Pix 7.0 and traceroute failing intermediate hops

jlangford (Level 1)

We upgraded our PIXs to 7.0(2) and now cannot see intermediate hops with a traceroute to outside. As a workaround I enabled inspect icmp error. This resolved the traceroute but stopped PMTU working (we need PMTU for sessions going via a VPN), so I had to remove it.

I have the following icmp access enabled:

permit icmp any any time-exceeded

permit icmp any any unreachable

permit icmp any any echo-reply

I can see the time-exceeded messages being sent back, but the PIX stops them:

ICMP: time exceeded (time to live) sent to x.x.x.x (dest was x.x.x.x)

Anyone else seen this, or have any ideas?

4 Replies

gfullage (Cisco Employee)

In 7.0 you need the "inspect icmp error" command in the global service-policy for traceroutes to work. This should not be breaking PMTUD though, so we need to look at that further.

Did you get any icmp debugs off the PIX when PMTUD was not working? Can you use the capture command in the PIX on both the interfaces that the traffic traverses to see if the packets are getting dropped?

I see you opened case 602164577 on this that mentions only VPN traffic is affected, but there's no VPN configured on your PIX, so can you explain a bit about the setup you have here? Did you remove the access-list on the interface (the one that allows ICMP Unreachables) after configuring the "inspect icmp error"? What if you leave the access-list in place, in addition to the inspect icmp, do both PMTUD and traceroute then work?

The VPN is not terminated on the PIX but on a separate VPN device (Cisco VPN router).

I did not remove the access list. I left both the inspect icmp error and the access lists in place, and the PMTU stopped working.

I have captured the icmp debugs which show a difference in the way the ICMP unreachables are NAT'd with the inspect icmp error enabled:

Note: I have changed the IP addresses

inspect icmp error enabled:

Pix inside:

10.90.200.7 > 10.90.100.97: icmp: 10.10.2.102 unreachable - need to frag (mtu 1400)

Pix outside:

10.90.100.168 > 10.90.100.97: icmp: 10.10.2.102 unreachable - need to frag (mtu 1400)

where

10.90.200.7 = VPN router

10.90.100.168 = PAT address in PIX

10.90.100.97 = Server

no inspect icmp error - session works:

Pix inside:

10.90.200.7 > 10.90.100.97: icmp: 10.10.2.102 unreachable - need to frag (mtu 1400)

Pix outside:

10.90.200.7 > 10.90.100.97: icmp: 10.10.2.102 unreachable - need to frag (mtu 1400)

where

10.90.200.7 = VPN router

10.90.100.97 = Server

I have a workaround by excluding the VPN router to Host IP addresses in the NAT list.

It does not appear correct that I have to do this?
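The configuration that gfullage's reply calls for, together with the captures the last post compares, as an added example that is not from the thread and not Cisco's own text: a PIX 7.0 global service-policy with inspect icmp error, the interface ACL for the three ICMP types the original post permits, and a capture on each interface so the outer source of an ICMP error can be compared on both sides of the PIX. The interface ACL, capture ACL and capture names (outside_in, icmp_cap, capin, capout) are assumed placeholders; global_policy and inspection_default are the 7.0 default names, so adjust them if your box uses others.

```cisco
! Added example, not from the thread. Names marked "assumed" are
! placeholders; replace them with the ones in your configuration.
!
! Interface ACL (name assumed): the three ICMP error/reply types the
! original post permits inbound on the outside interface.
access-list outside_in extended permit icmp any any time-exceeded
access-list outside_in extended permit icmp any any unreachable
access-list outside_in extended permit icmp any any echo-reply
access-group outside_in in interface outside
!
! 7.0 global service-policy. inspect icmp error is the command the
! reply says traceroute needs; inspect icmp itself is left out to
! match the thread (the ACL above admits the echo-replies).
class-map inspection_default
 match default-inspection-traffic
!
policy-map global_policy
 class inspection_default
  inspect icmp error
!
service-policy global_policy global
!
! Captures on both interfaces (names assumed) to see whether the outer
! source of an ICMP error is rewritten as it crosses the PIX.
access-list icmp_cap extended permit icmp any any
capture capin access-list icmp_cap interface inside
capture capout access-list icmp_cap interface outside
!
! Then compare the two sides, e.g. while a large transfer runs:
!   show capture capin
!   show capture capout
!   debug icmp trace
```

What to look for: with inspect icmp error enabled the PIX creates a translation for the intermediate hop that generated the ICMP error according to the NAT rules that cover it, and rewrites the error's outer IP header with the translated address. That is what the captures in the last post show, the VPN router's 10.90.200.7 appearing as the PAT address 10.90.100.168 on the outside once the inspection is on, and it is why exempting the VPN router-to-host traffic from NAT changes the behaviour. If the two captures show the same outer source, the ICMP error is not being translated; if they differ, the source address the far host receives is the one produced by your NAT configuration, so check which nat/global or static rule the intermediate hop falls under before deciding whether that is the behaviour you want.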
