traceroutes failing across 3550 switch

Unanswered Question
May 5th, 2009

I have a 3550 switch which is in the egress path towards the Internet at my client site. I have only one VLAN configured with an IP address on the switch, and all traffic goes through this Gateway in and out of the network.

When I run a traceroute from inside the network, I get to the client Gateway (1st Hop), but then never get a 2nd IP entry of 172.16.1.7 in line 2 of my traceroutes.

Is there something on the switch that I may need to configure? IP traffic other than ICMP is fine. The switch will answer back to a ping....

Thx

j98me2 Tue, 05/05/2009 - 07:07

What do you have after the switch, it could be your firewall not responding to the icmp traffic.


I can get to google.com but I can not tracert to google.com or anything else outside my network. My ASA drops the icmp traffic.

pkurdziel Tue, 05/05/2009 - 18:04

"When I run a traceroute from inside the network, I get to the client Gateway (1st Hop), but then never get a 2nd IP entry of 172.16.1.7 in line 2 of my traceroutes."


I am not sure what you mean here.


Do you have a route to 172.16.1.7? Does the other end have a route back to you?

Kevin Melton Thu, 05/07/2009 - 08:48

Here is a sample:

1 <1 ms <1 ms <1 ms bhicore.boarsheadinn.com [192.168.5.1]
2 * * * Request timed out.
3 * * * Request timed out.
4 * * * Request timed out.
5 * * * Request timed out.
6 * * * Request timed out.
7 * * * Request timed out.
8 * * * Request timed out.
9 * * * Request timed out.
10 * * * Request timed out.

The 172.16.1.7 address should be the 2nd line in the traceroute. He is the next IP hop on the way out. The appropriate routes are in place...see below:


C:\Documents and Settings\kevin.BOARSHEADINN.000>ping 172.16.1.7

Pinging 172.16.1.7 with 32 bytes of data:

Reply from 172.16.1.7: bytes=32 time=1ms TTL=255
Reply from 172.16.1.7: bytes=32 time<1ms TTL=255
Reply from 172.16.1.7: bytes=32 time<1ms TTL=255
Reply from 172.16.1.7: bytes=32 time<1ms TTL=255

Ping statistics for 172.16.1.7:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 1ms, Average = 0ms

C:\Documents and Settings\kevin.BOARSHEADINN.000>


Thanks

Kevin Melton Thu, 05/07/2009 - 09:21

They are not the same device. The 192.168.5.1 is the GW on our Core switch. The 172.16.1.7 is another switch and the next hop out on the way to the Internet...

Kevin Melton Thu, 05/07/2009 - 10:01

C:\Documents and Settings\kevin.BOARSHEADINN.000>tracert 172.16.1.7

Tracing route to 172.16.1.7 over a maximum of 30 hops

1 <1 ms <1 ms <1 ms bhicore.boarsheadinn.com [192.168.5.1]
2 1 ms <1 ms <1 ms 172.16.1.7

Trace complete.

C:\Documents and Settings\kevin.BOARSHEADINN.000>

I think I just answered my question.


You have this topology:



L3Switch ---- layer 2 switch ---- Internet gateway


Only the L3 switch and Internet gateway will respond to the traceroute (ICMP is L3), because the other switch is a layer two pathway. Only routers will respond to the traceroute.


I would assume you have ICMP blocked somewhere at your internet gateway.

Kevin Melton Thu, 05/07/2009 - 11:21

ICMP is not blocked anywhere. I can ping all the way out the entire path. It is just traceroute that fails at the 2nd hop, not pings..

Kevin Melton Thu, 05/07/2009 - 11:20

But it is part of the routing path. I sent you a trace route indicating that...

Kevin Melton Thu, 05/07/2009 - 11:19

It is an L3 switch. We have a VLAN 3 configured on it. It has an ip address of 172.16.1.7. All the devices in that network (which is the way in and out towards the Internet) plug into a VLAN 3 port and use 172.16.1.7 as their gateway.

It looks like you are blocking some ICMP. The traceroute you sent only shows one response.

1 <1 ms <1 ms <1 ms bhicore.boarsheadinn.com [192.168.5.1]
2 * * * Request timed out.
3 * * * Request timed out.
4 * * * Request timed out.
5 * * * Request timed out.
6 * * * Request timed out.
7 * * * Request timed out.
8 * * * Request timed out.
9 * * * Request timed out.
10 * * * Request timed out.

Kevin Melton Thu, 05/07/2009 - 12:01

Yes, that trace is from a workstation out to yahoo.com. When I run my traceroute from my workstation to the switch, we get


C:\Documents and Settings\kevin.BOARSHEADINN.000>tracert 172.16.1.7

Tracing route to 172.16.1.7 over a maximum of 30 hops

1 <1 ms <1 ms <1 ms bhicore.boarsheadinn.com [192.168.5.1]
2 1 ms 1 ms <1 ms 172.16.1.7

Trace complete.

C:\Documents and Settings\kevin.BOARSHEADINN.000>tracert 206.248.224.1


Seems it is only when a traceroute past the switch is performed that the switch, and then each subsequent IP hop, go silent...

I think these are what you need to enable ICMP/Traceroute through the network:

access-list acl_out permit icmp any any time-exceeded
access-list acl_out permit icmp any any unreachable
access-list acl_out permit icmp any any echo
access-list acl_out permit icmp any any echo-reply
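The following is an added example, not code from the thread or from Cisco. It is a small model of how tracert discovers hops (one ICMP echo per TTL, expecting an ICMP time-exceeded back from each router and an echo-reply from the destination), with a perimeter device whose ACL decides which ICMP types are let back in. It reproduces both symptoms in the thread: a hop that answers ping and a trace aimed directly at it, yet shows as "* * *" when the trace goes past it, and hops beyond the gateway disappearing when time-exceeded is not permitted while plain pings still succeed. The only addresses taken from the thread are 192.168.5.1 and 172.16.1.7; every other hop name and address is a constructed placeholder, and the `acl_out` lines are parsed from the text quoted above.

```python
"""Model of traceroute hop discovery versus ping (added example, not from the thread)."""
import re
from dataclasses import dataclass

# ACL lines quoted in the thread, plus a constructed stricter variant that
# lets only echo-reply back in (pings work, traces past the perimeter do not).
THREAD_ACL = [
    "access-list acl_out permit icmp any any time-exceeded",
    "access-list acl_out permit icmp any any unreachable",
    "access-list acl_out permit icmp any any echo",
    "access-list acl_out permit icmp any any echo-reply",
]
STRICT_ACL = ["access-list acl_out permit icmp any any echo-reply"]  # constructed


@dataclass
class Hop:
    name: str
    ip: str
    is_l3: bool = True                # False: layer-2 switch, never decrements TTL
    sends_time_exceeded: bool = True  # False: discards TTL-expired probes silently
    is_firewall: bool = False         # True: replies from beyond it must pass the ACL


def parse_acl(lines, acl_name):
    """Collect the ICMP types an 'access-list <name> permit icmp any any <type>'
    rule set allows; anything not listed is implicitly denied."""
    rule = re.compile(r"^access-list\s+(\S+)\s+permit\s+icmp\s+any\s+any\s+(\S+)$")
    permitted = set()
    for line in lines:
        m = rule.match(line.strip())
        if m and m.group(1) == acl_name:
            permitted.add(m.group(2))
    return permitted


def probe(path, dest_ip, ttl, permitted):
    """One ICMP echo probe with the given TTL. Returns (replying_ip, icmp_type),
    or (None, None) when no reply reaches the source. Replies generated at or
    before the firewall are not subject to the ACL; later ones are."""
    fw = next((i for i, h in enumerate(path) if h.is_firewall), None)

    def deliver(i, icmp_type):
        if fw is not None and i > fw and icmp_type not in permitted:
            return None, None                 # reply dropped on the way back in
        return path[i].ip, icmp_type

    for i, hop in enumerate(path):
        if hop.ip == dest_ip:
            return deliver(i, "echo-reply")   # destination answers the echo itself
        if not hop.is_l3:
            continue                          # transparent bridge: no TTL change, no reply
        ttl -= 1
        if ttl == 0:
            if hop.sends_time_exceeded:
                return deliver(i, "time-exceeded")
            return None, None                 # router discards the probe without a message
    return None, None                         # destination not on this path


def traceroute(path, dest_ip, permitted, max_hops=30):
    """tracert style: raise TTL one at a time until an echo-reply arrives.
    Returns [(hop_number, replying_ip or '*'), ...]."""
    rows = []
    for ttl in range(1, max_hops + 1):
        ip, kind = probe(path, dest_ip, ttl, permitted)
        rows.append((ttl, ip if ip else "*"))
        if kind == "echo-reply":
            break
    return rows


def ping(path, dest_ip, permitted):
    """A normal ping: one echo with a full TTL; True if an echo-reply comes back."""
    _, kind = probe(path, dest_ip, 64, permitted)
    return kind == "echo-reply"


def build_path(edge_sends_time_exceeded=True):
    """Constructed path loosely following the thread: core L3 switch, a layer-2
    switch, the edge L3 switch, the Internet gateway, then the outside world."""
    return [
        Hop("bhicore", "192.168.5.1"),                       # first hop seen by the workstation
        Hop("access-sw", "n/a", is_l3=False),                # layer-2 only: never appears
        Hop("edge-3550", "172.16.1.7", sends_time_exceeded=edge_sends_time_exceeded),
        Hop("gateway", "192.0.2.1", is_firewall=True),       # constructed perimeter address
        Hop("isp-router", "203.0.113.1"),                    # constructed
        Hop("target", "198.51.100.10"),                      # constructed
    ]


if __name__ == "__main__":
    acl = parse_acl(THREAD_ACL, "acl_out")
    for edge_ok in (True, False):
        print(f"edge sends time-exceeded={edge_ok}:")
        for ttl, ip in traceroute(build_path(edge_ok), "198.51.100.10", acl):
            print(f"  {ttl:2d}  {ip}")
    strict = parse_acl(STRICT_ACL, "acl_out")
    print("strict ACL: ping ok =", ping(build_path(), "198.51.100.10", strict),
          "trace =", traceroute(build_path(), "198.51.100.10", strict))
```

Running it shows the two distinct failure shapes a defender should tell apart: a hop that never emits time-exceeded leaves a single "*" row in the middle of an otherwise complete trace, whereas an ACL that omits `time-exceeded` blanks every hop beyond the perimeter while `ping` and a trace to the hop itself still succeed. The permit lines quoted above are the minimum set that keeps both ping and traceroute readable through such a filter.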
