How to test ICMP time-exceeded

johnlloyd_13
Level 9

Hi all,

I had a client request to block ICMP requests on their 1841 WAN link. I've got ACL hits for ACE 170 but not for 171.

Can someone advise how to test or simulate ICMP time-exceeded? Is this TTL related, and is there a DOS command or any other way to produce a ping packet with a lower TTL count that would hit the ACL log? Below is the config.

Thanks in advance!

interface FastEthernet0/0
 ip address 202.42.x.y 255.255.255.252
 ip access-group IDS_Fastethernet0/0_in_0 in

ip access-list extended IDS_Fastethernet0/0_in_0
 <SNIP>
 170 deny icmp any any echo log (11189 matches)
 171 deny icmp any any time-exceeded log   <<<

----

PC>ping 202.42.x.y

Pinging 202.42.x.y with 32 bytes of data:
Reply from 202.42.x.y: Destination net unreachable.
Reply from 202.42.x.y: Destination net unreachable.
Reply from 202.42.x.y: Destination net unreachable.
Reply from 202.42.x.y: Destination net unreachable.

Ping statistics for 202.42.x.y:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms


cadet alain
VIP Alumni

Hi,

On Windows, use the -i parameter to select the TTL in the ping command, e.g.:

ping -i 2 8.8.8.8

Reply from *********: TTL expired in transit.
Reply from *********: TTL expired in transit.
Reply from **********: TTL expired in transit.
Reply from **********: TTL expired in transit.

Sorry for the French output, but this is all I have at my disposal here.

Regards.

Alain

Don't forget to rate helpful posts.

Hi Alain,

Thanks for your input. However, I wasn't able to hit any log for ACL 171.

Prior to this test, I observed ACL 171 getting hits and wondered how I could replicate it.

170 deny icmp any any echo log (13441 matches)
171 deny icmp any any time-exceeded log (18254 matches)
180 permit ip any any (82617205 matches)

I've tried testing using TTL values between 5 and 10 but unfortunately got no hits. Any further ideas?

>ping 202.42.x.y -i 8

Pinging 202.42.x.y with 32 bytes of data:
Reply from 192.169.32.182: TTL expired in transit.
Reply from 192.169.32.182: TTL expired in transit.
Reply from 192.169.32.182: TTL expired in transit.
Reply from 192.169.32.182: TTL expired in transit.

Ping statistics for 202.42.x.y:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

>ping 202.42.x.y -i 9

Pinging 202.42.x.y with 32 bytes of data:
Reply from 202.42.x.y: Destination net unreachable.
Reply from 202.42.x.y: Destination net unreachable.
Reply from 202.42.x.y: Destination net unreachable.
Reply from 202.42.x.y: Destination net unreachable.

Ping statistics for 202.42.x.y:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

----

#clear ip access-list counter IDS_Fastethernet0/0_in_0

170 deny icmp any any echo log (20 matches)
171 deny icmp any any time-exceeded log
180 permit ip any any (11596 matches)
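What decides whether ACE 171 increments is the direction the time-exceeded message travels, not only the TTL. An inbound ACL on Fa0/0 is evaluated only on packets that enter that interface from the WAN side. When the outside PC pings the router's WAN address with a low TTL, the upstream router whose decrement reaches zero (192.169.32.182 in the output above) sends the time-exceeded back to the PC; it never reaches the 1841, so ACE 171 cannot see it. When the TTL is large enough for the echo request to arrive, ACE 170 denies it and the router answers from its own address with an ICMP unreachable (administratively prohibited, code 13, unless `no ip unreachables` is configured), which is what the PC shows as "Destination net unreachable". The time-exceeded messages that do arrive inbound on Fa0/0 are the ones upstream routers generate in response to low-TTL packets sent out through that link from behind the router, for example a traceroute run from a LAN host; that is the likely origin of the 18254 matches seen earlier. The following Python model is added here and is not code from the thread: it builds the ICMP headers the ACE keywords match on, applies the poster's ACL in first-match order, and walks both scenarios hop by hop. The node names, the hop count and the `target` node are constructed for illustration.

```python
"""Which ICMP messages actually reach an inbound WAN ACL.

Added example, not code from the thread.  Models the poster's ACL
(ACEs 170/171/180) as a first-match list, builds real ICMP headers so the
ACE keywords can be matched on type/code, and walks two low-TTL ping
scenarios hop by hop.  Node names and the topology are constructed.
"""
import struct

# RFC 792 message types referred to by the IOS ACE keywords used here
ICMP_ECHO_REPLY, ICMP_ECHO, ICMP_TIME_EXCEEDED = 0, 8, 11

# IOS extended-ACL ICMP keyword -> (type, code); code None = any code
ACE_KEYWORD = {
    "echo": (ICMP_ECHO, None),
    "echo-reply": (ICMP_ECHO_REPLY, None),
    "time-exceeded": (ICMP_TIME_EXCEEDED, None),  # type 11, any code
    "ttl-exceeded": (ICMP_TIME_EXCEEDED, 0),      # type 11 code 0 only
}


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement sum; yields 0 when run over a valid packet."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_icmp(icmp_type: int, code: int, payload: bytes = b"") -> bytes:
    """Type, code, checksum, 4 zeroed 'rest of header' bytes, then payload."""
    body = struct.pack("!BBH4s", icmp_type, code, 0, b"\x00" * 4) + payload
    return body[:2] + struct.pack("!H", icmp_checksum(body)) + body[4:]


def parse_icmp(pkt: bytes) -> tuple:
    """Return (type, code) after checking minimum length and checksum."""
    if len(pkt) < 8:
        raise ValueError("ICMP header is at least 8 bytes")
    if icmp_checksum(pkt) != 0:
        raise ValueError("bad ICMP checksum")
    return pkt[0], pkt[1]


def ace_matches(keyword: str, pkt: bytes) -> bool:
    """Does this ACE keyword match the packet's ICMP type/code?"""
    icmp_type, code = parse_icmp(pkt)
    want_type, want_code = ACE_KEYWORD[keyword]
    return icmp_type == want_type and (want_code is None or code == want_code)


# The poster's ACL, reduced to its ICMP ACEs and the final permit
ACL = [(170, "deny", "echo"), (171, "deny", "time-exceeded"), (180, "permit", None)]


def evaluate(acl, pkt: bytes) -> tuple:
    """First match wins, as in IOS; (None, 'deny') is the implicit deny."""
    for seq, action, keyword in acl:
        if keyword is None or ace_matches(keyword, pkt):
            return seq, action
    return None, "deny"


# Constructed topology: Fa0/0 faces the 'wan' nodes, 'lan' sits behind the 1841.
SIDE = {"pc": "wan", "isp-r1": "wan", "isp-r2": "wan", "target": "wan",
        "lan-host": "lan", "1841": "router"}
OUTSIDE_PING = ["pc", "isp-r1", "isp-r2", "1841"]                # the poster's test
INSIDE_PROBE = ["lan-host", "1841", "isp-r1", "isp-r2", "target"]  # traceroute from LAN


def hop_where_ttl_expires(path, ttl: int):
    """Each router decrements TTL; the one that reaches 0 drops the packet
    and sends time-exceeded.  None means the packet reached path[-1]."""
    for router in path[1:-1]:
        ttl -= 1
        if ttl == 0:
            return router
    return None


def enters_fa0_0_inbound(route) -> bool:
    """The inbound ACL runs only when a WAN-side node hands a packet to the 1841."""
    return any(SIDE[a] == "wan" and b == "1841" for a, b in zip(route, route[1:]))


def acl_hits(path, ttl: int) -> list:
    """(seq, action) for each ICMP packet the Fa0/0 inbound ACL sees when
    path[0] sends one echo request with this TTL, forward and return leg."""
    echo = build_icmp(ICMP_ECHO, 0, payload=b"a" * 32)       # Windows ping payload size
    expired_at = hop_where_ttl_expires(path, ttl)
    forward = path if expired_at is None else path[: path.index(expired_at) + 1]
    hits = []
    if enters_fa0_0_inbound(forward):
        hits.append(evaluate(ACL, echo))
        if hits[-1][1] == "deny":
            return hits  # dropped at ingress; the unreachable it triggers leaves outbound
    if expired_at is None:
        back = build_icmp(ICMP_ECHO_REPLY, 0, payload=b"a" * 32)
    else:  # RFC 792 quotes the offending IP header + 8 bytes; only the ICMP part is shown
        back = build_icmp(ICMP_TIME_EXCEEDED, 0, payload=echo[:8])
    if enters_fa0_0_inbound(list(reversed(forward))):
        hits.append(evaluate(ACL, back))
    return hits


if __name__ == "__main__":
    for name, path in (("outside ping", OUTSIDE_PING), ("inside probe", INSIDE_PROBE)):
        for ttl in (1, 2, 3, 64):
            print(f"{name:13s} ttl={ttl:<3d} Fa0/0-in ACL hits: {acl_hits(path, ttl)}")
```

In the model, the outside PC's low-TTL ping produces no inbound packet at all (the time-exceeded goes back to the PC), and a TTL high enough to reach the router produces only an ACE 170 hit, which is exactly what the cleared counters above show. ACE 171 is hit only on the return leg of a probe sent out from the LAN side. To exercise it deliberately, run `ping -i <n>` or `tracert` from a host behind the 1841 toward an outside address rather than from the outside toward the router; the hop count and addresses in the model are assumptions, so the TTL that reaches the first upstream router will differ on a real path.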
