New Member

PING works, TRACE doesn't...

Hi,

Can someone please shed some light onto what appears to be unexpected behaviour?

I am able to ping an ip address using a particular VLAN interface as the source and get a response, see below:

Core_Switch_6509#ping
Protocol [ip]:
Target IP address: 10.50.x.y
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 10.225.a.b
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.50.x.y, timeout is 2 seconds:
Packet sent with a source address of 10.225.a.b
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/16/16 ms

However when I try a traceroute to the same ip address using the same VLAN interface as source, it fails - again see below:


Core_Switch_6509#trace
Protocol [ip]:
Target IP address: 10.50.x.y
Source address: 10.225.a.b
Numeric display [n]:
Timeout in seconds [3]:
Probe count [3]:
Minimum Time to Live [1]:
Maximum Time to Live [30]:
Port Number [33434]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Type escape sequence to abort.
Tracing the route to 10.50.x.y

  1  *  *  *
  2  *  *  *
  3  *  *  *
  4  *  *  *
  5  *  *  *

etc etc (no responses whatsoever)...

 25  *  *  *
 26  *  *  *
 27  *  *  *
 28  *  *  *
 29  *  *  *
 30  *  *  *

Setting the source to another VLAN interface - policy routed differently - succeeds on both ping and trace which is what I was expecting to see on the above VLAN source - that is, either BOTH succeed or BOTH fail (I actually expected both to fail since I'm told that there's a firewall in between set to deny ICMP).

So my question is - if ICMP works for ping why doesn't it work for traceroute?  Or is some intermediate device responding to the ping packet and leading me astray.... And if so, is there a method of discovering what that device might be without debugging what is a core live device?

Can someone please explain?!  Many thanks.

Accepted Solutions
Hall of Fame Super Bronze

Re: PING works, TRACE doesn't...

Traceroute from a Cisco device uses UDP, not ICMP. Verify the FW allows UDP from the source/destination VLAN you are trying to reach.

http://www.cisco.com/en/US/products/sw/iosswrel/ps1831/products_tech_note09186a00800a6057.shtml

Regards,

Edison
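
The difference described in the answer above, as an added example that is not part of the original thread and not Cisco code: a small model of which packets ping and a UDP-based traceroute need a filter to pass. The `Rule` format, the policy contents and the idea that every probe crosses one stateless filter before hop 1 are assumptions made for illustration; the real firewall's policy is not shown in the thread.

```python
from collections import namedtuple

# Constructed model: a stateless first-match filter that every packet between
# the switch and hop 1 must cross (assumption; not a real firewall's syntax).
Rule = namedtuple("Rule", "action proto kind lo hi")   # lo/hi: UDP dest port range

def permits(policy, proto, kind, dport=0):
    for r in policy:
        if r.proto == proto and r.kind in (kind, "any") and r.lo <= dport <= r.hi:
            return r.action == "permit"
    return False                                       # implicit deny

def ping(policy):
    """ICMP echo out and echo-reply back must both pass."""
    return permits(policy, "icmp", "echo") and permits(policy, "icmp", "echo-reply")

def traceroute(policy, hops, base_port=33434, probes=3):
    """UDP probes with TTL 1..hops; destination port increments per probe.
    Transit hops answer ICMP time-exceeded, the target ICMP port-unreachable."""
    rows, port = [], base_port
    for ttl in range(1, hops + 1):
        reply = "port-unreachable" if ttl == hops else "time-exceeded"
        marks = []
        for _ in range(probes):
            ok = permits(policy, "udp", "probe", port) and permits(policy, "icmp", reply)
            marks.append("+" if ok else "*")           # "+" = answered, "*" = timeout
            port += 1
        rows.append((ttl, "".join(marks)))
    return rows

# One policy that would produce the thread's symptom: echo/echo-reply only.
PING_ONLY = [Rule("permit", "icmp", "echo", 0, 0),
             Rule("permit", "icmp", "echo-reply", 0, 0)]

# Corrected policy: add the probe ports (30 TTLs x 3 probes from 33434) and
# the two ICMP error types that carry the answers back.
TRACE_OK = PING_ONLY + [Rule("permit", "udp", "probe", 33434, 33434 + 30 * 3 - 1),
                        Rule("permit", "icmp", "time-exceeded", 0, 0),
                        Rule("permit", "icmp", "port-unreachable", 0, 0)]

if __name__ == "__main__":
    for name, pol in (("ping-only", PING_ONLY), ("trace-ok", TRACE_OK)):
        print(name, "ping:", ping(pol), "trace:", traceroute(pol, hops=4))
```

A stateful firewall may pass the returning ICMP errors as related traffic without explicit rules; the stateless model above lists them so that every packet the trace depends on is visible.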

New Member

Re: PING works, TRACE doesn't...

Thanks Edison, that makes perfect sense!  I'll have a word with the FW guys.

Thanks once again!

Simon