topic trace route to ISE interface in Network Access Control

trace route to ISE interface

benbroadfoot — Mon, 30 Jan 2023 22:37:23 GMT

Hi there,

I am attempting to do a trace route from a switch to an interface I have on a my ISE server however it is getting blocked. Does ISE (v2.6.0.156) have some sort of firewall that could be blocking the trace attempt?

Thanks!

Re: trace route to ISE interface

MHM Cisco World — Mon, 30 Jan 2023 23:59:11 GMT

first try ping,
are ping success ?

Re: trace route to ISE interface

benbroadfoot — Tue, 31 Jan 2023 00:19:04 GMT

yes it pings fine, just stops on tracert - see png

Re: trace route to ISE interface

Marcelo Morais — Tue, 31 Jan 2023 01:43:25 GMT

Hi @benbroadfoot ,

about " ... have some sort of firewall that could be blocking the trace attempt... " ... at CLI, use the following command and search for iptables:

ise/admin# show tech-support
...
*****************************************
Running iptables -nvL...
*****************************************
...

Note: I'm able to traceroute an ISE on version 2.7.

Hope this helps !!

Re: trace route to ISE interface

benbroadfoot — Tue, 31 Jan 2023 04:02:37 GMT

Thanks for the info @Marcelo Morais!

I have attached a screen shot of the start of the iptables section of the tech-support - what am I looking for exactly?

Re: trace route to ISE interface

Marcelo Morais — Tue, 31 Jan 2023 13:46:07 GMT

Hi @benbroadfoot ,

the iptables looks fine !!!

Please try the following two options:

1. If you have another ISE Node, try to traceroute from Node 2 to Node 1:

iseNode2/admin# traceroute <IP Addr of iseNode1>
traceroute to <IP Addr of iseNode1> (<IP Addr of iseNode1>), 30 hops max, 60 byte packets
1 <IP Addr of iseNode1> 0.469 ms 0.450 ms 0.449 ms

2. try to traceroute from your PC to Node 1 (using the following command) to check if the packet arrives at Node 1:

iseNode1/admin# tech dumptcp 0 | inc ICMP

10:35:05.130657 IP (tos 0x48, ttl 1, id 61535, offset 0, flags [none], proto ICMP (1), length 92)
<your PC IP Addr> > <IP Addr oof iseNode1>: ICMP echo request, id 1, seq 255, length 72

Hope this helps !!!

Re: trace route to ISE interface

MHM Cisco World — Tue, 31 Jan 2023 15:00:26 GMT

friend use traceroute with source IP
source IP is the IP you add to ISE for router/SW

Re: trace route to ISE interface

benbroadfoot — Tue, 31 Jan 2023 21:31:51 GMT

Thanks @Marcelo Morais not sure why I didn't try this initially! I AM able to tracert to the ISE interface from a PC so I'm guessing the issue isn't with ISE at all. Strange it will not allow me from a switch but will allow me from a PC?

Thanks again for your tips!

Re: trace route to ISE interface

Marcelo Morais — Wed, 01 Feb 2023 02:27:17 GMT

@benbroadfoot , glad to be of help !!!