ICMP inspection

Amadou TOURE
Level 1

Hello,

I configured ICMP inspection on the ACE module [system: Version A2(3.3) [build 3.0(0)A2(3.3)]], but I'm not able to see any packets in the counters with show service-policy name; all counters are empty. How would I see whether ICMP packet inspection is operational and show stats?

Thanks

ACE-1/non-prod#   sh service-policy ICMP_INSPECT_POLICY
Status     : ACTIVE
-----------------------------------------
Interface: vlan 65
  service-policy: ICMP_INSPECT_POLICY
    class: ICMP_INSPECT_CLASS
      inspect icmp:
        icmp error: DISABLED
        curr conns       : 0         , hit count        : 0
        dropped conns    : 0
        client pkt count : 0         , client byte count: 0
        server pkt count : 0         , server byte count: 0
        conn-rate-limit      : 0         , drop-count : 0
        bandwidth-rate-limit : 0         , drop-count : 0

config :

access-list icmp line 8 extended permit icmp any any
access-list ANYONE line 1 extended permit ip any any

class-map match-any ICMP_INSPECT_CLASS
  description Class for ICMP Inspection
  2 match access-list icmp

policy-map multi-match ICMP_INSPECT_POLICY
  class ICMP_INSPECT_CLASS
    inspect icmp

interface vlan 65
  ip address 172.16.128.8 255.255.255.0
  mac-sticky enable
  access-group input ANYONE
  access-group output ANYONE
  nat-pool 1 172.16.128.252 172.16.128.254 netmask 255.255.255.255 pat
  service-policy input VIPS
  service-policy input REMOTE_MGMT_POLICY
  service-policy input ICMP_INSPECT_POLICY
  no shutdown


2 Replies

Jorge Bejarano
Level 4

Amadou,

What if you include the ACL line under interface VLAN 65?

interface vlan 65
  ip address 172.16.128.8 255.255.255.0
  mac-sticky enable
  access-group input ANYONE
  access-group output ANYONE
  access-group input icmp --------------> include this!
  nat-pool 1 172.16.128.252 172.16.128.254 netmask 255.255.255.255 pat
  service-policy input VIPS
  service-policy input REMOTE_MGMT_POLICY
  service-policy input ICMP_INSPECT_POLICY
  no shutdown

Please try that and then upload these outputs:

#   sh service-policy ICMP_INSPECT_POLICY
#   sh service-policy VIPS -----------> just to see if your ACE is receiving traffic

After that I may try with:

interface vlan 65
  no normalization ---> this line!

Jorge

Hello Jorge,

Thanks for your reply... to clarify a bit, from a client PC I can ping servers and VIPs, but I want to have stats on ICMP inspect to be sure that ICMP packets are being inspected.

The command show conn | in ICMP shows ICMP sessions even if ICMP inspection and icmp-guard are not applied on the interface.

The line "access-group input icmp" does not apply on the interface because access-list ANYONE is already applied (Error: An access-list of the same type has been already activated on the interface).

I also applied "no normalization", but the output for the ICMP_INSPECT and VIPS policies is still the same.

Here they are:


ACE-1/non-prod# show service-policy VIPS
Status     : ACTIVE
-----------------------------------------
Interface: vlan 65
  service-policy: VIPS
    class: MAX_L4VIP_HTTP
      loadbalance:
        L7 loadbalance policy: REDIRECT_L7PLB_HTTP
        VIP Route Metric     : 77
        VIP Route Advertise  : ENABLED-WHEN-ACTIVE
        VIP ICMP Reply       : ENABLED-WHEN-ACTIVE
        VIP State: INSERVICE
        curr conns       : 0         , hit count        : 0
        dropped conns    : 0
        client pkt count : 0         , client byte count: 0
        server pkt count : 0         , server byte count: 0
        conn-rate-limit      : 0         , drop-count : 0
        bandwidth-rate-limit : 0         , drop-count : 0
    class: MAX_L4VIP_HTTPS
      ssl-proxy server: MAX_SSL_PROXY_SERVER
      nat:
        nat dynamic 1 vlan 65
        curr conns       : 0         , hit count        : 0
        dropped conns    : 0
        client pkt count : 0         , client byte count: 0
        server pkt count : 0         , server byte count: 0
        conn-rate-limit      : 0         , drop-count : 0
        bandwidth-rate-limit : 0         , drop-count : 0
      loadbalance:
        L7 loadbalance policy: MAX_L7PLB_HTTPS
        Regex dnld status    : SUCCESSFUL
        VIP Route Metric     : 77
        VIP Route Advertise  : ENABLED-WHEN-ACTIVE
        VIP ICMP Reply       : ENABLED-WHEN-ACTIVE
        VIP State: INSERVICE
        curr conns       : 0         , hit count        : 4
        dropped conns    : 0
        client pkt count : 34        , client byte count: 4129
        server pkt count : 9         , server byte count: 1928
        conn-rate-limit      : 0         , drop-count : 0
        bandwidth-rate-limit : 0         , drop-count : 0
        Parameter-map(s):
          HTTP_PARAM_MAP
    class: class-default
        Parameter-map(s):
          TCP_PARAM_MAP
ACE-1/non-prod#

ACE-1/non-prod# sh service-policy ICMP_INSPECT_POLICY
Status     : ACTIVE
-----------------------------------------
Interface: vlan 65
  service-policy: ICMP_INSPECT_POLICY
    class: ICMP_INSPECT_CLASS
      inspect icmp:
        icmp error: DISABLED
        curr conns       : 0         , hit count        : 0
        dropped conns    : 0
        client pkt count : 0         , client byte count: 0
        server pkt count : 0         , server byte count: 0
        conn-rate-limit      : 0         , drop-count : 0
        bandwidth-rate-limit : 0         , drop-count : 0
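The check the thread is circling around, whether an attached inspection policy is actually matching traffic, comes down to reading the per-class counters in show service-policy. The script below is an added example, not code from the thread, from Cisco or from the ACE itself: it parses output in the shape quoted above (assumption: the real ACE output keeps the "name : value" layout and indentation seen here), maps each policy and class to its integer counters, and reports classes whose hit and packet counters are all zero. The embedded sample output is constructed for the example and mirrors the poster's numbers (ICMP class all zeros, HTTPS VIP with 4 hits and 34/9 packets). The helper names parse_service_policy, traffic_seen and idle_classes are the example's own.

```python
import re

# Constructed sample input (not captured from the poster's device): two
# service-policy blocks in the shape of the "show service-policy" output
# quoted in the thread. Assumption: real ACE output keeps this layout.
SAMPLE_OUTPUT = """\
Status     : ACTIVE
-----------------------------------------
Interface: vlan 65
  service-policy: ICMP_INSPECT_POLICY
    class: ICMP_INSPECT_CLASS
      inspect icmp:
        icmp error: DISABLED
        curr conns       : 0         , hit count        : 0
        dropped conns    : 0
        client pkt count : 0         , client byte count: 0
        server pkt count : 0         , server byte count: 0
        conn-rate-limit      : 0         , drop-count : 0
        bandwidth-rate-limit : 0         , drop-count : 0
Interface: vlan 65
  service-policy: VIPS
    class: MAX_L4VIP_HTTPS
      loadbalance:
        VIP State: INSERVICE
        curr conns       : 0         , hit count        : 4
        dropped conns    : 0
        client pkt count : 34        , client byte count: 4129
        server pkt count : 9         , server byte count: 1928
        conn-rate-limit      : 0         , drop-count : 0
        bandwidth-rate-limit : 0         , drop-count : 0
"""

# One "name : integer" field; counter lines carry one or two of these,
# separated by a comma. Non-numeric fields (Status, VIP State, ...) do not match.
FIELD_RE = re.compile(r"^\s*([\w-][\w -]*?)\s*:\s*(\d+)\s*$")

# Counters that prove the class has matched something.
TRAFFIC_FIELDS = ("hit count", "client pkt count", "server pkt count")


def parse_service_policy(text):
    """Parse 'show service-policy' output into {policy: {class: {field: int}}}."""
    policies = {}
    policy = cls = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("service-policy:"):
            policy = line.split(":", 1)[1].strip()
            cls = None
            policies.setdefault(policy, {})
            continue
        if line.startswith("class:"):
            cls = line.split(":", 1)[1].strip()
            if policy is not None:
                policies[policy].setdefault(cls, {})
            continue
        if policy is None or cls is None:
            continue
        first_key = None
        for part in line.split(","):
            m = FIELD_RE.match(part)
            if not m:
                continue
            key, value = m.group(1), int(m.group(2))
            # "drop-count" appears on both rate-limit lines; qualify it with
            # the line's leading field so the two counters stay distinct.
            if key == "drop-count" and first_key:
                key = f"{first_key} drop-count"
            if first_key is None:
                first_key = key
            policies[policy][cls][key] = value
    return policies


def traffic_seen(policies, policy_name):
    """True if any class under the policy has at least one hit or packet."""
    return any(
        counters.get(field, 0) > 0
        for counters in policies.get(policy_name, {}).values()
        for field in TRAFFIC_FIELDS
    )


def idle_classes(policies):
    """(policy, class) pairs whose traffic counters are all zero: attached but never matching."""
    return [
        (policy, cls)
        for policy, classes in policies.items()
        for cls, counters in classes.items()
        if not any(counters.get(field, 0) > 0 for field in TRAFFIC_FIELDS)
    ]


if __name__ == "__main__":
    parsed = parse_service_policy(SAMPLE_OUTPUT)
    for policy, cls in idle_classes(parsed):
        print(f"{policy}/{cls}: no hits or packets, class is not matching traffic")
```

Run it against a saved show service-policy capture to get a quick list of classes that are attached to an interface but have never matched; on the thread's own numbers it flags ICMP_INSPECT_CLASS and leaves the HTTPS VIP alone, which is exactly the discrepancy the poster is trying to confirm.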
