traceroutes failing across 3550 switch

Unanswered Question
May 5th, 2009

I have a 3550 switch which is in the egress path towards the Internet at my client site. I have only one VLAN configured with an IP address on the switch, and all traffic goes through this Gateway in and out of the network.

When I run a traceroute from inside the network, I get to the client Gateway (1st Hop), but then never get a 2nd IP entry of 172.16.1.7 in line 2 of my traceroutes.

Is there something on the switch that I may need to configure? IP traffic other than ICMP is fine. The switch will answer back to a ping....

Thx

j98me2 Tue, 05/05/2009 - 07:07

What do you have after the switch? It could be your firewall not responding to the ICMP traffic.

I can get to google.com but I cannot tracert to google.com or anything else outside my network. My ASA drops the ICMP traffic.

pkurdziel Tue, 05/05/2009 - 18:04

"When I run a traceroute from inside the network, I get to the client Gateway (1st Hop), but then never get a 2nd IP entry of 172.16.1.7 in line 2 of my traceroutes. "

I am not sure what you mean here.

Do you have a route to 172.16.1.7? Does the other end have a route back to you?

Kevin Melton Thu, 05/07/2009 - 08:48

Here is a sample:

1 <1 ms <1 ms <1 ms bhicore.boarsheadinn.com [192.168.5.1]
2 * * * Request timed out.
3 * * * Request timed out.
4 * * * Request timed out.
5 * * * Request timed out.
6 * * * Request timed out.
7 * * * Request timed out.
8 * * * Request timed out.
9 * * * Request timed out.
10 * * * Request timed out.

The 172.16.1.7 address should be the 2nd line in the traceroute. He is the next IP hop on the way out. The appropriate routes are in place...see below:

C:\Documents and Settings\kevin.BOARSHEADINN.000>ping 172.16.1.7

Pinging 172.16.1.7 with 32 bytes of data:

Reply from 172.16.1.7: bytes=32 time=1ms TTL=255
Reply from 172.16.1.7: bytes=32 time<1ms TTL=255
Reply from 172.16.1.7: bytes=32 time<1ms TTL=255
Reply from 172.16.1.7: bytes=32 time<1ms TTL=255

Ping statistics for 172.16.1.7:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 1ms, Average = 0ms

C:\Documents and Settings\kevin.BOARSHEADINN.000>

Thanks

Kevin Melton Thu, 05/07/2009 - 09:21

They are not the same device. The 192.168.5.1 is the GW on our Core switch. The 172.16.1.7 is another switch and the next hop out on the way to the Internet...

Kevin Melton Thu, 05/07/2009 - 10:01

C:\Documents and Settings\kevin.BOARSHEADINN.000>tracert 172.16.1.7

Tracing route to 172.16.1.7 over a maximum of 30 hops

1 <1 ms <1 ms <1 ms bhicore.boarsheadinn.com [192.168.5.1]
2 1 ms <1 ms <1 ms 172.16.1.7

Trace complete.

C:\Documents and Settings\kevin.BOARSHEADINN.000>

I think I just answered my question.

You have this topology:

L3Switch ---- layer 2 switch ---- Internet gateway

Only the L3switch and Internet gateway will respond to the traceroute (ICMP is L3), because the other switch is a layer two pathway. Only routers will respond to the traceroute.

I would assume you have ICMP blocked somewhere at your internet gateway.

Kevin Melton Thu, 05/07/2009 - 11:21

ICMP is not blocked anywhere. I can ping all the way out the entire path. It is just traceroute that fails at the 2nd hop, not pings..

Kevin Melton Thu, 05/07/2009 - 11:20

But it is part of the routing path. I sent you a trace route indicating that...

Kevin Melton Thu, 05/07/2009 - 11:19

It is an L3 switch. We have a VLAN 3 configured on it. It has an ip address of 172.16.1.7. All the devices in that network (which is the way in and out towards the Internet) plug into a VLAN 3 port and use 172.16.1.7 as their gateway.

It looks like you are blocking some ICMP. The traceroute you sent only shows one response.

1 <1 ms <1 ms <1 ms bhicore.boarsheadinn.com [192.168.5.1]
2 * * * Request timed out.
3 * * * Request timed out.
4 * * * Request timed out.
5 * * * Request timed out.
6 * * * Request timed out.
7 * * * Request timed out.
8 * * * Request timed out.
9 * * * Request timed out.
10 * * * Request timed out.

Kevin Melton Thu, 05/07/2009 - 12:01

Yes, that trace is from a workstation out to yahoo.com. When I run my traceroute from my workstation to the switch, we get

C:\Documents and Settings\kevin.BOARSHEADINN.000>tracert 172.16.1.7

Tracing route to 172.16.1.7 over a maximum of 30 hops

1 <1 ms <1 ms <1 ms bhicore.boarsheadinn.com [192.168.5.1]
2 1 ms 1 ms <1 ms 172.16.1.7

Trace complete.

C:\Documents and Settings\kevin.BOARSHEADINN.000>tracert 206.248.224.1

It seems it is only when a traceroute past the switch is performed that the switch and then each subsequent IP hop go silent...
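
An added example, not part of any post in this thread: a small Python model of how ping can succeed along the whole path while Windows tracert times out beyond one hop. tracert sends ICMP echo requests with increasing TTL, so transit hops must answer with ICMP Time Exceeded (type 11) and only the destination answers with Echo Reply (type 0). The filtering placed on 172.16.1.7 and the 203.0.113.1 hop are assumptions made for illustration, not findings from the thread.

```python
from dataclasses import dataclass, field

ECHO_REPLY, TIME_EXCEEDED = 0, 11  # ICMP types (RFC 792)

@dataclass
class Hop:
    ip: str
    emits_time_exceeded: bool = True  # answers probes whose TTL expires here
    drops_return_types: set = field(default_factory=set)  # ICMP types filtered toward the client

# Constructed path: 192.168.5.1, 172.16.1.7 and 206.248.224.1 appear in the thread;
# 203.0.113.1 is a placeholder and the filtering on 172.16.1.7 is an assumption.
PATH = [
    Hop("192.168.5.1"),
    Hop("172.16.1.7", emits_time_exceeded=False, drops_return_types={TIME_EXCEEDED}),
    Hop("203.0.113.1"),
    Hop("206.248.224.1"),
]

def probe(path, dst, ttl):
    """Send one ICMP echo request with this TTL; return (responder, icmp_type) or None."""
    for i, hop in enumerate(path):
        ttl -= 1
        if hop.ip == dst:
            reply = (hop.ip, ECHO_REPLY)      # the destination answers the echo itself
        elif ttl == 0:
            if not hop.emits_time_exceeded:
                return None                   # TTL expired here, hop stays silent
            reply = (hop.ip, TIME_EXCEEDED)
        else:
            continue                          # forwarded with TTL decremented
        # The reply crosses every earlier hop on its way back to the client.
        if any(reply[1] in h.drops_return_types for h in path[:i]):
            return None
        return reply
    return None  # destination is not on this path

def ping(path, dst):
    return probe(path, dst, ttl=128) is not None

def tracert(path, dst, max_hops=30):
    """One entry per TTL: the responder's IP, or '*' for 'Request timed out.'"""
    rows = []
    for ttl in range(1, max_hops + 1):
        reply = probe(path, dst, ttl)
        rows.append(reply[0] if reply else "*")
        if reply and reply[1] == ECHO_REPLY:
            break
    return rows
```

In this model a trace to 172.16.1.7 completes because that device is the destination and replies with type 0, while a trace through it shows `*` for every transit hop behind the filter.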
