Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
974
Views
20
Helpful
8
Replies

trace route to ISE interface

Go to solution
benbroadfoot
Level 1
Level 1

‎01-30-2023 02:37 PM

Hi there,

I am attempting to do a trace route from a switch to an interface I have on a my ISE server however it is getting blocked. Does ISE (v2.6.0.156) have some sort of firewall that could be blocking the trace attempt?

 

Thanks!

1 Accepted Solution

Accepted Solutions

Go to solution
Marcelo Morais
VIP
VIP
In response to benbroadfoot

‎01-31-2023 05:44 AM - edited ‎01-31-2023 05:46 AM

Hi @benbroadfoot ,

 the iptables looks fine !!!

 Please try the following two options:

1. If you have another ISE Node, try to traceroute from Node 2 to Node 1:

iseNode2/admin# traceroute <IP Addr of iseNode1>
traceroute to <IP Addr of iseNode1> (<IP Addr of iseNode1>), 30 hops max, 60 byte packets
1 <IP Addr of iseNode1> 0.469 ms 0.450 ms 0.449 ms

 

2. try to traceroute from your PC to Node 1 (using the following command) to check if the packet arrives at Node 1:

iseNode1/admin# tech dumptcp 0 | inc ICMP

10:35:05.130657 IP (tos 0x48, ttl 1, id 61535, offset 0, flags [none], proto ICMP (1), length 92)
<your PC IP Addr> > <IP Addr oof iseNode1>: ICMP echo request, id 1, seq 255, length 72

 

Hope this helps !!!

View solution in original post

8 Replies 8

Go to solution
MHM Cisco World
VIP
VIP

‎01-30-2023 03:59 PM

first try ping,
are ping success ?

0 Helpful

Go to solution
benbroadfoot
Level 1
Level 1
In response to MHM Cisco World

‎01-30-2023 04:19 PM

yes it pings fine, just stops on tracert - see png

Preview file
89 KB
0 Helpful

Go to solution
Marcelo Morais
VIP
VIP

‎01-30-2023 05:43 PM

Hi @benbroadfoot ,

 about " ... have some sort of firewall that could be blocking the trace attempt... " ... at CLI, use the following command and search for iptables:

ise/admin# show tech-support
...
*****************************************
Running iptables -nvL...
*****************************************
...

Note: I'm able to traceroute an ISE on version 2.7.

Hope this helps !!

Go to solution
benbroadfoot
Level 1
Level 1

‎01-30-2023 08:02 PM

Thanks for the info @Marcelo Morais!

I have attached a screen shot of the start of the iptables section of the tech-support - what am I looking for exactly?

Preview file
381 KB
0 Helpful

Go to solution
Marcelo Morais
VIP
VIP
In response to benbroadfoot

‎01-31-2023 05:44 AM - edited ‎01-31-2023 05:46 AM

Hi @benbroadfoot ,

 the iptables looks fine !!!

 Please try the following two options:

1. If you have another ISE Node, try to traceroute from Node 2 to Node 1:

iseNode2/admin# traceroute <IP Addr of iseNode1>
traceroute to <IP Addr of iseNode1> (<IP Addr of iseNode1>), 30 hops max, 60 byte packets
1 <IP Addr of iseNode1> 0.469 ms 0.450 ms 0.449 ms

 

2. try to traceroute from your PC to Node 1 (using the following command) to check if the packet arrives at Node 1:

iseNode1/admin# tech dumptcp 0 | inc ICMP

10:35:05.130657 IP (tos 0x48, ttl 1, id 61535, offset 0, flags [none], proto ICMP (1), length 92)
<your PC IP Addr> > <IP Addr oof iseNode1>: ICMP echo request, id 1, seq 255, length 72

 

Hope this helps !!!

Go to solution
benbroadfoot
Level 1
Level 1
In response to Marcelo Morais

‎01-31-2023 01:31 PM

Thanks @Marcelo Morais not sure why I didn't try this initially! I AM able to tracert to the ISE interface from a PC so I'm guessing the issue isn't with ISE at all. Strange it will not allow me from a switch but will allow me from a PC?

Thanks again for your tips!

0 Helpful

Go to solution
Marcelo Morais
VIP
VIP
In response to benbroadfoot

‎01-31-2023 06:27 PM

@benbroadfoot , glad to be of help !!!

0 Helpful

Go to solution
MHM Cisco World
VIP
VIP

‎01-31-2023 07:00 AM

friend use traceroute with source IP
source IP is the IP you add to ISE for router/SW

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents