Cisco Support Community

The traceroute command to a destination from a Cisco Catalyst switch fails while the ping command succeeds

Core issue

When the traceroute command is issued from a Cisco Catalyst switch or a Cisco router, the command sends User Datagram Protocol (UDP) packets. Because these datagrams try to access an invalid port at the destination host, ICMP port unreachable error messages are returned. These error messages indicate an unreachable port and signal to the traceroute program that it is finished. To reduce the impact of the port unreachable messages, these packets are rate-limited. The UNIX traceroute feature is similar to the implementation of the traceroute command in Cisco switches and routers, as both use UDP.

The Microsoft Windows OS uses Internet Control Message Protocol (ICMP) instead of UDP. The packets are passed hop by hop from the source to the destination, each with a Time to Live (TTL) value. The packets expire at each hop to generate the ICMP port unreachable error message. When the packets with the required TTL reach the destination router, since they are ICMP packets, an ICMP reply is sent back to the source. No rate-limiting is seen, and all packets are returned with a reply.


This is expected behavior in Cisco switches and routers, caused by the ICMP unreachable rate limiter.

To modify the rate at which ICMP destination unreachable messages are generated, issue the ip icmp rate-limit unreachable command in global configuration mode. The default value is one ICMP destination unreachable message per 500 milliseconds.
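The following added example (not from the original article or from Cisco) is a simplified model of how the default 500-millisecond limiter interacts with sequential traceroute probes at the final hop. The probe count, round-trip time, probe timeout and the "one message per interval" limiter model are assumptions chosen for illustration.

```python
"""Simplified model of an ICMP unreachable rate limiter facing
sequential traceroute probes. All timings are constructed."""


def simulate_final_hop(probes=3, rtt_ms=1.0, timeout_ms=3000.0, limit_ms=500.0):
    """Return one entry per probe: the RTT in ms, or None for a '*'.

    Assumptions (not from the article): probes are sent one at a time,
    the next probe leaves as soon as a reply arrives or the timeout
    expires, and the destination sends at most one ICMP unreachable
    per limit_ms.
    """
    results = []
    now = 0.0                # sender clock in ms
    last_unreachable = None  # when the destination last sent an unreachable
    for _ in range(probes):
        arrival = now + rtt_ms / 2  # one-way delay to the destination
        allowed = (last_unreachable is None
                   or arrival - last_unreachable >= limit_ms)
        if allowed:
            last_unreachable = arrival
            results.append(rtt_ms)
            now += rtt_ms        # reply received, send the next probe
        else:
            results.append(None)
            now += timeout_ms    # no reply, wait out the probe timeout
    return results


def render(results):
    """Format results the way a traceroute output line shows them."""
    return " ".join("*" if r is None else f"{r:g} msec" for r in results)


if __name__ == "__main__":
    # Default limiter: the second probe arrives within 500 ms of the first.
    print("limit 500 ms:", render(simulate_final_hop()))
    # A much shorter interval lets every probe be answered.
    print("limit   1 ms:", render(simulate_final_hop(limit_ms=1.0)))
    # A probe timeout shorter than the interval loses the third probe too.
    print("timeout 100 ms:", render(simulate_final_hop(timeout_ms=100.0)))
```

In this model the middle probe is lost because it arrives inside the limiter interval, while ping, which elicits replies rather than unreachable messages, is unaffected.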

For more information, refer to the ICMP Unreachables Rate Limitation section of Using the traceroute Command on Operating Systems.

Device connected to switch

Another Switch

External router