Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
5013
Views
0
Helpful
2
Replies

PING works, TRACE doesn't...

Go to solution
SimonK987654321
Level 1
Level 1

‎03-21-2011 07:04 AM - edited ‎03-04-2019 11:49 AM

Hi,

Can someone please shed some light onto what appears to be unexpected behaviour?

I am able to ping an ip address using a particular VLAN interface as the source and get a response, see below:

Core_Switch_6509#ping
Protocol [ip]:
Target IP address: 10.50.x.y
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 10.225.a.b
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.50.x.y, timeout is 2 seconds:
Packet sent with a source address of 10.225.a.b
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/16/16 ms

However when I try a traceroute to the same ip address using the same VLAN interface as source, it fails - again see below:


Core_Switch_6509#trace
Protocol [ip]:
Target IP address: 10.50.x.y
Source address: 10.225.a.b
Numeric display [n]:
Timeout in seconds [3]:
Probe count [3]:
Minimum Time to Live [1]:
Maximum Time to Live [30]:
Port Number [33434]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Type escape sequence to abort.
Tracing the route to 10.50.x.y

  1  *  *  *
   2  *  *  *
   3  *  *  *
   4  *  *  *
   5  *  *  *

etc etc (no reponses whatsoever)...

25  *  *  *
  26  *  *  *
  27  *  *  *
  28  *  *  *
  29  *  *  *
  30  *  *  *

Setting the source to another VLAN interface - policy routed differently - suceeds on both ping and trace which is what I was expecting to see on the above VLAN source - that is, either BOTH succeed or BOTH fail (I actually expected both to fail since I'm told that there's a firewall inbetween set to deny ICMP).

So my question is - if ICMP works for ping why doesn't it work for traceroute?  Or is some intermediate device responding to the ping packet and leading me astray.... And if so, is there a method of discovering what that device might be without debugging what is a core live device?

Can someone please explain?!  Many thanks.

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Edison Ortiz
Hall of Fame
Hall of Fame

‎03-21-2011 07:14 AM

traceroute from a cisco device uses UDP, not ICMP. verify the FW allows UDP from the source/destination VLAN you are trying to reach.

http://www.cisco.com/en/US/products/sw/iosswrel/ps1831/products_tech_note09186a00800a6057.shtml

Regards,

Edison

View solution in original post

0 Helpful
2 Replies 2

Go to solution
Edison Ortiz
Hall of Fame
Hall of Fame

‎03-21-2011 07:14 AM

traceroute from a cisco device uses UDP, not ICMP. verify the FW allows UDP from the source/destination VLAN you are trying to reach.

http://www.cisco.com/en/US/products/sw/iosswrel/ps1831/products_tech_note09186a00800a6057.shtml

Regards,

Edison

0 Helpful

Go to solution
SimonK987654321
Level 1
Level 1
In response to Edison Ortiz

‎03-21-2011 07:39 AM

Thanks Edison, that makes perfect sense!  I'll have a word with the FW guys.

Thanks once again!

Simon

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card