03-12-2009 10:59 PM
I'm having problems with traceroute on my servers sitting behind our ACE module. The module is in routed mode and is performing all NAT to the Internet.
When I try to traceroute to any external IP, each hop's answer has the same IP address (final destination IP).
Servers not behind the ACE do not have this problem.
I've turned ICMP-Guard off and opened ICMP up on every interface with a permit icmp any any ACL.
Any help would be appreciated.
03-17-2009 12:27 AM
Hi,
You need to configure ICMP inspection to fix this behavior. I will have a look at my config and paste an example once I am back in the office. But yes you can get rid of it. :)
Roble
03-17-2009 04:55 AM
You have to configure...
!-ACL defining ICMP-
access-list ICMP line 10 extended permit icmp any any
!-Class Map referencing ACL-
class-map match-all ICMP-INSPECT-L4CLASS
  description ICMP fixup - L4 Class
  2 match access-list ICMP
!-LB Policy which is applied on your client side vlan.
!-Add the class statement and switch on icmp inspection
policy-map multi-match L4-SLB-POLICY
  class ICMP-INSPECT-L4CLASS
    inspect icmp error
!-Client Side VLAN-
!-Apply the service policy otherwise use your existing policy-
interface vlan 3104
  service-policy input L4-SLB-POLICY
Hope it helps
Roble
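Added example, not part of the original thread: a small Python check that recognizes the symptom described in the first post (every intermediate hop answering with the final destination IP), useful for confirming the behavior before and after enabling `inspect icmp error`. It assumes Unix `traceroute -n` style output; both sample outputs are constructed and use documentation address ranges.

```python
import re

IP = r"\d{1,3}(?:\.\d{1,3}){3}"
# Header line: "traceroute to <name> (<ip>), ..."
DEST_RE = re.compile(r"^traceroute to \S+ \((" + IP + r")\)")
# Hop line: "<hop>  <ip>  <rtt> ms ..."; timed-out hops ("* * *") do not match
HOP_RE = re.compile(r"^\s*(\d+)\s+(" + IP + r")\s")

def parse_traceroute(text):
    """Return (destination_ip, [(hop_number, responder_ip), ...])."""
    dest, hops = None, []
    for line in text.splitlines():
        m = DEST_RE.match(line)
        if m:
            dest = m.group(1)
            continue
        m = HOP_RE.match(line)
        if m:
            hops.append((int(m.group(1)), m.group(2)))
    return dest, hops

def masked_hops(text):
    """Hop numbers, before the last responding hop, that answered as the destination."""
    dest, hops = parse_traceroute(text)
    if dest is None or not hops:
        return []
    last = hops[-1][0]
    return [n for n, ip in hops if ip == dest and n < last]

# Constructed sample: the symptom from the first post (server behind the NAT device)
BEHIND_ACE = """traceroute to 203.0.113.10 (203.0.113.10), 30 hops max, 60 byte packets
 1  203.0.113.10  0.412 ms  0.398 ms  0.371 ms
 2  203.0.113.10  1.204 ms  1.187 ms  1.165 ms
 3  203.0.113.10  4.871 ms  4.850 ms  4.829 ms
 4  203.0.113.10  9.332 ms  9.310 ms  9.298 ms
"""

# Constructed sample: expected output, each hop reporting its own address
NORMAL = """traceroute to 203.0.113.10 (203.0.113.10), 30 hops max, 60 byte packets
 1  192.0.2.1  0.402 ms  0.388 ms  0.361 ms
 2  198.51.100.1  1.214 ms  1.197 ms  1.175 ms
 3  * * *
 4  203.0.113.10  9.332 ms  9.310 ms  9.298 ms
"""

if __name__ == "__main__":
    print("behind ACE, masked hops:", masked_hops(BEHIND_ACE))
    print("normal path, masked hops:", masked_hops(NORMAL))
```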
07-10-2009 08:03 AM
Hmmm, funny thing. I had the same problem. Looked everywhere to find a solution, and then came here before opening a TAC. Going to try out the solution given above in a couple of days after the weekend. AW, thanks a lot for sharing the experience.
Any idea why the ACE modifies the source IP of the "TTL expired in transit" packets when traversing through it?
07-12-2009 08:06 PM
Has anyone else had this problem? I would like to find out the reason behind this.
07-13-2009 09:49 PM
03-13-2013 07:04 AM
I know you first dealt with this years ago but I have just experienced it for the first time with an ACE30 running 5.2.1 code. Your solution fixed the issue but I am curious if you ever discovered why it is happening. I am working with Cisco currently but they have failed to provide a reasonable explanation as to why this happens with the ACE module.
Thanks
Tony
03-14-2013 09:49 PM
Hi All,
Could you provide an output showing exactly what you guys mean?
Jorge