ACE 4710 icmp/routing behavior

helenio
Level 1

Hello,

I'm using an ACE 4710 as load balancer.

I have 3 interfaces:

INTERNET 10.47.100.249 255.255.255.0
INTRANET 10.47.99.240 255.255.255.0
PROXY 10.47.98.240 255.255.255.0

Traffic coming from INTRANET is balanced on interface PROXY if it is HTTP.

Routing table is:

0.0.0.0 10.47.100.190
10.44.0.0/14 10.47.99.254
!

When I issue a tracert to e.g. www.cisco.com:

tracert www.cisco.com
www.cisco.com [198.133.219.25]
my.router.com [10.47.2.234]
www.cisco.com [198.133.219.25]
www.cisco.com [198.133.219.25]
www.cisco.com [198.133.219.25]
www.cisco.com [198.133.219.25]
etc ...

It seems that once the ICMP TTL Exceeded reply passes through the ACE, the ACE, instead of sending the TTL Exceeded with its own IP as the source, is sending back the source IP of the requested destination, in this case www.cisco.com. Is that correct?

2 Replies

Gilles Dufour
Cisco Employee

That's a security feature to prevent people from learning the network topology with traceroute.

To make it work, you need to enable ICMP inspection.

Create a class-map to match ICMP traffic.

Then, under a multi-match policy and the ICMP class-map, configure 'inspect icmp error'.

Gilles.

I tried that but it is not working ..

!
access-list icmp_traffic line 10 extended permit icmp any any
!
class-map match-any ICMP_traffic
  description ip inspect ICMP
  2 match access-list icmp_traffic
!
policy-map multi-match L4_SLB_POLICY
  class L4_WEB_TRAFFIC
    loadbalance vip inservice
    loadbalance policy HTTP_SLB_POLICY
  class ICMP_traffic
    inspect icmp error
!

and I also did

interface vlan 950
  no normalization
  no icmp-guard
interface vlan 953
  no normalization
  no icmp-guard
interface vlan 954
  no normalization
  no icmp-guard
!

The ACE seems to always replace the IP header address of the error packet ..
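The steps Gilles lists (an ICMP class-map, 'inspect icmp error' under that class in a multi-match policy-map, and the policy-map bound to the interfaces) are easy to get partially right. The following is an added example, not code from the thread or from Cisco: a small checker that parses an ACE configuration snippet and reports which of those pieces is missing. The sample configuration is constructed from what was posted above; the 'service-policy input' lines in the "fixed" variant are an assumption about what a complete configuration would contain (that is real ACE syntax, but the thread does not show whether the poster's config has it).

```python
import re
from collections import defaultdict

# Constructed from the configuration posted in the thread. Note that the
# interfaces as posted show no service-policy binding.
POSTED_CONFIG = """\
access-list icmp_traffic line 10 extended permit icmp any any
!
class-map match-any ICMP_traffic
  description ip inspect ICMP
  2 match access-list icmp_traffic
!
policy-map multi-match L4_SLB_POLICY
  class L4_WEB_TRAFFIC
    loadbalance vip inservice
    loadbalance policy HTTP_SLB_POLICY
  class ICMP_traffic
    inspect icmp error
!
interface vlan 950
  no normalization
  no icmp-guard
interface vlan 953
  no normalization
  no icmp-guard
interface vlan 954
  no normalization
  no icmp-guard
!
"""

# Assumed complete variant: the same objects plus the policy-map applied to
# every interface with 'service-policy input' (an assumption, see lead-in).
FIXED_CONFIG = POSTED_CONFIG.replace(
    "  no icmp-guard\n", "  no icmp-guard\n  service-policy input L4_SLB_POLICY\n")


def parse_ace_config(text):
    """Parse the ACE objects we care about into dictionaries keyed by name.

    Sections open with access-list / class-map / policy-map / interface lines
    and close on '!' or the next header. Indentation is ignored so configs
    pasted without leading spaces (as in forum posts) still parse.
    """
    cfg = {
        "access_lists": defaultdict(list),                    # name -> permitted protocols
        "class_maps": defaultdict(list),                      # name -> match/description lines
        "policy_maps": defaultdict(lambda: defaultdict(list)),  # name -> {class: actions}
        "policy_types": {},                                   # name -> e.g. 'multi-match'
        "interfaces": defaultdict(list),                      # 'vlan 950' -> config lines
        "global_policies": set(),                             # top-level service-policy input
    }
    section = None    # (table, name) currently open, None at top level
    cur_class = None  # class open inside a policy-map
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("!"):
            section, cur_class = None, None
            continue
        tokens = line.split()
        m = re.match(r"access-list (\S+) (?:line \d+ )?extended (permit|deny) (\S+)", line)
        if m:
            if m.group(2) == "permit":
                cfg["access_lists"][m.group(1)].append(m.group(3))
            section = None
            continue
        if tokens[0] in ("class-map", "policy-map"):
            table = "class_maps" if tokens[0] == "class-map" else "policy_maps"
            name = tokens[-1]
            section, cur_class = (table, name), None
            cfg[table].setdefault(name, defaultdict(list) if table == "policy_maps" else [])
            if table == "policy_maps":
                cfg["policy_types"][name] = " ".join(tokens[1:-1])
            continue
        if tokens[0] == "interface":
            name = " ".join(tokens[1:])
            section, cur_class = ("interfaces", name), None
            cfg["interfaces"].setdefault(name, [])
            continue
        if section is None:
            m = re.match(r"service-policy input (\S+)", line)
            if m:
                cfg["global_policies"].add(m.group(1))
            continue
        table, name = section
        if table == "policy_maps":
            if tokens[0] == "class" and len(tokens) == 2:
                cur_class = tokens[1]
                cfg["policy_maps"][name].setdefault(cur_class, [])
            elif cur_class is not None:
                cfg["policy_maps"][name][cur_class].append(line)
        else:
            cfg[table][name].append(line)
    return cfg


def check_icmp_inspection(cfg):
    """Return a list of findings; an empty list means ICMP error inspection is fully wired up."""
    findings = []
    icmp_classes = set()
    for name, lines in cfg["class_maps"].items():
        for line in lines:
            m = re.match(r"(?:\d+ )?match access-list (\S+)", line)
            if m and "icmp" in cfg["access_lists"].get(m.group(1), []):
                icmp_classes.add(name)
            elif re.match(r"(?:\d+ )?match ", line) and "icmp" in line:
                icmp_classes.add(name)
    if not icmp_classes:
        return ["no class-map matches ICMP traffic"]
    inspecting = set()
    for pname, classes in cfg["policy_maps"].items():
        for cname, actions in classes.items():
            if cname in icmp_classes and any(a.startswith("inspect icmp") for a in actions):
                if cfg["policy_types"].get(pname) == "multi-match":
                    inspecting.add(pname)
                else:
                    findings.append(f"policy-map {pname} inspects ICMP but is not multi-match")
    if not inspecting:
        findings.append("no multi-match policy-map applies 'inspect icmp error' to an ICMP class")
        return findings
    for iname, lines in cfg["interfaces"].items():
        bound = set(cfg["global_policies"])
        for l in lines:
            m = re.match(r"service-policy input (\S+)", l)
            if m:
                bound.add(m.group(1))
        if not bound & inspecting:
            findings.append(f"interface {iname} is not bound to an ICMP-inspecting policy-map "
                            "(no 'service-policy input')")
    return findings


if __name__ == "__main__":
    for label, text in (("posted", POSTED_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, check_icmp_inspection(parse_ace_config(text)) or "OK")
```

Run on the posted snippet the checker confirms the class-map and the 'inspect icmp error' action are present and only reports that none of the three VLAN interfaces shows a binding to L4_SLB_POLICY; on the variant with the binding added it reports nothing. A top-level 'service-policy input' is treated as applying to every interface.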