PING works, TRACE doesn't...

Answered Question
Mar 21st, 2011

Hi,

Can someone please shed some light onto what appears to be unexpected behaviour?

I am able to ping an ip address using a particular VLAN interface as the source and get a response, see below:

Core_Switch_6509#ping
Protocol [ip]:
Target IP address: 10.50.x.y
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 10.225.a.b
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.50.x.y, timeout is 2 seconds:
Packet sent with a source address of 10.225.a.b
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/16/16 ms

However when I try a traceroute to the same ip address using the same VLAN interface as source, it fails - again see below:


Core_Switch_6509#trace
Protocol [ip]:
Target IP address: 10.50.x.y
Source address: 10.225.a.b
Numeric display [n]:
Timeout in seconds [3]:
Probe count [3]:
Minimum Time to Live [1]:
Maximum Time to Live [30]:
Port Number [33434]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Type escape sequence to abort.
Tracing the route to 10.50.x.y

  1  *  *  *
  2  *  *  *
  3  *  *  *
  4  *  *  *
  5  *  *  *

etc etc (no responses whatsoever)...

 25  *  *  *
 26  *  *  *
 27  *  *  *
 28  *  *  *
 29  *  *  *
 30  *  *  *

Setting the source to another VLAN interface - policy routed differently - succeeds on both ping and trace which is what I was expecting to see on the above VLAN source - that is, either BOTH succeed or BOTH fail (I actually expected both to fail since I'm told that there's a firewall in between set to deny ICMP).

So my question is - if ICMP works for ping why doesn't it work for traceroute?  Or is some intermediate device responding to the ping packet and leading me astray.... And if so, is there a method of discovering what that device might be without debugging what is a core live device?

Can someone please explain?!  Many thanks.

Correct Answer by Edison Ortiz about 3 years 3 weeks ago

Traceroute from a Cisco device uses UDP, not ICMP. Verify the FW allows UDP from the source/destination VLAN you are trying to reach.

http://www.cisco.com/en/US/products/sw/iosswrel/ps1831/products_tech_note09186a00800a6057.shtml

Regards,

Edison

SimonK987654321 Mon, 03/21/2011 - 07:39

Thanks Edison, that makes perfect sense!  I'll have a word with the FW guys.

Thanks once again!

Simon
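
Added example (not part of the original thread, and not Cisco's code): a small stateless packet-filter model showing why a policy that passes ICMP echo lets ping succeed while every traceroute probe is dropped, and which flows a traceroute with the prompts shown above (port 33434, 3 probes, max TTL 30) needs. The addresses, rule lists and function names are constructed for illustration; the destination port incrementing by one per probe is an assumption about the traceroute implementation.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Pkt:
    proto: str                      # "icmp" or "udp"
    src: str
    dst: str
    icmp: Optional[tuple] = None    # (type, code) for ICMP packets
    dport: Optional[int] = None     # destination port for UDP packets

# Constructed addresses standing in for the masked ones in the thread.
SRC, DST, HOP = "10.225.0.1", "10.50.0.1", "10.1.1.1"

def ping_flow():
    """Echo request (8,0) out, echo reply (0,0) back."""
    return [Pkt("icmp", SRC, DST, icmp=(8, 0)), Pkt("icmp", DST, SRC, icmp=(0, 0))]

def trace_flow(max_ttl=30, probes=3, base_port=33434):
    """UDP probes out; time-exceeded (11,0) from hops, port-unreachable (3,3) from target."""
    out = [Pkt("udp", SRC, DST, dport=base_port + i) for i in range(max_ttl * probes)]
    back = [Pkt("icmp", HOP, SRC, icmp=(11, 0)), Pkt("icmp", DST, SRC, icmp=(3, 3))]
    return out + back

def permitted(rules, pkt):
    """First-match rule list with an implicit deny at the end."""
    for action, proto, match in rules:
        if proto == pkt.proto and match(pkt):
            return action == "permit"
    return False

def blocked(rules, flow):
    """Packets of a flow that the rule list would drop."""
    return [p for p in flow if not permitted(rules, p)]

# Hypothetical policy 1: only ICMP echo / echo-reply allowed.
ECHO_ONLY = [("permit", "icmp", lambda p: p.icmp in {(8, 0), (0, 0)})]
# Hypothetical policy 2: also allow the UDP probe range and the ICMP errors it triggers.
WITH_TRACE = ECHO_ONLY + [
    ("permit", "udp", lambda p: 33434 <= p.dport <= 33523),
    ("permit", "icmp", lambda p: p.icmp in {(11, 0), (3, 3)}),
]

if __name__ == "__main__":
    for name, rules in (("echo-only", ECHO_ONLY), ("with-trace", WITH_TRACE)):
        print(name, "ping blocked:", len(blocked(rules, ping_flow())),
              "trace blocked:", len(blocked(rules, trace_flow())))
```

Under the echo-only policy the model drops all 90 UDP probes and both ICMP error types, which is the all-asterisks output in the question; the second policy is the narrowest set in this model that lets the trace complete.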

Posted March 21, 2011 at 7:04 AM