Missing 'debug ip packet detail' output even with 'no ip route-cache'

zkhoja
Level 1

I'm trying to trace an issue we are having with clients in a remote office getting responses back from a server in headquarters with udp source port 88.

I decided to write an IP extended access list (2001) with the following lines and use it for a 'debug ip packet detail' on the _remote_ router...

permit upd any eq 88 any

However, I did not get any output lines even after I turned off fast switching on both the LAN (fa0/0) and WAN (s1/0) interfaces.

So to make sure that the packets were getting to the remote router in the first place I put an inbound access-list on the WAN (s1/0) interface with the following lines...

permit udp any eq 88 any

permit ip any any

... this access list allows all traffic to come in but it will also give me hit counts on packets when I do a 'show access-list'.

Based on the show access-list output I was able to determine that there were packets coming into the remote router's WAN interface sourced from UDP 88.

Next, to make sure it was forwarding those packets on to clients on the remote router's LAN interface I wrote another access list (outbound this time) with the following lines and configured it on fa0/0...

permit udp host MY_LAN_IP eq 88 any

permit udp host MY_WAN_IP eq 88 any

permit udp any eq 88 any

permit ip any any

...sure enough, there were tons of outbound packets going out of fa0/0 that were sourced from udp port 88 and were not generated locally by the router.

So as far as I can tell, packets are coming in that are sourced from headquarters on udp 88 and are destined to clients behind the remote router, and those packets are then getting sent out of the LAN interface on the remote router to get at the clients, but the 'debug ip packet detail' output for that access-list shows absolutely nothing, and the 'show access-list' command indicates 0 hits for that entry on the access list. Even after I turned off fast switching on both the WAN and LAN interfaces using 'no ip route-cache' I got no output and no hits.

Any idea on what I might have missed?

1 Reply

Richard Burts
Hall of Fame

Had you done terminal monitor so that your session would get copies of log messages?

Is it possible that there was a keystroke error in creating the access list used for debugging and the list did not actually have what you intended?

Your approach to demonstrating that there is traffic passing through the router that meets your criteria was very good. Perhaps you could run your test again, clear the counters in the access lists, capture the output of show access list for the access list you will use for debugging, capture the output of the session where you start debugging and the output of show access list for your interface access lists (after the test has run for a little while but there is not any output for debug).

HTH

Rick
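The procedure Rick suggests (clear the counters, let the test run, then compare the counters on the interface access lists and on the debugging access list) is easy to get wrong by eye when several lists are involved. The following script is an added example, not code from the original thread or from Cisco: it parses two captures of 'show access-lists' output taken before and after the test window, reports the per-entry hit-count deltas, and flags any list that was expected but is absent from the capture, which is what you would see if an entry had been rejected at configuration time (IOS drops the whole command on a keystroke error such as a mistyped protocol keyword). The two captures are constructed for this example; the list numbers, host addresses and match counts are assumptions, and list 2001 is deliberately left out of both captures to show the missing-list case.

```python
"""Diff two captures of Cisco IOS 'show access-lists' output.

Added example: parses the before/after captures of the counters on the
interface and debugging access lists, reports which entries actually
matched traffic during the test window, and flags expected lists that
are absent from the capture (for instance because an ACE was rejected).
"""
import re
from typing import Dict, List

# Header line, e.g. "Extended IP access list 101"
ACL_HEADER = re.compile(r"^(?:Standard|Extended) IP access list (\S+)\s*$")
# Entry line: optional sequence number, action, ACE body, optional
# "(N matches)" suffix.  IOS prints no suffix when the count is zero.
ACE_LINE = re.compile(
    r"^\s+(?:(\d+)\s+)?(permit|deny)\s+(.*?)\s*(?:\((\d+) match(?:es)?\))?\s*$"
)


def parse_access_lists(text: str) -> Dict[str, Dict[str, int]]:
    """Return {list_name: {ace_text: match_count}} for a capture."""
    acls: Dict[str, Dict[str, int]] = {}
    current = None
    for line in text.splitlines():
        hdr = ACL_HEADER.match(line)
        if hdr:
            current = hdr.group(1)
            acls[current] = {}
            continue
        ace = ACE_LINE.match(line)
        if ace and current is not None:
            action, body, count = ace.group(2), ace.group(3), ace.group(4)
            acls[current][f"{action} {body}"] = int(count) if count else 0
    return acls


def match_deltas(before: Dict[str, Dict[str, int]],
                 after: Dict[str, Dict[str, int]]) -> Dict[str, Dict[str, int]]:
    """Per-ACE increase in match count between the two captures."""
    deltas: Dict[str, Dict[str, int]] = {}
    for name, aces in after.items():
        prev = before.get(name, {})
        deltas[name] = {ace: n - prev.get(ace, 0) for ace, n in aces.items()}
    return deltas


def missing_lists(expected: List[str], capture: Dict[str, Dict[str, int]]) -> List[str]:
    """Lists you believe you configured but that the router does not show."""
    return [name for name in expected if name not in capture]


def report(before_text: str, after_text: str, expected: List[str]) -> List[str]:
    before = parse_access_lists(before_text)
    after = parse_access_lists(after_text)
    lines = []
    for name in missing_lists(expected, after):
        lines.append(f"access-list {name}: not present in capture "
                     "(entry rejected at configuration time, or never configured?)")
    for name, aces in match_deltas(before, after).items():
        for ace, delta in aces.items():
            flag = "" if delta else "  <- no hits during test window"
            lines.append(f"access-list {name}: {ace}: +{delta}{flag}")
    return lines


# Constructed captures (assumed list numbers, addresses and counts).
# 101 = inbound list on s1/0, 102 = outbound list on fa0/0.  The
# debugging list 2001 is intentionally absent from both captures.
BEFORE = """\
Extended IP access list 101
    10 permit udp any eq 88 any
    20 permit ip any any
Extended IP access list 102
    10 permit udp host 10.1.1.1 eq 88 any
    20 permit udp host 192.0.2.1 eq 88 any
    30 permit udp any eq 88 any
    40 permit ip any any
"""

AFTER = """\
Extended IP access list 101
    10 permit udp any eq 88 any (4521 matches)
    20 permit ip any any (98213 matches)
Extended IP access list 102
    10 permit udp host 10.1.1.1 eq 88 any
    20 permit udp host 192.0.2.1 eq 88 any
    30 permit udp any eq 88 any (4519 matches)
    40 permit ip any any (60240 matches)
"""

if __name__ == "__main__":
    for line in report(BEFORE, AFTER, expected=["101", "102", "2001"]):
        print(line)
```

Run it on real captures by pasting the output of 'show access-lists' taken right after 'clear access-list counters' and again after the test has run. Entries that show +0 on the interface lists tell you the traffic never reached that interface; a list that is missing altogether is the first thing to check before spending more time on the debug itself, since 'debug ip packet detail' with a non-existent list number has nothing to match against.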