ACE - Traceroute showing same IP for each hop
03-12-2009 10:59 PM
I'm having problems with traceroute on my servers sitting behind our ACE module. The module is in routed mode and is performing all NAT to the Internet.
When I try to traceroute to any external IP, each hop's answer has the same IP address (final destination IP).
Servers not behind the ACE do not have this problem.
I've turned ICMP-Guard off and opened ICMP up on every interface with a permit icmp any any ACL.
Any help would be appreciated.
03-17-2009 12:27 AM
Hi,
You need to configure ICMP inspection to fix this behavior. I will have a look at my config and paste an example once I am back in the office. But yes, you can get rid of it. :)
Roble
03-17-2009 04:55 AM
You have to configure...

!-ACL defining ICMP-
access-list ICMP line 10 extended permit icmp any any

!-Class Map referencing ACL-
class-map match-all ICMP-INSPECT-L4CLASS
  description ICMP fixup - L4 Class
  2 match access-list ICMP

!-LB Policy which is applied on your client side vlan.
!-Add the class statement and switch on icmp inspection
policy-map multi-match L4-SLB-POLICY
  class ICMP-INSPECT-L4CLASS
    inspect icmp error

!-Client Side VLAN-
!-Apply the service policy otherwise use your existing policy-
interface vlan 3104
  service-policy input L4-SLB-POLICY

Hope it helps
Roble
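
A quick way to confirm the symptom described in this thread before and after applying the configuration above, as an added example that is not part of the original posts: the script parses numeric traceroute output (`traceroute -n` or `tracert -d` style) and reports whether every intermediate hop answered with the destination address. The function names, sample outputs and addresses are constructed for illustration.

```python
import re

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOP = re.compile(r"^\s*(\d+)\s+(.*)$")   # hop lines start with the hop number

def parse_hops(output):
    """Return (destination, [(hop_number, responder_ip or None), ...])."""
    dest, hops = None, []
    for line in output.splitlines():
        m = HOP.match(line)
        if m:
            # First IPv4 on the line is the responder; "* * *" yields None.
            ips = IPV4.findall(m.group(2))
            hops.append((int(m.group(1)), ips[0] if ips else None))
        elif dest is None:
            # Header line ("traceroute to ..." / "Tracing route to ...").
            ips = IPV4.findall(line)
            if ips:
                dest = ips[0]
    return dest, hops

def hops_masked(output):
    """True when every answering hop before the last reports the destination IP."""
    dest, hops = parse_hops(output)
    intermediate = [ip for _, ip in hops[:-1] if ip is not None]
    return bool(intermediate) and all(ip == dest for ip in intermediate)

# Constructed sample: the symptom from the first post (every hop shows the target).
BROKEN = """
traceroute to 198.51.100.7 (198.51.100.7), 30 hops max, 60 byte packets
 1  198.51.100.7  0.412 ms  0.380 ms  0.377 ms
 2  198.51.100.7  1.201 ms  1.188 ms  1.150 ms
 3  198.51.100.7  4.910 ms  4.876 ms  4.850 ms
"""

# Constructed sample: distinct responders per hop, one hop timing out.
FIXED = """
traceroute to 198.51.100.7 (198.51.100.7), 30 hops max, 60 byte packets
 1  10.1.4.1  0.398 ms  0.371 ms  0.360 ms
 2  192.0.2.1  1.190 ms  1.177 ms  1.162 ms
 3  * * *
 4  198.51.100.7  4.905 ms  4.880 ms  4.861 ms
"""

if __name__ == "__main__":
    for name, text in (("before", BROKEN), ("after", FIXED)):
        print(name, "-> hops masked:", hops_masked(text))
```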
07-10-2009 08:03 AM
Hmmm, funny thing. I had the same problem. Looked everywhere to find a solution, and then came here before opening a TAC. Going to try out the solution given above in a couple of days after the weekend. AW, thanks a lot for sharing the experience.
Any idea why the ACE modifies the source IP of the "TTL expired in transit" packets when traversing through it?
07-12-2009 08:06 PM
Has anyone else had this problem? I would like to find out the reason behind this.
07-13-2009 09:49 PM
I tried this solution but it didn't work. Then I issued a "show access-list ICMP"
and the ACE says that the status of the ICMP access-list is "not active".
Attached is my config. Can someone help me debug this, please?
Din
03-13-2013 07:04 AM
I know you first dealt with this years ago but I have just experienced it for the first time with an ACE30 running 5.2.1 code. Your solution fixed the issue but I am curious if you ever discovered why it is happening. I am working with Cisco currently but they have failed to provide a reasonable explanation as to why this happens with the ACE module.
Thanks
Tony

03-14-2013 09:49 PM
Hi All,
Could you provide an output showing exactly what you guys mean?
Jorge
