06-07-2013 06:45 AM
Hello,
I configured ICMP inspection on the ACE module [system: Version A2(3.3) [build 3.0(0)A2(3.3)]], but I'm not able to see any packets in the counters with show service-policy <name>; all counters are empty. How would I see if ICMP packet inspection is operational and show stats?
Thanks
ACE-1/non-prod# sh service-policy ICMP_INSPECT_POLICY
Status : ACTIVE
-----------------------------------------
Interface: vlan 65
service-policy: ICMP_INSPECT_POLICY
class: ICMP_INSPECT_CLASS
inspect icmp:
icmp error: DISABLED
curr conns : 0 , hit count : 0
dropped conns : 0
client pkt count : 0 , client byte count: 0
server pkt count : 0 , server byte count: 0
conn-rate-limit : 0 , drop-count : 0
bandwidth-rate-limit : 0 , drop-count : 0
config :
access-list icmp line 8 extended permit icmp any any
access-list ANYONE line 1 extended permit ip any any
class-map match-any ICMP_INSPECT_CLASS
description Class for ICMP Inspection
2 match access-list icmp
policy-map multi-match ICMP_INSPECT_POLICY
class ICMP_INSPECT_CLASS
inspect icmp
interface vlan 65
ip address 172.16.128.8 255.255.255.0
mac-sticky enable
access-group input ANYONE
access-group output ANYONE
nat-pool 1 172.16.128.252 172.16.128.254 netmask 255.255.255.255 pat
service-policy input VIPS
service-policy input REMOTE_MGMT_POLICY
service-policy input ICMP_INSPECT_POLICY
no shutdown
06-08-2013 08:46 AM
Amadou,
What about if you include the ACL line under the interface VLAN 65?
interface vlan 65
ip address 172.16.128.8 255.255.255.0
mac-sticky enable
access-group input ANYONE
access-group output ANYONE
access-group input icmp --------------> include this!
nat-pool 1 172.16.128.252 172.16.128.254 netmask 255.255.255.255 pat
service-policy input VIPS
service-policy input REMOTE_MGMT_POLICY
service-policy input ICMP_INSPECT_POLICY
no shutdown
Please try that and then upload these outputs:
# sh service-policy ICMP_INSPECT_POLICY
# sh service-policy VIPS -----------> just to see if your ACE is receiving traffic
After that I may try with;
interface vlan 65
no normalization ---> this line!
Jorge
06-10-2013 06:23 AM
Hello Jorge,
Thanks for your reply. To clarify a bit: from a client PC I can ping servers and VIPs, but I want to have stats on ICMP inspect to be sure that ICMP packets are being inspected.
The command show conn | in ICMP shows ICMP sessions even if ICMP inspection and icmp-guard are not applied on the interface.
The line "access-group input icmp" does not apply on the interface because access-list ANYONE is already applied (Error: An access-list of the same type has been already activated on the interface).
I also applied "no normalization", but the output for the ICMP_INSPECT and VIPS policies is still the same.
Here they are:
ACE-1/non-prod# show service-policy VIPS
Status : ACTIVE
-----------------------------------------
Interface: vlan 65
service-policy: VIPS
class: MAX_L4VIP_HTTP
loadbalance:
L7 loadbalance policy: REDIRECT_L7PLB_HTTP
VIP Route Metric : 77
VIP Route Advertise : ENABLED-WHEN-ACTIVE
VIP ICMP Reply : ENABLED-WHEN-ACTIVE
VIP State: INSERVICE
curr conns : 0 , hit count : 0
dropped conns : 0
client pkt count : 0 , client byte count: 0
server pkt count : 0 , server byte count: 0
conn-rate-limit : 0 , drop-count : 0
bandwidth-rate-limit : 0 , drop-count : 0
class: MAX_L4VIP_HTTPS
ssl-proxy server: MAX_SSL_PROXY_SERVER
nat:
nat dynamic 1 vlan 65
curr conns : 0 , hit count : 0
dropped conns : 0
client pkt count : 0 , client byte count: 0
server pkt count : 0 , server byte count: 0
conn-rate-limit : 0 , drop-count : 0
bandwidth-rate-limit : 0 , drop-count : 0
loadbalance:
L7 loadbalance policy: MAX_L7PLB_HTTPS
Regex dnld status : SUCCESSFUL
VIP Route Metric : 77
VIP Route Advertise : ENABLED-WHEN-ACTIVE
VIP ICMP Reply : ENABLED-WHEN-ACTIVE
VIP State: INSERVICE
curr conns : 0 , hit count : 4
dropped conns : 0
client pkt count : 34 , client byte count: 4129
server pkt count : 9 , server byte count: 1928
conn-rate-limit : 0 , drop-count : 0
bandwidth-rate-limit : 0 , drop-count : 0
Parameter-map(s):
HTTP_PARAM_MAP
class: class-default
Parameter-map(s):
TCP_PARAM_MAP
ACE-1/non-prod#
ACE-1/non-prod# sh service-policy ICMP_INSPECT_POLICY
Status : ACTIVE
-----------------------------------------
Interface: vlan 65
service-policy: ICMP_INSPECT_POLICY
class: ICMP_INSPECT_CLASS
inspect icmp:
icmp error: DISABLED
curr conns : 0 , hit count : 0
dropped conns : 0
client pkt count : 0 , client byte count: 0
server pkt count : 0 , server byte count: 0
conn-rate-limit : 0 , drop-count : 0
bandwidth-rate-limit : 0 , drop-count : 0
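As an added example (not from the thread and not a Cisco tool), a small Python parser for the show service-policy output format shown above: it reads the per-class, per-feature counters and reports which classes have still not counted any hit or packet, which is the check the thread is after. The sample text is constructed and abbreviated from the outputs posted here.

```python
import re

# Constructed samples, abbreviated from the output format shown in this thread.
SAMPLE_ICMP = """\
service-policy: ICMP_INSPECT_POLICY
class: ICMP_INSPECT_CLASS
inspect icmp:
icmp error: DISABLED
curr conns : 0 , hit count : 0
client pkt count : 0 , client byte count: 0
server pkt count : 0 , server byte count: 0
"""
SAMPLE_VIPS = """\
service-policy: VIPS
class: MAX_L4VIP_HTTPS
nat:
curr conns : 0 , hit count : 0
client pkt count : 0 , client byte count: 0
loadbalance:
curr conns : 0 , hit count : 4
client pkt count : 34 , client byte count: 4129
server pkt count : 9 , server byte count: 1928
"""
# "name : 123" pairs; one output line may carry two, separated by " , ".
COUNTER_RE = re.compile(r"([A-Za-z][-\w ]*?)\s*:\s*(\d+)")
TRAFFIC_KEYS = ("hit count", "client pkt count", "server pkt count")

def parse_service_policy(text):
    """Map (class, feature) -> {counter: value} for one show service-policy output."""
    stats, cls, feature = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(("Interface:", "service-policy:")):
            cls = feature = None  # a new policy block starts
        elif line.startswith("class:"):
            cls, feature = line.split(":", 1)[1].strip(), None
        elif cls and line.endswith(":") and not COUNTER_RE.search(line):
            feature = line.rstrip(":").strip()  # e.g. "inspect icmp", "nat"
        elif cls and feature:  # non-counter lines such as "icmp error: DISABLED" yield no pairs
            for name, value in COUNTER_RE.findall(line):
                stats.setdefault((cls, feature), {})[name.strip()] = int(value)
    return stats

def class_saw_traffic(stats, cls, feature):
    """True once that class/feature has counted a hit or a packet."""
    counters = stats.get((cls, feature), {})
    return any(counters.get(k, 0) > 0 for k in TRAFFIC_KEYS)

def idle_classes(stats):  # (class, feature) pairs whose traffic counters are all zero
    return sorted(k for k in stats if not class_saw_traffic(stats, *k))
```

Run against the two outputs above, the VIPS loadbalance section shows traffic while the inspect icmp section of ICMP_INSPECT_CLASS is reported idle, matching what the thread observes.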