Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1665
Views
0
Helpful
4
Replies

TCP / UDP packets not reaching destination

marioderosa2008
Level 1
Level 1

‎05-27-2014 06:32 AM - edited ‎03-07-2019 07:33 PM

Hi all,

I have an ASR at the hub of 3 different routing domains.

I have two OSPF processes and one BGP process all on the same ASR.

BGP routes are redistributed in to both OSPF processes and vice versa. Plus, between the two OSPF processes, routes are also redistributed. Summary addresses are configured at the ASBR before the routes are injected in to Area 0 on each OSPF process.

ICMP from a source host in one OSPF process to a destination in the BGP process works fine, but any TCP traffic hangs awaiting a SYN/ACK.

 

I need to prove that the router is routing the packet toward the egress interface and that the packet is leaving the router. I was wondering if there were any debug commands that I can restrict to a particular host IP so that it does not bring the router down.

I know about Embedded Packet Capture, but unfortunately the IOS-XE version that I am running is not new enough so we do not have EPC on our ASR.

I appreciate that I have given only limited information.

Any advice appreciated.

 

Thanks

Mario

Labels:
0 Helpful
4 Replies 4

Jon Marshall
Hall of Fame
Hall of Fame

‎05-27-2014 07:26 AM

Mario

If you don't want to risk debug then i always used a basic but pretty reliable method ie. acls.

If you create an extended acl with the first line allowing the source IP of the host to any and then a second line with a "permit ip any any" and then apply it outbound to the egress interface it should show if the packets are being routed correctly and sent on towards the destination. 

Obviously the "permit ip any any" line is very important smiley

Edit - i haven't used the ASRs so it is possible they process all their acls in hardware in which case the hits may not show as they don't always on L3 switches that process acls in hardware.

So bear that in mind.

Jon

0 Helpful

marioderosa2008
Level 1
Level 1
In response to Jon Marshall

‎05-27-2014 07:34 AM

thanks John, good idea about the ACL. I just need to get it right so that I know it is certain TCP traffic that is being routed correctly.

I know that if pings work, then routing should not be the issue on our router. A traceroute from both the source and destination shows that packets are traversing the correct path.

I should be able to write the ACL specific to destination port number shouldn't I which would then confirm that the TCP packets are not being dropped by my router?

Thanks

Mario

0 Helpful

Jon Marshall
Hall of Fame
Hall of Fame
In response to marioderosa2008

‎05-27-2014 07:50 AM

Mario

Yes, your acl can match any specfic ports you need to check for.

As i mentioned in my edit though it may or may not work depending on how the ASR processes the acls but it is worth a try.

If it is routing the packets correctly but TCP still fails then obviously check for acls, firewalls etc. in the path.

Jon

0 Helpful

marioderosa2008
Level 1
Level 1
In response to Jon Marshall

‎06-02-2014 03:07 AM

Hi Jon,

 

if I see hits on the ACL matching specific TCP ports, does that mean that the packet actually left the router interface and was placed on the wire?

Would any other features drop the packet like QoS or Interface Buffers etc? Although when i look at the interface counters there are no output queue drops at all so I am pretty confident the packets are leaving the router.

Thanks

Mario

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card