PING works, TRACE doesn't...

Mar 21st, 2011
Can someone please shed some light onto what appears to be unexpected behaviour?

I am able to ping an IP address using a particular VLAN interface as the source and get a response, see below:

Protocol [ip]:
Target IP address: 10.50.x.y
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 10.225.a.b
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.50.x.y, timeout is 2 seconds:
Packet sent with a source address of 10.225.a.b
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/16/16 ms

However, when I try a traceroute to the same IP address using the same VLAN interface as source, it fails - again see below:

Protocol [ip]:
Target IP address: 10.50.x.y
Source address: 10.225.a.b
Numeric display [n]:
Timeout in seconds [3]:
Probe count [3]:
Minimum Time to Live [1]:
Maximum Time to Live [30]:
Port Number [33434]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Type escape sequence to abort.
Tracing the route to 10.50.x.y

  1  *  *  *
  2  *  *  *
  3  *  *  *
  4  *  *  *
  5  *  *  *

etc etc (no responses whatsoever)...

 25  *  *  *
 26  *  *  *
 27  *  *  *
 28  *  *  *
 29  *  *  *
 30  *  *  *

Setting the source to another VLAN interface - policy routed differently - succeeds on both ping and trace, which is what I was expecting to see on the above VLAN source - that is, either BOTH succeed or BOTH fail (I actually expected both to fail since I'm told that there's a firewall in between set to deny ICMP).

So my question is - if ICMP works for ping why doesn't it work for traceroute?  Or is some intermediate device responding to the ping packet and leading me astray.... And if so, is there a method of discovering what that device might be without debugging what is a core live device?

Can someone please explain?!  Many thanks.

Traceroute from a Cisco device uses UDP, not ICMP. Verify the FW allows UDP from the source/destination VLAN you are trying to reach.
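
Why the two tests can disagree, as an added example that is not part of the original thread: a Python model of a stateless, permit-only filter with implicit deny, checked against ping's ICMP echo and the UDP probes of a traceroute run with the defaults shown above (30 hops, 3 probes, port 33434). Both policies are constructed, and the destination port rising by one per probe is an assumption.

```python
from collections import namedtuple

ICMP, UDP = 1, 17  # IP protocol numbers

# dport: UDP destination port; icmp_type: 8 echo, 0 echo-reply,
# 11 time-exceeded, 3 destination unreachable (port-unreachable is code 3)
Packet = namedtuple("Packet", "proto dport icmp_type", defaults=(0, -1))

def traceroute_probes(max_ttl=30, probes=3, base_port=33434):
    """Yield (ttl, packet) per probe, using the defaults from the prompts above.
    Assumption: the destination port rises by one per probe."""
    port = base_port
    for ttl in range(1, max_ttl + 1):
        for _ in range(probes):
            yield ttl, Packet(UDP, dport=port)
            port += 1

def permits(rules, pkt):
    """Permit-only rule list with an implicit deny at the end."""
    return any(proto == pkt.proto and match(pkt) for proto, match in rules)

# Constructed policy A: only ICMP echo and echo-reply are permitted.
PING_ONLY = [(ICMP, lambda p: p.icmp_type in (8, 0))]

# Constructed policy B: adds both directions a UDP traceroute depends on.
TRACE_OK = PING_ONLY + [
    (UDP, lambda p: 33434 <= p.dport <= 33523),  # 30 hops x 3 probes = 90 ports
    (ICMP, lambda p: p.icmp_type in (11, 3)),    # replies from hops and target
]

def ping_works(rules):
    return all(permits(rules, Packet(ICMP, icmp_type=t)) for t in (8, 0))

def blocked_legs(rules):
    """List the traceroute legs the policy drops; empty means the trace completes."""
    blocked = []
    denied = [p.dport for _, p in traceroute_probes() if not permits(rules, p)]
    if denied:
        blocked.append(f"outbound UDP {denied[0]}-{denied[-1]}")
    for icmp_type, name in ((11, "time-exceeded"), (3, "port-unreachable")):
        if not permits(rules, Packet(ICMP, icmp_type=icmp_type)):
            blocked.append(f"return ICMP {name} (type {icmp_type})")
    return blocked

if __name__ == "__main__":
    for label, rules in (("ping-only", PING_ONLY), ("trace-ok", TRACE_OK)):
        print(label, "| ping:", ping_works(rules), "| trace blocked by:", blocked_legs(rules))
```

A stateful firewall may admit the returning ICMP errors on its own once the outbound UDP is permitted; the model keeps the two directions separate so each missing permit shows up by name.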



SimonK987654321 Mon, 03/21/2011 - 07:39
Thanks Edison, that makes perfect sense!  I'll have a word with the FW guys.

Thanks once again!



