, but I am curious if you ever discovered why it is happening. I am working with Cisco currently, but they have failed to provide a reasonable explanation as to why this happens with the ACE module.


Thanks

Tony

Jorge Bejarano Thu, 03/14/2013 - 21:49

Hi All,


Could you provide an output showing exactly what you guys mean?


Jorge
