08-19-2009 02:16 PM - edited 03-09-2019 10:31 PM
Maybe someone has run into this problem before with not being able to get ICMP type 11 responses back when tracerouting through an FWSM when hitting some MPLS-tagged routers.
Here is the setup:
PC -> 6504 FWSM -> 6504 Routing Table -> 3845 Internet
Tracing route to [4.x.x.x]
over a maximum of 30 hops:
1 <1 ms <1 ms <1 ms 10.16.10.252
2 <1 ms <1 ms <1 ms 172.23.242.2
3 1 ms <1 ms <1 ms 208.x.x.66
4 1 ms 2 ms 2 ms 208.x.x.41
5 <1 ms <1 ms <1 ms 208.x.x.1
6 3 ms 3 ms 3 ms 12.x.x.9
7 * * * Request timed out.
8 * * * Request timed out.
9 * * * Request timed out.
10 17 ms 15 ms 15 ms 12.x.x.17
11 66 ms 15 ms 14 ms 192.x.x.142
12 15 ms 15 ms 20 ms 4.x.x.67
13 15 ms 15 ms 15 ms 4.x.x.2
Trace complete.
Why are the other routers' packets not able to reach back to the PC's trace?
I have "debug icmp trace" running and I see the packets leaving the FWSM with no errors.
Here is a trace straight from the 6504 router with the other routers responding.
Tracing the route to (4.x.x.2)
1 208.x.x.41 0 msec 0 msec 4 msec
2 208.x.x.1 0 msec 0 msec 0 msec
3 12.x.x.9 4 msec 12 msec 36 msec
4 12.x.x.26 16 msec 16 msec 16 msec
5 12.x.x.149 16 msec 16 msec 16 msec
6 12.x.x.157 16 msec 16 msec 16 msec
7 12.x.x.17 16 msec 16 msec 16 msec
8 192.x.x.142 12 msec 16 msec
9 4.x.x.131 20 msec 16 msec
10 4.x.x.2 16 msec 12 msec 16 msec
The only thing I have noticed is that from my 3845 directly, I can see those 3 hops have MPLS labels:
2 12.x.x.26 [AS 7018] [MPLS: Label 3461 Exp 0] 12 msec 24 msec 12 msec
3 12.x.x.149 [AS 7018] [MPLS: Label 16737 Exp 0] 16 msec 16 msec 12 msec
4 12.122.28.157 [AS 7018] [MPLS: Labels 0/16010 Exp 0] 20 msec 16 msec 16 msec
>>
FWSM Firewall Version 4.0(6)
access-list outside extended permit ip any any log
access-list inside extended permit ip any any log
icmp permit any outside
icmp permit any inside
policy-map global_policy
class inspection_default
inspect icmp
<<
Can anyone clue me in?
Thanks,
Clint
08-23-2009 06:24 AM
Clint,
You will also need to enable 'inspect icmp errors' as well as enable an access-list entry on the relevant interface for ICMP time-exceeded messages.
After making these changes, please let me know if this resolves your issues.
08-24-2009 07:36 AM
I had "inspect icmp error" before, but I have added it back for the sake of argument.
access-group outside in interface outside
access-group inside in interface inside
policy-map global_policy
class inspection_default
inspect icmp
inspect icmp error
I also added the following for testing.
icmp permit any time-exceeded outside
icmp permit any traceroute outside
icmp permit any time-exceeded inside
icmp permit any traceroute inside
Unfortunately I still have the problem. No change in the traces.
09-14-2009 10:55 AM
Looks like this is a BUG:
CSCtb03565 Bug Details
FWSM corrupts ICMP time to live exceeded with MPLS TAG
Symptom:
Traceroute not working through FWSM. All hops except the last return failure "*".
Conditions:
FWSM running 4.0.6 or 3.2.12. The outside network is an MPLS cloud that adds MPLS tags to the echo request.
Workaround:
Downgrade FWSM to 3.1.7. Removing "inspect icmp error" does not resolve.
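An added way to pin down the symptom described in this thread (this is not code from the poster or from Cisco): parse the PC-side tracert and the router-side traceroute, list the hops that answered the router but never reached the PC through the FWSM, and note which of those carried MPLS labels. The sample traces are constructed from the masked output in the original post; the function names are my own.

```python
import re

# Constructed samples modelled on the two traces in this thread (addresses masked as in the
# post). Added diagnostic only; not the original poster's code and nothing from the FWSM.
PC_TRACERT = """\
  6     3 ms     3 ms     3 ms  12.x.x.9
  7     *        *        *     Request timed out.
  8     *        *        *     Request timed out.
  9     *        *        *     Request timed out.
 10    17 ms    15 ms    15 ms  12.x.x.17
"""
ROUTER_TRACE = """\
  3 12.x.x.9 4 msec 12 msec 36 msec
  4 12.x.x.26 [AS 7018] [MPLS: Label 3461 Exp 0] 12 msec 24 msec 12 msec
  5 12.x.x.149 [AS 7018] [MPLS: Label 16737 Exp 0] 16 msec 16 msec 12 msec
  6 12.x.x.157 [AS 7018] [MPLS: Labels 0/16010 Exp 0] 20 msec 16 msec 16 msec
  7 12.x.x.17 16 msec 16 msec 16 msec
"""

def parse_tracert(text):
    """Windows tracert output -> {hop: responder address, or None when no time-exceeded came back}."""
    hops = {}
    for line in text.splitlines():
        m = re.match(r"\s*(\d+)\s+(.*\S)", line)
        if m:
            hops[int(m.group(1))] = None if "Request timed out" in m.group(2) else m.group(2).split()[-1]
    return hops

def parse_ios_trace(text):
    """IOS traceroute output -> [(responder address, [MPLS labels shown for that hop])]."""
    out = []
    for line in text.splitlines():
        m = re.match(r"\s*\d+\s+(\S+)(.*)", line)
        if m:
            out.append((m.group(1), re.findall(r"\[MPLS: Labels? ([\d/]+)", m.group(2))))
    return out

def silent_hops(pc_text, router_text):
    """Hops that answered the router's trace but never reached the PC through the FWSM."""
    answered = {a for a in parse_tracert(pc_text).values() if a}
    return [(addr, labels) for addr, labels in parse_ios_trace(router_text) if addr not in answered]

def matches_mpls_signature(pc_text, router_text):
    """True when the PC's timeouts are exactly the router hops that carried an MPLS label."""
    lost = silent_hops(pc_text, router_text)
    timeouts = sum(1 for a in parse_tracert(pc_text).values() if a is None)
    return bool(lost) and timeouts == len(lost) and all(labels for _, labels in lost)

if __name__ == "__main__":
    for addr, labels in silent_hops(PC_TRACERT, ROUTER_TRACE):
        print(f"{addr}: lost through FWSM, MPLS labels {labels or 'none'}")
    print("MPLS-labelled hops are the only ones lost:", matches_mpls_signature(PC_TRACERT, ROUTER_TRACE))
```

Run it against your own two captures (PC tracert and the 6504's traceroute to the same target); if every lost hop is one the router saw with an MPLS label, the trace matches the bug's description rather than an access-list or inspection gap.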