03-21-2011 07:04 AM - edited 03-04-2019 11:49 AM
Hi,
Can someone please shed some light onto what appears to be unexpected behaviour?
I am able to ping an ip address using a particular VLAN interface as the source and get a response, see below:
Core_Switch_6509#ping
Protocol [ip]:
Target IP address: 10.50.x.y
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 10.225.a.b
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.50.x.y, timeout is 2 seconds:
Packet sent with a source address of 10.225.a.b
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/16/16 ms
However when I try a traceroute to the same ip address using the same VLAN interface as source, it fails - again see below:
Core_Switch_6509#trace
Protocol [ip]:
Target IP address: 10.50.x.y
Source address: 10.225.a.b
Numeric display [n]:
Timeout in seconds [3]:
Probe count [3]:
Minimum Time to Live [1]:
Maximum Time to Live [30]:
Port Number [33434]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Type escape sequence to abort.
Tracing the route to 10.50.x.y
1 * * *
2 * * *
3 * * *
4 * * *
5 * * *
etc etc (no responses whatsoever)...
25 * * *
26 * * *
27 * * *
28 * * *
29 * * *
30 * * *
Setting the source to another VLAN interface - policy routed differently - succeeds on both ping and trace which is what I was expecting to see on the above VLAN source - that is, either BOTH succeed or BOTH fail (I actually expected both to fail since I'm told that there's a firewall in between set to deny ICMP).
So my question is - if ICMP works for ping why doesn't it work for traceroute? Or is some intermediate device responding to the ping packet and leading me astray.... And if so, is there a method of discovering what that device might be without debugging what is a core live device?
Can someone please explain?! Many thanks.
03-21-2011 07:14 AM
Traceroute from a Cisco device uses UDP, not ICMP. Verify the FW allows UDP from the source/destination VLAN you are trying to reach.
http://www.cisco.com/en/US/products/sw/iosswrel/ps1831/products_tech_note09186a00800a6057.shtml
Regards,
Edison
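The difference the answer above describes, as an added example that is not part of the original thread: the ping and the trace probe are built as raw IPv4 packets and run through a first-match filter, showing why an echo-only policy passes one and drops the other. The addresses, rule lists, function names and the one-port-per-probe range are assumptions made for illustration.

```python
import struct

ICMP, UDP = 1, 17                       # IP protocol numbers
SRC, DST = "10.225.0.1", "10.50.0.1"    # constructed sample addresses

def ipv4(proto, ttl, payload, src=SRC, dst=DST):
    """Prepend a minimal 20-byte IPv4 header (checksum left 0; never sent)."""
    pack_addr = lambda a: bytes(int(o) for o in a.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                       ttl, proto, 0, pack_addr(src), pack_addr(dst)) + payload

def icmp_packet(icmp_type, code=0, ttl=255):
    # 8 = echo request (ping), 0 = echo reply, 11 = time exceeded, 3 = unreachable
    return ipv4(ICMP, ttl, struct.pack("!BBHHH", icmp_type, code, 0, 1, 1))

def traceroute_probe(ttl, dport=33434):
    # UDP datagram to a high port; 33434 is the default shown in the trace dialog
    return ipv4(UDP, ttl, struct.pack("!HHHH", 49152, dport, 8, 0))

def classify(packet):
    """Return (protocol, ICMP type or UDP destination port) as a filter sees it."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] == ICMP:
        return "icmp", packet[ihl]
    if packet[9] == UDP:
        return "udp", struct.unpack("!H", packet[ihl + 2:ihl + 4])[0]
    return "other", None

def evaluate(rules, packet):
    """First-match rule list with an implicit deny at the end."""
    proto, detail = classify(packet)
    for action, rule_proto, allowed in rules:
        if rule_proto == proto and detail in allowed:
            return action
    return "deny"

# Hypothetical policy that explains the symptom: echo request/reply only.
PING_ONLY = [("permit", "icmp", {8, 0})]
# Adds the UDP probes (30 hops x 3 probes, assuming one port per probe)
# and the ICMP errors that carry the traceroute answers back.
WITH_TRACEROUTE = PING_ONLY + [("permit", "udp", range(33434, 33434 + 90)),
                               ("permit", "icmp", {11, 3})]

if __name__ == "__main__":
    for name, rules in (("PING_ONLY", PING_ONLY), ("WITH_TRACEROUTE", WITH_TRACEROUTE)):
        print(name, "ping:", evaluate(rules, icmp_packet(8)),
              "trace:", evaluate(rules, traceroute_probe(ttl=1)))
```

The return path matters as well: intermediate hops answer the UDP probe with ICMP time exceeded (type 11) and the target answers with ICMP port unreachable (type 3), so both have to be allowed back toward the source.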
03-21-2011 07:39 AM
Thanks Edison, that makes perfect sense! I'll have a word with the FW guys.
Thanks once again!
Simon