ACL issues with icmp

vladrac-ccna
Level 5

Hello everyone,

I'd like to know if any of you guys have ever seen an output like

ping x.x.x.x

!U!.!

OR

U!.!U

Pinging from a connected device with 2 load-balanced paths to the destination, I get:

router-core-a>ping 10.8.155.195

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 10.8.155.195, timeout is 2 seconds:

!U!.!

Debugging on the destination:

router-distribution-a#

Mar 8 22:34:28.931 GMT-3: ICMP: echo reply sent, src 10.8.155.195, dst 10.23.192.33

Mar 8 22:34:28.963 GMT-3: %SEC-6-IPACCESSLOGDP: list block denied icmp 10.23.192.37 (GigabitEthernet6/5) -> 10.8.155.195 (0/0), 1 packet

Mar 8 22:34:28.963 GMT-3: ICMP: dst (10.8.155.195) administratively prohibited unreachable sent to 10.23.192.37

Mar 8 22:34:28.971 GMT-3: ICMP: echo reply sent, src 10.8.155.195, dst 10.23.192.33

Mar 8 22:34:30.971 GMT-3: ICMP: echo reply sent, src 10.8.155.195, dst 10.23.192.33

which indicates that 3 of the packets came via the direct link and were not blocked by the ACL,

and the other 2 were blocked by an ACL as they came via the other link (with the ACL applied inbound).

My question is, why do I sometimes see the U and sometimes the dot (.)?

And just for confirmation:

From core I got !U!.!

but from the debug it should be something like !.U!!

This difference is happening because the packets are filtered by the ACL and are taking a longer path to reach this destination, so a longer time; this is why the response I get on the core router differs from the output of the debug, right?

Any suggestions?


4 Replies

pkhatri
Level 11

Yes, I would have to agree that this is the case... The fact that some of the packets time out simply means that you did not get a response in time. It might be interesting to repeat the test with a larger timeout.

Paresh

Hello Paresh, thank you for sharing.

But actually I believe the . comes with the ACL blocking as well; what I don't understand is why I get different responses, U and .

Why does the switch sometimes respond with the unreachable and sometimes not?

Mar 8 22:34:28.963 GMT-3: %SEC-6-IPACCESSLOGDP: list block denied icmp 10.23.192.37 (GigabitEthernet6/5) -> 10.8.155.195 (0/0), 1 packet

Mar 8 22:34:28.963 GMT-3: ICMP: dst (10.8.155.195) administratively prohibited unreachable sent to 10.23.192.37

Vlad

Hi Vlad,

One very plausible reason for this could be the use of ICMP unreachable message rate-limiting. The default on Cisco routers is one ICMP destination unreachable message per 500 ms. In your case, that means that the ones appearing with a '.' have been dropped due to rate-limiting.

Hope that helps - pls rate the post if it does.

Paresh
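As an added example (not code from the thread), here is a small Python model of the two behaviours Paresh describes. The prober sends the next echo as soon as it gets a reply ('!') or an unreachable ('U'), but waits the full timeout on silence ('.'); the filtering router emits at most one ICMP unreachable per `ip icmp rate-limit unreachable` interval (IOS default 500 ms). The second function reads the `debug ip icmp` lines Vlad posted and derives the same per-probe characters from the target's point of view. The RTT value, the 'direct'/'filtered' path labels and the slack used when detecting a timeout gap are assumptions for the model, not values from the thread.

```python
import re

# --- Part 1: what the ping sender prints ----------------------------------
# Each probe is sent only after the previous one was answered ('!' or 'U')
# or timed out ('.'), so the spacing between probes depends on the outcome.
def simulate_ping(paths, rtt_ms=10, timeout_ms=2000, unreachable_interval_ms=500):
    """Return the IOS-style ping result string for a list of per-probe paths.

    paths: 'direct' (reaches the target and gets an echo reply) or 'filtered'
           (hashed onto the ECMP path where an inbound ACL denies it).
    unreachable_interval_ms: the filtering router's ICMP unreachable rate
           limit (IOS default: one unreachable per 500 ms); 0 disables it.
    rtt_ms is an assumed round-trip time for answered probes.
    """
    result = []
    now_ms = 0
    last_unreachable_ms = None
    for path in paths:
        if path == "direct":
            result.append("!")
            now_ms += rtt_ms
        elif (last_unreachable_ms is None
              or now_ms - last_unreachable_ms >= unreachable_interval_ms):
            # ACL denies; router sends 'administratively prohibited' unreachable
            last_unreachable_ms = now_ms
            result.append("U")
            now_ms += rtt_ms
        else:
            # ACL denies again, but the unreachable is rate-limited, so the
            # sender hears nothing and waits out the full timeout
            result.append(".")
            now_ms += timeout_ms
    return "".join(result)


# --- Part 2: reconstruct the same string from the target's debug output ----
_CLOCK = re.compile(r"(\d\d):(\d\d):(\d\d)\.(\d{3})")

def _ts_ms(line):
    """Milliseconds since midnight from an IOS 'hh:mm:ss.mmm' timestamp."""
    m = _CLOCK.search(line)
    if not m:
        raise ValueError("no timestamp in: " + line)
    h, mi, s, ms = (int(x) for x in m.groups())
    return ((h * 60 + mi) * 60 + s) * 1000 + ms

def probes_from_debug(lines, timeout_ms=2000, slack_ms=50):
    """Derive '!'/'U'/'.' per probe from 'debug ip icmp' lines on the target.

    An echo reply maps to '!', an unreachable sent back to the prober to 'U'.
    A gap of roughly the ping timeout (timeout_ms minus an assumed slack for
    clock granularity) between consecutive events means the prober was
    waiting on a probe that got no answer at all, i.e. a '.'.
    %SEC-6-IPACCESSLOGDP lines only record the ACL hit and are skipped; IOS
    logs the first matching packet and then only periodic summaries, which
    is why one deny line can stand for several denied probes.
    """
    events = []
    for line in lines:
        if "echo reply sent" in line:
            events.append((_ts_ms(line), "!"))
        elif "unreachable sent" in line:
            events.append((_ts_ms(line), "U"))
    result = []
    prev_ms = None
    for ts, ch in events:
        if prev_ms is not None and ts - prev_ms >= timeout_ms - slack_ms:
            result.append(".")
        result.append(ch)
        prev_ms = ts
    return "".join(result)


# Debug lines copied from the post above (not constructed).
DEBUG_LINES = [
    "Mar 8 22:34:28.931 GMT-3: ICMP: echo reply sent, src 10.8.155.195, dst 10.23.192.33",
    "Mar 8 22:34:28.963 GMT-3: %SEC-6-IPACCESSLOGDP: list block denied icmp 10.23.192.37 (GigabitEthernet6/5) -> 10.8.155.195 (0/0), 1 packet",
    "Mar 8 22:34:28.963 GMT-3: ICMP: dst (10.8.155.195) administratively prohibited unreachable sent to 10.23.192.37",
    "Mar 8 22:34:28.971 GMT-3: ICMP: echo reply sent, src 10.8.155.195, dst 10.23.192.33",
    "Mar 8 22:34:30.971 GMT-3: ICMP: echo reply sent, src 10.8.155.195, dst 10.23.192.33",
]

if __name__ == "__main__":
    hashed = ["direct", "filtered", "direct", "filtered", "direct"]
    print(simulate_ping(hashed))                              # default rate limit
    print(simulate_ping(hashed, unreachable_interval_ms=0))   # rate limit disabled
    print(probes_from_debug(DEBUG_LINES))                     # from the posted debug
```

With the default 500 ms limit the model gives `!U!.!` for the alternating path sequence, the same string as the `ping` on router-core-a; with the limit removed (`no ip icmp rate-limit unreachable` on the filtering router) every denied probe comes back as `U`, and if all five probes hashed onto the filtered path you would see `U.U.U`. Reading the posted debug the same way yields `!U!.!` as well: the 2-second gap before the last echo reply is the timed-out fourth probe.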

Hey Paresh,

Really appreciate this info, I'd never heard of it before. Really awesome.

Found it at the following link:

http://www.cisco.com/en/US/products/ps6441/products_feature_guide09186a00804ada38.html#wp1047544

Vlad
