03-08-2006 05:46 PM - edited 03-03-2019 02:11 AM
Hello everyone,
I'd like to know if any of you guys ever seen an output like
ping x.x.x.x
!U!.!
OR
U!.!U
pinging from a connected device with 2 load balanced path to destination I get:
router-core-a>ping 10.8.155.195
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.8.155.195, timeout is 2 seconds:
!U!.!
debuging on the destination
router-distribution-a#
Mar 8 22:34:28.931 GMT-3: ICMP: echo reply sent, src 10.8.155.195, dst 10.23.192.33
Mar 8 22:34:28.963 GMT-3: %SEC-6-IPACCESSLOGDP: list block denied icmp 10.23.192.37 (GigabitEthernet6/5) -> 10.8.155.195 (0/0), 1 packet
Mar 8 22:34:28.963 GMT-3: ICMP: dst (10.8.155.195) administratively prohibited unreachable sent to 10.23.192.37
Mar 8 22:34:28.971 GMT-3: ICMP: echo reply sent, src 10.8.155.195, dst 10.23.192.33
Mar 8 22:34:30.971 GMT-3: ICMP: echo reply sent, src 10.8.155.195, dst 10.23.192.33
which indicate that 3 of the packets came from direct link and were not block by the ACL
and the other 2 were blocked by an ACL as they came from the other link (with the ACL set as in).
My question is, why sometimes I see the U and sometimes I see the dot . ?
And just for confirmation:
From core I got !U!.!
but from the debug it should be something like !.U!!
This is difference is happening because the packets are filtred by the ACL and it is taking a longer path to reach this destination so longer time, this is why the response I get on the core router differ from the output from the debug, right?
Any suggestions?
Solved! Go to Solution.
03-08-2006 06:32 PM
Hi Vlad,
One very plausible reason for this could be the use of ICMP unreachable message rate-limiting. The default on Cisco routers is one ICMP destination unreachable message per 500 ms. In your case, that means that the ones appearing with a '.' have been dropped due to rate-limiting.
Hope that helps - pls rate the post if it does.
Paresh
03-08-2006 05:50 PM
Yes, I would have to agree that this is the case... The fact that some of the packets time out simply means that you did not get a response in time. It might be interesting to repeat the test with a larger timeout.
Paresh
03-08-2006 06:26 PM
Hello Paresh, thank you for sharing.
But actually I believe the . come with the ACL blocking as well, I dont understand is why I get different responses U and .
why the switch sometimes responde with the unreachable and sometimes not?
Mar 8 22:34:28.963 GMT-3: %SEC-6-IPACCESSLOGDP: list block denied icmp 10.23.192.37 (GigabitEthernet6/5) -> 10.8.155.195 (0/0), 1 packet
Mar 8 22:34:28.963 GMT-3: ICMP: dst (10.8.155.195) administratively prohibited unreachable sent to 10.23.192.37
Vlad
03-08-2006 06:32 PM
Hi Vlad,
One very plausible reason for this could be the use of ICMP unreachable message rate-limiting. The default on Cisco routers is one ICMP destination unreachable message per 500 ms. In your case, that means that the ones appearing with a '.' have been dropped due to rate-limiting.
Hope that helps - pls rate the post if it does.
Paresh
03-09-2006 02:06 PM
Hey Paresh,
Really appreciate this info, I'd never heard of it before. Really awesome.
Got on the following link:
http://www.cisco.com/en/US/products/ps6441/products_feature_guide09186a00804ada38.html#wp1047544
Vlad
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: