Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
4104
Views
0
Helpful
7
Replies

ACE - Traceroute showing same IP for each hop

manglen32
Level 1
Level 1

‎03-12-2009 10:59 PM

I'm having problems with traceroute on my servers sitting behind our ACE module. The module is in routed mode and is performing all NAT to the Internet.

When I try to traceroute to any external IP, each hops answer has the same IP address (final destination IP).

Servers not behind the ACE do not have this problem.

I've turned ICMP-Guard off and opened ICMP up on every interface with an permit icmp any any ACL.

Any help would be appreciated.

1 person had this problem
Labels:
0 Helpful
7 Replies 7

Roble Mumin
Level 3
Level 3

‎03-17-2009 12:27 AM

Hi,

you need to configure ICMP inspection to fix this behavior. I will have a look at my config and paste an example once i am back in the office. But yes you can get rid of it. :)

Roble

0 Helpful

Roble Mumin
Level 3
Level 3
In response to Roble Mumin

‎03-17-2009 04:55 AM

You have to configure...

!-ACL defining ICMP-

access-list ICMP line 10 extended permit icmp any any

!-Class Map referencing ACL-

class-map match-all ICMP-INSPECT-L4CLASS

description ICMP fixup - L4 Class

2 match access-list ICMP

!-LB Policy which is applied on your client side vlan.

!-Add the class statement and switch on imcp inspection

policy-map multi-match L4-SLB-POLICY

class ICMP-INSPECT-L4CLASS

inspect icmp error

!-Client Side VLAN-

!-Apply the service police otherwise use your existing policy-

interface vlan 3104

service-policy input L4-SLB-POLICY

Hope it helps

Roble

0 Helpful

thedinuka
Level 1
Level 1
In response to Roble Mumin

‎07-10-2009 08:03 AM

Hmmm, funny thing. I had the same problem. Looked every where to find a solution, and then came here before opening a TAC. Going to try out the solution given above in a couple of days after the weekend. AW, thanks a lot for sharing the experience.

Any idea why the ACE modify the source ip of the "TTL expired in transit" packets when traversing through it ????

0 Helpful

thedinuka
Level 1
Level 1
In response to thedinuka

‎07-12-2009 08:06 PM

has anyone else had this problem ? I would like to find out the reason behind this

0 Helpful

thedinuka
Level 1
Level 1
In response to thedinuka

‎07-13-2009 09:49 PM

I tried this solution but it didn't work. Then i issued a "show access-list ICMP"

and the ACE says that the status of the ICMP access-list is "not active"

Attached is my config. Can some one help me debug this pls

Din

Preview file
5 KB
0 Helpful

tporembski
Level 1
Level 1
In response to Roble Mumin

‎03-13-2013 07:04 AM

I know you first dealt with this years ago but I have just experienced it for the first time with an ACE30 running 5.2.1 code.  Your solution fixed the issue but I am curious if you ever discovered why it is happening.  I am working with Cisco currently but they have failed to provide a reasonable explanantion as to why this happens with the ACE module.

Thanks

Tony

0 Helpful

Jorge Bejarano
Level 4
Level 4

‎03-14-2013 09:49 PM

Hi All,

Could you provide an output showing exactly you guys mean?

Jorge

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents