Traceroute request timed out - why?

Hello,

I have a traceroute that goes through an SVI that seems to (9 times out of 10) provide request time outs. No packet loss is seen for pings to the end device, but the traceroute shows losses...

traceroute 10.4.173.6:

1     <1ms     <1ms     <1ms     10.5.61.253
2     *          *          *               Request timed out.
3     <1ms     <1ms     <1ms     10.4.112.243
4     <1ms     <1ms     <1ms     10.5.3.190
5     <1ms     <1ms     <1ms     10.4.173.6

Between hop 1 and 2 is a firewall whose next hop points to a 3750 switch (10.4.112.254) which is hop 2 and shows the 'drops'. Its config that the firewall points to is:

interface Vlan900
description Firewall_Comms
ip address 10.4.112.247 255.255.255.0
no ip redirects
standby 4 ip 10.4.112.254
standby 4 priority 160
standby 4 preempt

The 3750 only has a single route to 10.4.173.6:

PPFX_X37_274#sh ip ro 10.4.173.6
Routing entry for 10.4.173.0/24
  Known via "ospf 1", distance 110, metric 201, type inter area
  Last update from 10.4.112.243 on Vlan900, 2d00h ago
  Routing Descriptor Blocks:
  * 10.4.112.243, from 10.4.238.201, 2d00h ago, via Vlan900
      Route metric is 201, traffic share count is 1

This doesn't seem to cause any problems, but I'm curious as to why this shows time outs...

Any ideas?

Thanks

Phil

3 REPLIES

Re: Traceroute request timed out - why?

Phil,

The firewall is a security appliance and will not usually respond to a traceroute. This is to ensure that someone from the outside cannot find the address of the device and breach your network. This is disabled by default and if you want this to work you will need to enable it.

I hope this helps and please let us know if you have any further questions.

Kimberly


Re: Traceroute request timed out - why?

Check to make sure that your firewall is allowing traceroute. If you have an ASA, make sure ICMP inspection is on. If you don't have an ASA, make sure you are allowing the following:

access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any source-quench 
access-list 101 permit icmp any any unreachable  
access-list 101 permit icmp any any time-exceeded


Re: Traceroute request timed out - why?

The firewall is not blocking traceroutes and no access-lists are blocking ICMP on the layer-3 switch.....

Sometimes the trace works, sometimes (most times) it doesn't....

thanks

Phil
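
An added example, not part of any post in this thread: a Python parser for tracert-style output like the trace in the question. It separates a hop that returned no replies while later hops still answered through it from a path where nothing answers beyond some hop. The function names and the second trace are constructed for illustration.

```python
import re

# Trace copied from the question in this thread (tracert-style columns).
PAGE_TRACE = """\
1     <1ms     <1ms     <1ms     10.5.61.253
2     *          *          *               Request timed out.
3     <1ms     <1ms     <1ms     10.4.112.243
4     <1ms     <1ms     <1ms     10.5.3.190
5     <1ms     <1ms     <1ms     10.4.173.6
"""
# Constructed sample: nothing answers after hop 1, so the path itself is broken.
BROKEN_TRACE = """\
1     <1ms     <1ms     <1ms     10.5.61.253
2     *          *          *               Request timed out.
3     *          *          *               Request timed out.
"""

HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")
PROBE_RE = re.compile(r"\*|<?\d+\s*ms")  # one token per probe sent
ADDR_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")


def parse_trace(text):
    """Return [(hop, answered, sent, address or None), ...] for each hop line."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue
        probes = PROBE_RE.findall(m.group(2))
        addr = ADDR_RE.search(m.group(2))
        answered = sum(1 for p in probes if p != "*")
        hops.append((int(m.group(1)), answered, len(probes),
                     addr.group(0) if addr else None))
    return hops


def classify(hops, destination):
    """Label every hop and report whether the destination itself replied."""
    last_reply = max((hop for hop, answered, _, _ in hops if answered), default=0)
    labels = {}
    for hop, answered, sent, _ in hops:
        if sent and answered == sent:
            labels[hop] = "ok"
        elif answered:
            labels[hop] = "partial"
        else:
            # No reply from this hop: harmless if a later hop answered through it.
            labels[hop] = "silent" if hop < last_reply else "lost"
    reached = any(addr == destination and answered for _, answered, _, addr in hops)
    return labels, reached
```

For the trace in the question, hop 2 is labelled "silent" and the destination is reported as reached, which matches the clean pings to the end device.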
