ACE 4710 icmp/routing behavior

Unanswered Question
Sep 9th, 2009


I'm using an ACE4710 as load balancer.

I have 3 Interface




Traffic coming from INTRANET is balanced on interface PROXY if it is HTTP.

Routing table is


When I issue a tracert to i.e

tracert [] [] [] [] [] []

etc ...


It seems that once the ICMP ECHO TTL Exceeded reply passes through the ACE, the ACE, instead of sending the ECHO TTL Exceeded with the IP source, is sending back the source IP of the requested destination in this case. Is that correct?

Gilles Dufour Wed, 09/09/2009 - 05:01

That's a security feature to prevent people from learning the network topology with traceroute.

To make it work, you need to enable icmp inspection.

Create a class-map to match icmp traffic.

Then, under a multi-match policy and the icmp class-map, configure 'inspect icmp error'.


helenio Thu, 09/10/2009 - 06:27

I tried that but it is not working ..


access-list icmp_traffic line 10 extended permit icmp any any

class-map match-any ICMP_traffic
  description ip inspect ICMP
  2 match access-list icmp_traffic

policy-map multi-match L4_SLB_POLICY

    loadbalance vip inservice
    loadbalance policy HTTP_SLB_POLICY
  class ICMP_traffic
    inspect icmp error


and I also did

interface vlan 950
  no normalization
  no icmp-guard
interface vlan 953
  no normalization
  no icmp-guard
interface vlan 954
  no normalization
  no icmp-guard


the ACE seems to always replace the IP header address of the error packet ..
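The symptom described in this thread can be checked from a packet capture rather than from the traceroute output alone. The following is an added example (not from this thread and not Cisco code) that builds constructed ICMP Time Exceeded messages and flags the case where the outer source address equals the destination quoted inside the error, which is what a load balancer masking the hop address looks like on the wire. All addresses are documentation-range placeholders; checksums are left at zero because the packets never hit a NIC.

```python
import ipaddress
import struct

ICMP_TIME_EXCEEDED = 11  # ICMP type 11, code 0 = TTL exceeded in transit

def build_ipv4(src, dst, proto, payload, ttl=64):
    """Minimal IPv4 header (no options, checksum left 0) followed by payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl,
                      proto, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr + payload

def build_time_exceeded(hop_src, probe_src, probe_dst):
    """ICMP Time Exceeded as a hop sends it back to the prober: the ICMP
    payload quotes the expired probe's IP header plus its first 8 bytes."""
    probe = build_ipv4(probe_src, probe_dst, 1, bytes(8), ttl=1)
    icmp = struct.pack("!BBHI", ICMP_TIME_EXCEEDED, 0, 0, 0) + probe[:28]
    return build_ipv4(hop_src, probe_src, 1, icmp)

def parse_time_exceeded(pkt):
    """Return (outer_src, inner_src, inner_dst) from a Time Exceeded packet."""
    ihl = (pkt[0] & 0x0F) * 4
    outer_src = str(ipaddress.IPv4Address(pkt[12:16]))
    icmp = pkt[ihl:]
    if icmp[0] != ICMP_TIME_EXCEEDED:
        raise ValueError("not an ICMP Time Exceeded message")
    inner = icmp[8:]  # quoted IP header of the original probe
    inner_src = str(ipaddress.IPv4Address(inner[12:16]))
    inner_dst = str(ipaddress.IPv4Address(inner[16:20]))
    return outer_src, inner_src, inner_dst

def hop_is_masked(pkt):
    """True when the error's outer source equals the probe destination quoted
    inside it: the real hop address was rewritten to the target (the thread's
    symptom). False when a distinct intermediate hop address survived."""
    outer_src, _, inner_dst = parse_time_exceeded(pkt)
    return outer_src == inner_dst

if __name__ == "__main__":
    # Constructed samples: a genuine hop reply and a masked one.
    genuine = build_time_exceeded("192.0.2.1", "198.51.100.10", "203.0.113.5")
    masked = build_time_exceeded("203.0.113.5", "198.51.100.10", "203.0.113.5")
    print("genuine hop masked:", hop_is_masked(genuine))  # False
    print("rewritten hop masked:", hop_is_masked(masked))  # True
```

Run it against real captures by feeding raw IPv4 bytes of each ICMP reply to hop_is_masked; a run of True results for every TTL is the fingerprint of the behaviour discussed above.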
