Strange Tracerouting Issue through FWSM


Maybe someone has run into this problem before with not being able to get ICMP type 11 responses back when tracerouting through a FWSM when hitting some MPLS-tagged routers.

Here is the setup:

PC -> 6504 FWSM -> 6504 Routing Table -> 3845 Internet

Tracing route to [4.x.x.x]
over a maximum of 30 hops:

1 <1 ms <1 ms <1 ms 10.16.10.252
2 <1 ms <1 ms <1 ms 172.23.242.2
3 1 ms <1 ms <1 ms 208.x.x.66
4 1 ms 2 ms 2 ms 208.x.x.41
5 <1 ms <1 ms <1 ms 208.x.x.1
6 3 ms 3 ms 3 ms 12.x.x.9
7 * * * Request timed out.
8 * * * Request timed out.
9 * * * Request timed out.
10 17 ms 15 ms 15 ms 12.x.x.17
11 66 ms 15 ms 14 ms 192.x.x.142
12 15 ms 15 ms 20 ms 4.x.x.67
13 15 ms 15 ms 15 ms 4.x.x.2

Trace complete.

Why are the other routers' packets not able to reach back to the PC's trace?

I have "debug icmp trace" running and I see the packets leaving the FWSM with no errors.

Here is a trace straight from the 6504 router with the other routers responding.

Tracing the route to (4.x.x.2)

1 208.x.x.41 0 msec 0 msec 4 msec
2 208.x.x.1 0 msec 0 msec 0 msec
3 12.x.x.9 4 msec 12 msec 36 msec
4 12.x.x.26 16 msec 16 msec 16 msec
5 12.x.x.149 16 msec 16 msec 16 msec
6 12.x.x.157 16 msec 16 msec 16 msec
7 12.x.x.17 16 msec 16 msec 16 msec
8 192.x.x.142 12 msec 16 msec
9 4.x.x.131 20 msec 16 msec
10 4.x.x.2 16 msec 12 msec 16 msec

The only thing I have noticed is that from my 3845 directly, I can see those 3 hops have MPLS labels:

2 12.x.x.26 [AS 7018] [MPLS: Label 3461 Exp 0] 12 msec 24 msec 12 msec
3 12.x.x.149 [AS 7018] [MPLS: Label 16737 Exp 0] 16 msec 16 msec 12 msec
4 12.122.28.157 [AS 7018] [MPLS: Labels 0/16010 Exp 0] 20 msec 16 msec 16 msec

>>

FWSM Firewall Version 4.0(6)

access-list outside extended permit ip any any log
access-list inside extended permit ip any any log
icmp permit any outside
icmp permit any inside
policy-map global_policy
 class inspection_default
  inspect icmp

<<

Can anyone clue me in?

Thanks,

Clint

Kevin Redmon Sun, 08/23/2009 - 06:24

Clint,

You will also need to enable 'inspect icmp errors' as well as enable an access-list entry on the relevant interface for ICMP time-exceeded messages.

After making these changes, please let me know if this resolves your issues.

I had "inspect icmp error" before, but I have added it back for the sake of argument.

access-group outside in interface outside
access-group inside in interface inside
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error

I also added the following for testing.

icmp permit any time-exceeded outside
icmp permit any traceroute outside
icmp permit any time-exceeded inside
icmp permit any traceroute inside

Unfortunately I still have the problem. No change in the traces.

Looks like this is a BUG:

CSCtb03565 Bug Details

FWSM corrupts ICMP time to live exceeded with MPLS TAG

Symptom:
Traceroute not working through FWSM. All hops except the last return failure "*".

Conditions:
FWSM running 4.0.6 or 3.2.12. The outside network is an MPLS cloud that adds MPLS tags to the echo request.

Workaround:
Downgrade FWSM to 3.1.7. Removing "inspect icmp error" does not resolve.
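The bug record above says the FWSM mishandles Time Exceeded messages coming back from MPLS routers but not which part of the message trips it up. For anyone debugging a similar symptom, it helps to see what such a message actually looks like on the wire: an MPLS router can append an RFC 4950 label-stack extension to the ICMP type 11 message using the RFC 4884 framing (a length field in the ICMP header, the quoted original datagram padded to at least 128 octets, then a checksummed extension structure). A stateful inspector has to locate the quoted echo request inside that structure to match it to the outbound probe. The following is an added example written for this thread, not code from Cisco or from anyone in the discussion: it builds a constructed Time Exceeded message (RFC 5737 documentation addresses; the label value 3461 is taken from the poster's 3845 trace) in both the legacy and the extended form, then parses it the way an inspector would. It makes no claim about what the FWSM actually does wrong.

```python
import socket
import struct

ICMP_TIME_EXCEEDED = 11
ICMP_ECHO_REQUEST = 8
MPLS_LABEL_STACK_CLASS = 1   # RFC 4950 class-num for the MPLS label stack object
INCOMING_LABEL_STACK = 1     # RFC 4950 c-type: incoming label stack


def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones-complement checksum; returns 0 when run over a block whose checksum field is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src, dst, proto, payload_len, ttl):
    """Minimal 20-byte IPv4 header with the header checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0,
                      ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]


def build_time_exceeded(router, probe_src, probe_dst, labels=None):
    """Constructed sample: IP + ICMP Time Exceeded quoting an expired echo request.
    With labels, an RFC 4950 MPLS extension is appended using RFC 4884 framing;
    without, the legacy form (length field 0, unpadded quote, no extension) is built."""
    echo = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, 0x0001, 0x0001) + b"abcdefgh"
    echo = echo[:2] + struct.pack("!H", inet_checksum(echo)) + echo[4:]
    original = ipv4_header(probe_src, probe_dst, 1, len(echo), ttl=1) + echo
    ext, length_words = b"", 0
    if labels:
        # RFC 4884: quoted datagram padded to a 32-bit boundary and to at least 128 octets
        original = original.ljust(128, b"\x00")
        length_words = len(original) // 4          # length field is in 32-bit words
        entries = b"".join(struct.pack("!I", (lbl << 12) | (exp << 9) | (bos << 8) | ttl)
                           for lbl, exp, bos, ttl in labels)
        obj = struct.pack("!HBB", 4 + len(entries), MPLS_LABEL_STACK_CLASS,
                          INCOMING_LABEL_STACK) + entries
        ext = struct.pack("!HH", 2 << 12, 0) + obj  # extension header: version 2, checksum 0
        ext = ext[:2] + struct.pack("!H", inet_checksum(ext)) + ext[4:]
    icmp = struct.pack("!BBHBBH", ICMP_TIME_EXCEEDED, 0, 0, 0, length_words, 0) + original + ext
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    return ipv4_header(router, probe_src, 1, len(icmp), ttl=64) + icmp


def parse_time_exceeded(pkt):
    """Return the reporting router, the quoted probe's identity (the fields a stateful
    inspector must match against its echo-request state) and any MPLS labels found."""
    ihl = (pkt[0] & 0x0F) * 4
    icmp = pkt[ihl:]
    itype, _code, _csum, _unused, length_words, _ = struct.unpack("!BBHBBH", icmp[:8])
    if itype != ICMP_TIME_EXCEEDED or inet_checksum(icmp) != 0:
        raise ValueError("not a valid ICMP Time Exceeded message")
    body = icmp[8:]
    # length 0 means a pre-RFC 4884 sender: the whole body is the quoted datagram
    if length_words == 0:
        quoted, ext = body, b""
    else:
        quoted, ext = body[:length_words * 4], body[length_words * 4:]
    q_ihl = (quoted[0] & 0x0F) * 4
    q_type, _, _, ident, seq = struct.unpack("!BBHHH", quoted[q_ihl:q_ihl + 8])
    probe = {"src": socket.inet_ntoa(quoted[12:16]), "dst": socket.inet_ntoa(quoted[16:20]),
             "proto": quoted[9], "type": q_type, "ident": ident, "seq": seq}
    labels = []
    if ext:
        if ext[0] >> 4 != 2 or inet_checksum(ext) != 0:
            raise ValueError("bad ICMP extension header")
        off = 4
        while off + 4 <= len(ext):
            olen, cls, ctype = struct.unpack("!HBB", ext[off:off + 4])
            if olen < 4:
                raise ValueError("bad extension object length")
            if cls == MPLS_LABEL_STACK_CLASS and ctype == INCOMING_LABEL_STACK:
                for i in range(off + 4, off + olen, 4):
                    e = struct.unpack("!I", ext[i:i + 4])[0]
                    labels.append({"label": e >> 12, "exp": (e >> 9) & 7,
                                   "bos": (e >> 8) & 1, "ttl": e & 0xFF})
            off += olen
    return {"router": socket.inet_ntoa(pkt[12:16]), "probe": probe, "labels": labels}


if __name__ == "__main__":
    # constructed addresses (RFC 5737); label 3461 is the value seen in the 3845 trace above
    pkt = build_time_exceeded("198.51.100.9", "192.0.2.10", "203.0.113.2", [(3461, 0, 1, 1)])
    print(parse_time_exceeded(pkt))
```

The parser uses the RFC 4884 length field to find where the quoted datagram ends and the extension begins, and falls back to treating the whole body as the quote when the field is zero. The practical point for the troubleshooting above is that an extended Time Exceeded message is longer than a legacy one, the quoted datagram is zero-padded beyond what the host originally sent, and the extension has its own checksum; an inspector that assumes the legacy layout will still find the quoted echo request, but anything that validates or rewrites the message as a whole has to account for the extra structure.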
