Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Traceroute request timed out - why?


I have a traceroute that goes through an SVI that seems to (9 times out of 10) provide request time outs. No packet loss is seen for pings to the end device, but the traceroute shows losses...


1     <1ms     <1ms     <1ms

2     *          *          *               Request timed out.

3     <1ms     <1ms     <1ms

4     <1ms     <1ms     <1ms

5     <1ms     <1ms     <1ms

Between hop 1 and 2 is a firewall who's next hop points to a 3750 switch ( which is hop 2 and shows the 'drops'. Its config that the firewall points to is:

interface Vlan900
description Firewall_Comms
ip address
no ip redirects
standby 4 ip
standby 4 priority 160
standby 4 preempt

the 3750 only has a single route to

PPFX_X37_274#sh ip ro
Routing entry for
  Known via "ospf 1", distance 110, metric 201, type inter area
  Last update from on Vlan900, 2d00h ago
  Routing Descriptor Blocks:
  *, from, 2d00h ago, via Vlan900
      Route metric is 201, traffic share count is 1

this doesn't seem to cause any problems, but I'm curious as to why this shows time outs...

Any ideas?




Re: Traceroute request timed out - why?


The firewall is a security appliance and will not usually respond to a traceroute.  This is to ensure that someone from the outside cannot find the address of the device and breech your network.  This is disabled by default and if you want this to work you will need to enable it.

I hope this helps and please let us know if you have any further questions.


Thanks and Cheers! Kimberly Please remember to rate helpful posts.
New Member

Re: Traceroute request timed out - why?

Check to make sure that your firewall is allowing traceroute.  IF you have an ASA, make sure ICMP inspection is on. If you dont have an ASA. Make sure you are allowing the following,

access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any source-quench 
access-list 101 permit icmp any any unreachable  
access-list 101 permit icmp any any time-exceeded

New Member

Re: Traceroute request timed out - why?

The firewall is not blocking traceroutes and no access-lists are blocking ICMP on

the layer-3 switch.....

Sometimes the trace works, sometimes (most times) it doesn't....



CreatePlease login to create content