Strange Tracerouting Issue through FWSM

csimmons
Level 1

Maybe someone has run into this problem before with not being able to get ICMP type 11 responses back when tracerouting through a FWSM when hitting some MPLS-tagged routers.

Here is the setup:

PC -> 6504 FWSM -> 6504 Routing Table -> 3845 Internet

Tracing route to [4.x.x.x]

over a maximum of 30 hops:

1 <1 ms <1 ms <1 ms 10.16.10.252

2 <1 ms <1 ms <1 ms 172.23.242.2

3 1 ms <1 ms <1 ms 208.x.x.66

4 1 ms 2 ms 2 ms 208.x.x.41

5 <1 ms <1 ms <1 ms 208.x.x.1

6 3 ms 3 ms 3 ms 12.x.x.9

7 * * * Request timed out.

8 * * * Request timed out.

9 * * * Request timed out.

10 17 ms 15 ms 15 ms 12.x.x.17

11 66 ms 15 ms 14 ms 192.x.x.142

12 15 ms 15 ms 20 ms 4.x.x.67

13 15 ms 15 ms 15 ms 4.x.x.2

Trace complete.

Why are the other routers' packets not able to reach back to the PC's trace?

I have "debug icmp trace" running and I see the packets leaving the FWSM with no errors.

Here is a trace straight from the 6504 router with the other routers responding.

Tracing the route to (4.x.x.2)

1 208.x.x.41 0 msec 0 msec 4 msec

2 208.x.x.1 0 msec 0 msec 0 msec

3 12.x.x.9 4 msec 12 msec 36 msec

4 12.x.x.26 16 msec 16 msec 16 msec

5 12.x.x.149 16 msec 16 msec 16 msec

6 12.x.x.157 16 msec 16 msec 16 msec

7 12.x.x.17 16 msec 16 msec 16 msec

8 192.x.x.142 12 msec 16 msec

9 4.x.x.131 20 msec 16 msec

10 4.x.x.2 16 msec 12 msec 16 msec

The only thing I have noticed is from my 3845 directly, I can see those 3 hops have MPLS Labels

2 12.x.x.26 [AS 7018] [MPLS: Label 3461 Exp 0] 12 msec 24 msec 12 msec

3 12.x.x.149 [AS 7018] [MPLS: Label 16737 Exp 0] 16 msec 16 msec 12 msec

4 12.122.28.157 [AS 7018] [MPLS: Labels 0/16010 Exp 0] 20 msec 16 msec 16 msec

>>

FWSM Firewall Version 4.0(6)

access-list outside extended permit ip any any log

access-list inside extended permit ip any any log

icmp permit any outside

icmp permit any inside

policy-map global_policy

class inspection_default

inspect icmp

<<

Can anyone clue me in?

Thanks,

Clint

3 Replies

Kevin Redmon
Cisco Employee

Clint,

You will also need to enable 'inspect icmp errors' as well as enable an access-list entry on the relevant interface for ICMP time-exceeded messages.

After making these changes, please let me know if this resolves your issues.

I had "inspect icmp error" before, but I have added it back for the sake of argument.

access-group outside in interface outside

access-group inside in interface inside

policy-map global_policy

class inspection_default

inspect icmp

inspect icmp error

I also added the following for testing.

icmp permit any time-exceeded outside

icmp permit any traceroute outside

icmp permit any time-exceeded inside

icmp permit any traceroute inside

Unfortunately I still have the problem. No change in the traces.
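Added example (not code from the thread or from Cisco): what "inspect icmp error" has to do to let a traceroute hop's reply through. A router whose TTL count hits zero sends an ICMP Time Exceeded (type 11) whose payload quotes the IP header and first 8 bytes of the expired echo request; a stateful firewall can only admit that error if it parses the quoted datagram and matches it to an echo it saw leave. The script builds the probe and the error offline, performs that correlation, and shows that a quoted datagram the firewall cannot parse is simply dropped, which is what the PC sees as "* * *". All addresses, identifiers and the 4-byte prefix used for the mangled case are constructed values; the mangled case illustrates the general failure mode and is not a description of what CSCtb03565 actually does internally.

```python
import struct
import ipaddress


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a valid header checksum."""
    fields = [0x45, 0, 20 + payload_len, 0x1234, 0, ttl, proto, 0,
              ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed]
    hdr = struct.pack("!BBHHHBBH4s4s", *fields)
    fields[7] = inet_checksum(hdr)
    return struct.pack("!BBHHHBBH4s4s", *fields)


def icmp_message(typ: int, code: int, rest: bytes) -> bytes:
    """ICMP type/code/checksum header followed by `rest`, checksum filled in."""
    msg = struct.pack("!BBH", typ, code, 0) + rest
    return struct.pack("!BBH", typ, code, inet_checksum(msg)) + rest


def build_probe(src: str, dst: str, ttl: int, ident: int, seq: int) -> bytes:
    """Traceroute-style probe: IPv4 + ICMP Echo Request (type 8) with a small TTL."""
    icmp = icmp_message(8, 0, struct.pack("!HH", ident, seq) + b"probe-data")
    return ipv4_header(src, dst, 1, len(icmp), ttl) + icmp


def build_time_exceeded(router: str, probe: bytes) -> bytes:
    """ICMP Time Exceeded (type 11, code 0) as a router emits it when TTL reaches 0:
    4 unused bytes, then the quoted IP header + first 8 bytes of the expired datagram."""
    quoted = probe[:20 + 8]
    icmp = icmp_message(11, 0, b"\x00" * 4 + quoted)
    orig_src = str(ipaddress.IPv4Address(probe[12:16]))
    return ipv4_header(router, orig_src, 1, len(icmp), 64) + icmp


def parse_ipv4(pkt: bytes) -> dict:
    """Parse an IPv4 header; raises ValueError on anything malformed."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        raise ValueError("bad IHL")
    if inet_checksum(pkt[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    return {"ttl": pkt[8], "proto": pkt[9],
            "src": str(ipaddress.IPv4Address(pkt[12:16])),
            "dst": str(ipaddress.IPv4Address(pkt[16:20])),
            "payload": pkt[ihl:]}


def echo_key(pkt: bytes) -> tuple:
    """State-table key a firewall records for an outbound echo: (src, dst, id, seq)."""
    ip = parse_ipv4(pkt)
    if ip["proto"] != 1:
        raise ValueError("not ICMP")
    typ, _code, _csum, ident, seq = struct.unpack("!BBHHH", ip["payload"][:8])
    if typ != 8:
        raise ValueError("not an echo request")
    return (ip["src"], ip["dst"], ident, seq)


def match_icmp_error(error_pkt: bytes, state: set):
    """The correlation ICMP error inspection performs: parse the datagram quoted inside
    a type 3/11/12 error and admit the error only if it matches a recorded outbound
    echo. Returns the matched key, or None meaning the firewall drops the error."""
    try:
        outer = parse_ipv4(error_pkt)
        if outer["proto"] != 1 or outer["payload"][0] not in (3, 11, 12):
            return None
        quoted = outer["payload"][8:]      # skip ICMP type/code/csum + 4 unused bytes
        key = echo_key(quoted)
    except (ValueError, struct.error):
        return None                        # malformed or truncated quote: drop
    return key if key in state else None


def demo() -> dict:
    """Constructed run: one probe, a well-formed Time Exceeded for it, and one whose
    quoted datagram has 4 extra bytes in front (constructed, shim-sized) so the
    firewall cannot recover the original echo and drops the error."""
    pc, target, router = "192.0.2.10", "198.51.100.2", "203.0.113.26"   # constructed
    probe = build_probe(pc, target, ttl=7, ident=0x0100, seq=7)
    state = {echo_key(probe)}              # recorded as the echo left the inside interface
    good = build_time_exceeded(router, probe)
    prefix = b"\x00\xd8\x51\x40"           # constructed 4-byte junk ahead of the quoted header
    mangled = good[:28] + prefix + good[28:]
    return {"good": match_icmp_error(good, state),
            "mangled": match_icmp_error(mangled, state)}
```

Without ICMP error inspection (or with an ACL that blocks time-exceeded on the outside interface), even the well-formed error never gets the chance to be correlated; with it, any error whose quoted datagram does not parse back to a known echo is still dropped, so both configurations and corruption of the quoted header produce the same "* * *" symptom at the PC.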

csimmons
Level 1

Looks like this is a BUG:

CSCtb03565 Bug Details

FWSM corrupts ICMP time to live exceeded with MPLS TAG

Symptom:

Traceroute not working through FWSM. All hops except last return failure "*".

Conditions:

FWSM running 4.0.6 or 3.2.12. The outside network is an mpls cloud that adds mpls tags to the echo request.

Workaround:

Downgrade FWSM to 3.1.7. Removing "inspect icmp error" does not resolve.
