
ACL issues with icmp

Hello everyone,

I'd like to know if any of you guys has ever seen an output like

ping x.x.x.x

!U!.!

OR

U!.!U

Pinging from a connected device with 2 load-balanced paths to the destination, I get:

router-core-a>ping 10.8.155.195

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 10.8.155.195, timeout is 2 seconds:

!U!.!

Debugging on the destination:

router-distribution-a#

Mar 8 22:34:28.931 GMT-3: ICMP: echo reply sent, src 10.8.155.195, dst 10.23.192.33

Mar 8 22:34:28.963 GMT-3: %SEC-6-IPACCESSLOGDP: list block denied icmp 10.23.192.37 (GigabitEthernet6/5) -> 10.8.155.195 (0/0), 1 packet

Mar 8 22:34:28.963 GMT-3: ICMP: dst (10.8.155.195) administratively prohibited unreachable sent to 10.23.192.37

Mar 8 22:34:28.971 GMT-3: ICMP: echo reply sent, src 10.8.155.195, dst 10.23.192.33

Mar 8 22:34:30.971 GMT-3: ICMP: echo reply sent, src 10.8.155.195, dst 10.23.192.33

which indicates that 3 of the packets came from the direct link and were not blocked by the ACL, and the other 2 were blocked by an ACL as they came from the other link (with the ACL set as in).

My question is, why do I sometimes see the U and sometimes the dot '.'?

And just for confirmation:

From core I got !U!.!

but from the debug it should be something like !.U!!

This difference is happening because the packets are filtered by the ACL and are taking a longer path to reach this destination, so a longer time; this is why the response I get on the core router differs from the output from the debug, right?

Any suggestions?


4 REPLIES

Re: ACL issues with icmp

Yes, I would have to agree that this is the case... The fact that some of the packets time out simply means that you did not get a response in time. It might be interesting to repeat the test with a larger timeout.

Paresh

Re: ACL issues with icmp

Hello Paresh, thank you for sharing.

But actually I believe the '.' comes with the ACL blocking as well; what I don't understand is why I get different responses, U and '.'.

Why does the switch sometimes respond with the unreachable and sometimes not?

Mar 8 22:34:28.963 GMT-3: %SEC-6-IPACCESSLOGDP: list block denied icmp 10.23.192.37 (GigabitEthernet6/5) -> 10.8.155.195 (0/0), 1 packet

Mar 8 22:34:28.963 GMT-3: ICMP: dst (10.8.155.195) administratively prohibited unreachable sent to 10.23.192.37

Vlad

Re: ACL issues with icmp (accepted solution)

Hi Vlad,

One very plausible reason for this could be the use of ICMP unreachable message rate-limiting. The default on Cisco routers is one ICMP destination unreachable message per 500 ms. In your case, that means that the ones appearing with a '.' have been dropped due to rate-limiting.

Hope that helps - please rate the post if it does.

Paresh
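To see how a one-per-500 ms unreachable limiter turns two ACL-denied probes into one 'U' and one '.', here is a small simulation of the ping exchange; it is added for this thread and is not code from Cisco or from the posters. The timing model is an assumption: the pinging router sends the next probe as soon as the previous one is answered or times out, the RTT is 20 ms, the timeout is 2 s, and the two load-balanced paths are chosen alternately.

```python
"""Why a ping shows '!U!.!' when an inbound ACL on one of two ECMP paths
denies ICMP and the denying router rate-limits its unreachables.

Constructed model, not the thread's or Cisco's code. Assumed behaviour:
a denied probe gets an 'administratively prohibited' unreachable only if
none was sent in the last `interval` seconds (IOS default 500 ms, as the
accepted answer states); a suppressed unreachable means the probe simply
times out and prints '.'.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class RateLimitedUnreachable:
    """At most one ICMP unreachable per `interval` seconds."""
    interval: float = 0.5            # seconds; IOS default is 500 ms
    last_sent: Optional[float] = None

    def may_send(self, now: float) -> bool:
        if self.last_sent is None or now - self.last_sent >= self.interval:
            self.last_sent = now
            return True
        return False


def simulate_ping(denied: List[bool], rtt: float = 0.02, timeout: float = 2.0,
                  limiter: Optional[RateLimitedUnreachable] = None
                  ) -> Tuple[str, List[float]]:
    """Return the ping result string and the send time of every probe.

    denied[i] is True when probe i is hashed onto the path whose inbound
    ACL drops it (the second load-balanced link in the thread).
    """
    limiter = limiter or RateLimitedUnreachable()
    now, out, sent_at = 0.0, [], []
    for is_denied in denied:
        sent_at.append(now)
        if not is_denied:
            out.append("!")          # echo reply came straight back
            now += rtt
        elif limiter.may_send(now + rtt / 2):   # probe reaches the ACL router
            out.append("U")          # unreachable sent and received
            now += rtt
        else:
            out.append(".")          # unreachable suppressed: wait out the timeout
            now += timeout
    return "".join(out), sent_at


if __name__ == "__main__":
    # Alternating path choice: probes 2 and 4 hit the ACL, matching the thread.
    print(simulate_ping([False, True, False, True, False]))   # ('!U!.!', [...])
```

Probes 2 and 4 both hit the ACL, but only the first earns an unreachable; the second is suppressed by the limiter, so the core router reports a 2 s timeout, which is also the gap between the third and last echo reply in the debug. On IOS the interval is tuned with `ip icmp rate-limit unreachable`.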

Re: ACL issues with icmp

Hey Paresh,

Really appreciate this info, I'd never heard of it before. Really awesome.

Got on the following link:

http://www.cisco.com/en/US/products/ps6441/products_feature_guide09186a00804ada38.html#wp1047544

Vlad
