Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Attention: The Community will be in read-only mode on 12/14/2017 from 12:00 am pacific to 11:30 am.

During this time you will only be able to see content. Other interactions such as posting, replying to questions, or marking content as helpful will be disabled for few hours.

We apologize for the inconvenience while we perform important updates to the Community.

New Member

Port unreachable messages on 3550 switch

While working at a client site today, I was troubleshooting some ICMP connectivity for a network we have created.

I turned on 'debug ip icmp" on the 3550 switch int he middle, and was inundated with the following debug output:

Jan 25 11:01:14.641: ICMP: dst (172.16.1.7) port unreachable rcv from 172.16.1.5

Jan 25 11:01:14.641: ICMP: dst (172.16.1.7) port unreachable rcv from 172.16.1.5

Jan 25 11:01:14.641: ICMP: dst (172.16.1.7) port unreachable rcv from 172.16.1.5

Jan 25 11:01:14.641: ICMP: dst (172.16.1.7) port unreachable rcv from 172.16.1.5

Jan 25 11:01:14.641: ICMP: dst (172.16.1.7) port unreachable rcv from 172.16.1.5

Jan 25 11:01:14.649: ICMP: dst (172.16.1.7) port unreachable rcv from 172.16.1.5

Jan 25 11:01:14.649: ICMP: dst (172.16.1.7) port unreachable rcv from 172.16.1.5

Jan 25 11:01:14.649: ICMP: dst (172.16.1.7) port unreachable rcv from 172.16.1.5

Jan 25 11:01:14.653: ICMP: dst (172.16.1.7) port unreachable rcv from 172.16.1.5

Jan 25 11:01:14.653: ICMP: dst (172.16.1.7) port unreachable rcv from 172.16.1.5

Jan 25 11:01:14.653: ICMP: dst (172.16.1.7) port unreachable rcv from 172.16.1.5

Jan 25 11:01:14.653: ICMP: dst (172.16.1.7) port unreachable rcv from 172.16.1.5

This output fires several times a second, and based on how often it is firing, I am curious if it may be a culprit with respect to the fact that the client has indicated that they have some slow internet.

Should the next step be to look at the workstation at 172.16.1.5?  I do need to get this issue resolved.

Thanks in advance for any help.

Kevin

10 REPLIES

Port unreachable messages on 3550 switch

Does the workstation at 172.16.1.5 have local lan connectivity and internet connectivity or just one or the other?

Does this only happen with a source and dest of the two addresses that you posted of several source and destinations?

I'm assuming both hosts are on the same vlan?

New Member

Port unreachable messages on 3550 switch

John

Does the workstation at 172.16.1.5 have local lan connectivity and internet connectivity or just one or the other?

The workstation at 172.16.1.5 does have lan connectivity, as well as internet connectivity.

Does this only happen with a source and dest of the two addresses that you posted of several source and destinations?

I dont understand the question necessarily...  but i will try to explain. 

The 3550 switch native vlan 1 has an IP address of 172.16.1.7, which is the gateway for all workstations in the vlan to get off of the subnet to any other network.  The workstation at 172.16.1.5 has a DG of 1.7, as do the 4 other workststations in that VLAN. 

This 3550 switch is a DMZ switch.  There is an Outside perimeter FW at address 172.16.1.2 and an Inside Perimeter FW at address 172.16.1.3.

The 3550 switch is routing, and for Internet connectivity, has a 0/0 route to the OP FW at the 1.2 address.  He also has static routes for inside networks, which point to 1.3, in case the wkstations in the DMZ need to get to the inside networks that lie behind the IP FW at 1.3.

I'm assuming both hosts are on the same vlan?

Yes they are on the same VLAN.

Port unreachable messages on 3550 switch

Does the 172.16.1.0 network has a /24 mask?

From what I can tell the 3550 switch is doing routing for VLAN1, which is also the DMZ switch, and the DG

of the DMZ switch is the Outside FW at 172.16.1.2? So are these firewall devices specific hardware or software?

How are the Firewalls connectd to the 3550? All these devices seem to be in the same VLAN? Sorry if I don't get

back to you for a little while as well, I gotta leave for a funeral shortly.

New Member

Port unreachable messages on 3550 switch

Does the 172.16.1.0 network has a /24 mask?

Yes

From what I can tell the 3550 switch is doing routing for VLAN1, which is also the DMZ switch, and the DG

of the DMZ switch is the Outside FW at 172.16.1.2? Correct

So are these firewall devices specific hardware or software?  Cisco ASA's

How are the Firewalls connectd to the 3550? see below

tbhedge#sho int des

Interface                      Status         Protocol Description

Vl1                            up             up

Fa0/1                          up             up       NEW BHIASAOP INSIDE INTERFACE

Fa0/2                          up             up       DMZagent

Fa0/3                          up             up       BHIASAIP OUTSIDE Interface

Port f0/1 is the Outside FW Inside interface at adx 172.16.1.2

port f0/2 is the workstation at address 172.16.1.5 that is apparently sending the ICMP port unreachable

port f0/3 connects to the Inside FW Outside interface at adx 172.16.1.3

All these devices seem to be in the same VLAN?  They are. the address space is 172.16.1.0/24

Port unreachable messages on 3550 switch

is this paste from the 3550? What I find interesting is that the each interface os the ASA is basically its own zone. So by having the ASA have an Outside interface on network 172.16.1.0/24, and Inside interface on 172.16.1.0/24, and the DMZ has 172.16.1.0, I find very interesting.....

Can you paste a copy of 'show int ip brief' on the asa?

What are the security levels on the ASA for each interface? By default interfaces with the same security level cannot communicate by default.

New Member

Port unreachable messages on 3550 switch

They are two different ASA's.  If you read the host name, one is BHIASAIP.  The other is BHIASAOP. 

The OP (Outside Perimeter) faces the Internet.  It is the Inside Interface on the Outside FW that connects to the 3500 (which is the DMZ switch).

The IP (Inside Perimeter) ASA faces the Inside Private Nets.  It is the Outside Interface of this box that connects to the 3550. 

The address space in the DMZ is 172.16.1.0/24.  The OP Inside interface , the Mgmt interface of the 3550, several servers and a couple of other devices, as well as the IP Outside interface, are all in this address range.

The Outside Interface of the OP FW is in a public address space.  The Inside Interface of the Inside FW is in a private network range.

Bronze

Port unreachable messages on 3550 switch

I think you should have the Inside and Outside interfaces on ASA set on differents subnets.

Hope this helps

Eugen

Port unreachable messages on 3550 switch

I see how your setup now. It appears the 3550 is connected to both the Inside Perimeter and Outside Permiter ASA, as well as connected to the DMZAgent. I'm hoping that the inside interface on the OP ASA is in the 172.16.1.0/24 network.

What is the inside and outside interface on the IP ASA? The reason I"m asking you this, is that, it appears that you may have the same network configured on multiple ASAs.

New Member

Port unreachable messages on 3550 switch

John

Thanks for all of your help with this.  I was able to resolve the issue simply by rebooting the workstation.  Once that was done, there were no more port unreachables being sent.

The Inside of the OP FW and the Outside of the IP FW are in the DMZ, as they should be, in address space 172.16.1.0/24.  The inside interface of the IP FW is in a private address space connecting to the client core.

Take Care and thanks again JTP

Kevin

Port unreachable messages on 3550 switch

Glad to hear you got it working Kevin. At first it almost sounded like you had one ASA with the same network configuration, and I was gunna say please show me how it actually accepted the command to do that lol. I see what you're doing now.

624
Views
8
Helpful
10
Replies
CreatePlease to create content