
New Member

Debug packet command not displaying icmp return traffic from traceroute

Hi,

I have tried to initiate a traceroute from one router behind my PIX 6.3 to another router somewhere in the outside. When I use "debug packet inside" there was display but when I tried to use on the "outside" interface I cannot see the debug output. I have tried many combinations of src and dst address but still no outputs. Here is the ACL from the config:

access-list inside permit icmp any any

access-list inside permit ip any any

access-list outside permit icmp any any

access-group inside in interface inside

access-group outside in interface outside

Regards,

Lorenz

8 REPLIES
Silver

Re: Debug packet command not displaying icmp return traffic from

Lorenz,

Can you tell us please what debug command you are using on the outside interface?

tia,

Ajaz Nawaz

Silver

Re: Debug packet command not displaying icmp return traffic from

Lorenz,

I suspect you are using 'debug packet outside'.

Traceroute is using ICMP as you know so you must issue the command:

debug icmp trace

Hope this helps

Ajaz Nawaz

please rate useful posts

New Member

Re: Debug packet command not displaying icmp return traffic from

Hi Ajaz,

I have tried that also before but no expected ICMP message output displayed. I have tried it again. Please see the information below:

~~~~~~~~~~~~~~~~~

On the PIX:

PIX(config)# show debug

debug icmp trace

PIX(config)# 111009: User 'enable_15' executed cmd: show debug

PIX(config)# 302015: Built outbound UDP connection 23 for outside:10.50.13.1/33434 (10.50.13.1/33434) to inside:10.10.6.2/33123 (10.50.31.22/33123)

302015: Built outbound UDP connection 24 for outside:10.50.13.1/33435 (10.50.13.1/33435) to inside:10.10.6.2/36853 (10.50.31.22/36853)

302015: Built outbound UDP connection 25 for outside:10.50.13.1/33436 (10.50.13.1/33436) to inside:10.10.6.2/38225 (10.50.31.22/38225)

302015: Built outbound UDP connection 26 for outside:10.50.13.1/33437 (10.50.13.1/33437) to inside:10.10.6.2/41722 (10.50.31.22/41722)

302015: Built outbound UDP connection 27 for outside:10.50.13.1/33438 (10.50.13.1/33438) to inside:10.10.6.2/41954 (10.50.31.22/41954)

302015: Built outbound UDP connection 28 for outside:10.50.13.1/33439 (10.50.13.1/33439) to inside:10.10.6.2/35614 (10.50.31.22/35614)

~~~~~~~~~~~~~~~~~~~~~~~~~

ON the Router:

R6-FRSW#traceroute 10.50.13.1

Type escape sequence to abort.

Tracing the route to 10.50.13.1

1 10.50.31.2 8 msec 4 msec 4 msec

2 10.50.13.1 36 msec * 36 msec

R6-FRSW#

Regards,

Lorenz
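The six 302015 messages quoted above already answer one of the questions in this thread: they show which global (translated) address the PIX uses for the inside host on the outside interface, and therefore which addresses a "debug packet outside" filter has to name. The following parser is an added example, not Cisco's code and not the poster's; it takes the quoted log lines as constructed input, recovers the xlate each probe used, lists the consecutive UDP probe ports, and derives the outside-interface filter from the mapped addresses. The message layout it assumes is "Built <dir> <proto> connection <n> for <if>:<real>/<port> (<mapped>/<port>) to <if>:<real>/<port> (<mapped>/<port>)", with an optional "%PIX-6-" prefix.

```python
import re
from collections import defaultdict

# Constructed sample: the six messages quoted in the post above, verbatim.
SAMPLE_LOG = """\
302015: Built outbound UDP connection 23 for outside:10.50.13.1/33434 (10.50.13.1/33434) to inside:10.10.6.2/33123 (10.50.31.22/33123)
302015: Built outbound UDP connection 24 for outside:10.50.13.1/33435 (10.50.13.1/33435) to inside:10.10.6.2/36853 (10.50.31.22/36853)
302015: Built outbound UDP connection 25 for outside:10.50.13.1/33436 (10.50.13.1/33436) to inside:10.10.6.2/38225 (10.50.31.22/38225)
302015: Built outbound UDP connection 26 for outside:10.50.13.1/33437 (10.50.13.1/33437) to inside:10.10.6.2/41722 (10.50.31.22/41722)
302015: Built outbound UDP connection 27 for outside:10.50.13.1/33438 (10.50.13.1/33438) to inside:10.10.6.2/41954 (10.50.31.22/41954)
302015: Built outbound UDP connection 28 for outside:10.50.13.1/33439 (10.50.13.1/33439) to inside:10.10.6.2/35614 (10.50.31.22/35614)
"""

# One "<if>:<real>/<port> (<mapped>/<port>)" endpoint; {p} prefixes the group names.
ENDPOINT = r"(?P<{p}if>\w+):(?P<{p}real>[\d.]+)/(?P<{p}rport>\d+) \((?P<{p}map>[\d.]+)/(?P<{p}mport>\d+)\)"
BUILT_RE = re.compile(
    r"^(?:%PIX-\d-)?(?P<msgid>\d{6}): Built (?P<dir>inbound|outbound) "
    r"(?P<proto>TCP|UDP) connection (?P<conn>\d+) for "
    + ENDPOINT.format(p="a_") + " to " + ENDPOINT.format(p="b_") + r"$"
)


def parse_built(line):
    """Parse one 302015 line into a dict, or return None for anything else."""
    m = BUILT_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    for k in ("conn", "a_rport", "a_mport", "b_rport", "b_mport"):
        d[k] = int(d[k])
    return d


def _sides(d):
    """Yield (interface, real, mapped, real_port, mapped_port) for both endpoints."""
    for p in ("a_", "b_"):
        yield d[p + "if"], d[p + "real"], d[p + "map"], d[p + "rport"], d[p + "mport"]


def xlates(log):
    """Real inside address -> sorted list of global addresses it was translated to.
    One entry that differs from the real address is a static (as in this thread);
    several entries, or the interface address, point at global/PAT instead."""
    table = defaultdict(set)
    for line in log.splitlines():
        d = parse_built(line)
        if d:
            for iface, real, mapped, _, _ in _sides(d):
                if iface == "inside":
                    table[real].add(mapped)
    return {k: sorted(v) for k, v in table.items()}


def probe_ports(log):
    """UDP destination ports seen on the outside peer, in order; traceroute
    increments this port once per probe, so a run of consecutive values is one
    traceroute and gaps mean missed probes."""
    ports = []
    for line in log.splitlines():
        d = parse_built(line)
        if d:
            for iface, _, _, rport, _ in _sides(d):
                if iface == "outside":
                    ports.append(rport)
    return sorted(ports)


def outside_debug_filter(log, proto="icmp"):
    """Build the 'debug packet outside' filter for the replies to these connections.
    On the outside interface the PIX sees the *mapped* inside address, so the
    dst of a reply is the global address, never the real one."""
    pairs = set()
    for line in log.splitlines():
        d = parse_built(line)
        if not d or d["dir"] != "outbound":
            continue
        peer = next(real for iface, real, _, _, _ in _sides(d) if iface == "outside")
        mapped = next(m for iface, _, m, _, _ in _sides(d) if iface == "inside")
        pairs.add((peer, mapped))
    return [f"debug packet outside src {s} netmask 255.255.255.255 dst {t} proto {proto}"
            for s, t in sorted(pairs)]
```

Running `outside_debug_filter(SAMPLE_LOG)` on the quoted lines yields exactly the filter used later in this thread (src 10.50.13.1, dst 10.50.31.22), which is one way to confirm that the debug filter itself is not the reason for missing output.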

Silver

Re: Debug packet command not displaying icmp return traffic from

Lorenz,

Is there any chance please you can share the configuration with us in terms of NAT etc.?

I would also like to request the exact debug commands you are executing with all the relevant IP addresses.

thanks in advance

Ajaz Nawaz

New Member

Re: Debug packet command not displaying icmp return traffic from

Hi Ajaz,

Here are the debug commands I put:

debug packet outside src 10.50.13.1 netmask 255.255.255.255 dst 10.50.31.22 proto icmp

debug icmp trace

Note: The 10.50.13.1 is two (2) hops away.

The following are my NAT commands:

PIX(config)# sh nat

nat (inside) 0 access-list nonat

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

PIX(config)# sh global

global (outside) 1 interface

PIX(config)# sh static

static (inside,outside) 10.50.31.22 10.10.6.2 netmask 255.255.255.255 0 0

static (inside,outside) 16.16.16.16 16.16.16.16 netmask 255.255.255.255 0 0

static (inside,outside) 166.166.166.166 166.166.166.166 netmask 255.255.255.255 0 0

static (inside,outside) 10.50.31.60 192.168.6.60 netmask 255.255.255.255 0 0

static (inside,outside) 10.50.31.65 192.168.6.65 netmask 255.255.255.255 0 0

static (inside,outside) 10.50.31.6 192.168.6.6 netmask 255.255.255.255 0 0

static (inside,outside) 10.50.31.99 192.168.6.99 netmask 255.255.255.255 0 0

PIX(config)#

As you might notice, I have taken these from Yusuff's Practice Labs scenario. I am trying to recreate it and doing some debugs to check whether the ICMP return message from the Traceroute is coming to my PIX interface. But unfortunately I do not see such ICMP message pertaining to the traceroute.

Regards,

Lorenz

Silver

Re: Debug packet command not displaying icmp return traffic from

Lorenz

I'm afraid I do not have access to Yusuff's book.

The below debug states a dst IP address (10.50.31.22) that is also defined as a static on the PIX. Why?

We need to verify why this is and the associated access-lists. We also need to ascertain if the outbound packet uses the global or no-nat access-list hence we need all or more of the config.

If possible please supply full config of the PIX.

Theory:

The debug used below will not pick up the ICMP packet trace if the src is NAT'ed to the global 1 (interface address) as the reply from the dst host will be back to the interface address.

We can investigate this further if we have more of the config.

Note: Possible issues for 'Debug ICMP trace' because of static configured on PIX

bye for now,

Ajaz Nawaz

New Member

Re: Debug packet command not displaying icmp return traffic from

Hi Ajaz,

Whew! I finally got hold of the truth. It was some routing misconfiguration on the next hop router of the PIX. There was no problem with the PIX. The 10.50.31.2 router was not properly redistributing subnet information to the OSPF network, thereby not giving the destination router 10.50.13.1 the proper route back. This gave me the timeouts all the time. Now I can get the ICMP Type 3 Code 3 from the 10.50.13.1.

Here are the outputs:

PIX(config)# --------- PACKET ---------

-- IP --

10.50.13.1 ==> 10.50.31.22

ver = 0x4 hlen = 0x5 tos = 0xc0 tlen = 0x38

id = 0xf38 flags = 0x0 frag off=0x0

ttl = 0xfe proto=0x1 chksum = 0x6c52

-- ICMP --

type = 0x3 code = 0x3 checksum=0x3d91

identifier = 0x0 seq = 0x0

-- DATA --

00000010: 45 00 00 1c | E...

00000020: 21 1b 00 00 01 11 58 3c 0a 32 1f 16 0a 32 0d 01 | !.....X<.2...2..

00000030: 83 ff 82 9d 00 08 b8 c6 02 | .........

--------- END OF PACKET ---------

--------- PACKET ---------

-- IP --

10.50.13.1 ==> 10.50.31.22

ver = 0x4 hlen = 0x5 tos = 0xc0 tlen = 0x38

id = 0xf39 flags = 0x0 frag off=0x0

ttl = 0xfe proto=0x1 chksum = 0x6c51

-- ICMP --

type = 0x3 code = 0x3 checksum=0x3d91

identifier = 0x0 seq = 0x0

-- DATA --

00000010: 45 00 00 1c | E...

00000020: 21 21 00 00 01 11 58 36 0a 32 1f 16 0a 32 0d 01 | !!....X6.2...2..

00000030: 85 c2 82 9f 00 08 b7 01 00 | .........

--------- END OF PACKET ---------

Thanks anyways for the theory that you gave previously. The NAT to the interface is not connected with the IP source address used in the traceroute because the Router behind the PIX uses a static NAT (to 10.50.31.22).

PS: Thanks for giving me your time. Hope to interact with you sometime again!

Regards,

Lorenz
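The packet dumps above are more informative than the bare "type = 0x3 code = 0x3" line suggests: an ICMP destination-unreachable (or time-exceeded) message carries the IP header and first eight bytes of the datagram that triggered it, so the DATA section contains the original UDP probe with its source and destination ports. The decoder below is an added example, not Cisco's code and not the poster's. It takes the first PACKET block quoted above as constructed input, rebuilds the outer IP header from the printed fields and checks its checksum, decodes the embedded IP/UDP header (and checks that checksum too), and maps the UDP destination port back to the traceroute hop and probe number. Assumptions: the DATA hex columns are concatenated in print order (the offset labels are ignored, since the first line shows only four bytes), and the probes used the classic UDP base port 33434 with three probes per hop, which is what the router output in this thread shows.

```python
import re
import struct
from dataclasses import dataclass

TRACEROUTE_BASE_PORT = 33434  # assumption: default first UDP probe port
PROBES_PER_HOP = 3            # assumption: IOS traceroute default

# Constructed sample: the first PACKET block quoted in the post above, verbatim.
SAMPLE = """\
--------- PACKET ---------
-- IP --
10.50.13.1 ==> 10.50.31.22
ver = 0x4 hlen = 0x5 tos = 0xc0 tlen = 0x38
id = 0xf38 flags = 0x0 frag off=0x0
ttl = 0xfe proto=0x1 chksum = 0x6c52
-- ICMP --
type = 0x3 code = 0x3 checksum=0x3d91
identifier = 0x0 seq = 0x0
-- DATA --
00000010: 45 00 00 1c | E...
00000020: 21 1b 00 00 01 11 58 3c 0a 32 1f 16 0a 32 0d 01 | !.....X<.2...2..
00000030: 83 ff 82 9d 00 08 b8 c6 02 | .........
--------- END OF PACKET ---------
"""

UNREACH = {0: "net unreachable", 1: "host unreachable",
           2: "protocol unreachable", 3: "port unreachable"}


@dataclass
class Reply:
    outer_src: str
    outer_dst: str
    outer_ttl: int
    outer_checksum_ok: bool
    icmp_type: int
    icmp_code: int
    inner_src: str
    inner_dst: str
    inner_proto: int
    inner_ttl: int
    inner_checksum_ok: bool
    sport: int
    dport: int


def ip_checksum_ok(header):
    """RFC 791: the one's-complement sum of a valid 20-byte header folds to 0xffff."""
    total = sum(struct.unpack("!10H", header[:20]))
    while total >> 16:
        total = (total & 0xffff) + (total >> 16)
    return total == 0xffff


def ip_bytes(addr):
    return bytes(int(o) for o in addr.split("."))


def icmp_name(t, c):
    if t == 11:
        return "time exceeded"
    if t == 3:
        return "destination unreachable: " + UNREACH.get(c, f"code {c}")
    return f"type {t} code {c}"


def parse_debug_packet(text):
    src, dst = re.search(r"^([\d.]+) ==> ([\d.]+)$", text, re.M).groups()
    # Every 'name = 0xNN' pair the PIX printed, keyed by name ('off' is the frag offset).
    f = {k: int(v, 16) for k, v in re.findall(r"(\w+)\s*=\s*0x([0-9a-fA-F]+)", text)}
    if f["type"] not in (3, 11):
        raise ValueError("only unreachable / time-exceeded replies carry the original header")
    # Rebuild the outer header from the printed fields; a valid checksum proves
    # the fields were read correctly.
    outer = struct.pack("!BBHHHBBH4s4s", (f["ver"] << 4) | f["hlen"], f["tos"],
                        f["tlen"], f["id"], (f["flags"] << 13) | f["off"],
                        f["ttl"], f["proto"], f["chksum"], ip_bytes(src), ip_bytes(dst))
    # Concatenate the hex columns of the DATA lines: the quoted datagram.
    data = bytearray()
    for line in text.splitlines():
        m = re.match(r"^[0-9a-fA-F]{8}:\s+([0-9a-fA-F ]+?)\s*\|", line)
        if m:
            data.extend(bytes.fromhex(m.group(1).replace(" ", "")))
    ihl = (data[0] & 0x0f) * 4
    inner = bytes(data[:ihl])
    sport, dport = struct.unpack("!HH", data[ihl:ihl + 4])  # UDP ports follow the IP header
    return Reply(src, dst, f["ttl"], ip_checksum_ok(outer), f["type"], f["code"],
                 ".".join(map(str, inner[12:16])), ".".join(map(str, inner[16:20])),
                 inner[9], inner[8], ip_checksum_ok(inner), sport, dport)


def traceroute_probe(dport):
    """Map a UDP probe's destination port back to (hop, probe), both 1-based."""
    i = dport - TRACEROUTE_BASE_PORT
    return i // PROBES_PER_HOP + 1, i % PROBES_PER_HOP + 1


def summarize(text):
    r = parse_debug_packet(text)
    hop, probe = traceroute_probe(r.dport)
    return (f"{r.outer_src} sent {icmp_name(r.icmp_type, r.icmp_code)} for probe "
            f"{r.inner_src}:{r.sport} -> {r.inner_dst}:{r.dport} (hop {hop}, probe {probe})")
```

`summarize(SAMPLE)` reports that 10.50.13.1 answered with port unreachable for the probe 10.50.31.22:33791 -> 10.50.13.1:33437, i.e. hop 2, probe 1, which agrees with the router's traceroute output and with the "Built outbound UDP connection 26 ... 33437" message earlier in the thread. The embedded TTL of 1 is also what you expect for a probe that reached the second hop, and both checksums validating confirms that the gap in the dump's offset labels is a display quirk rather than missing bytes.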

New Member

Re: Debug packet command not displaying icmp return traffic from

Lorenz,

I trust you have an xlate for your traffic. You won't get "debug pack outside" output unless traffic is hitting (leaving or entering - doesn't matter if it is being dropped) that 'outside' interface.

If you're getting no output check your logs for:

"%PIX-3-305005: No translation group found for .." messages.

let me know how it goes.

Regards,

Mike
