SVI is not responding to traceroute with TTL expired

ashvanth kumar
Level 1

I have a router where the SVI interfaces are not responding with TTL expired. This includes null 0 as well.

cadet alain
VIP Alumni

Hi,

Can you explain further, please?

Regards.

Alain

Don't forget to rate helpful posts.

Assume a scenario where I have three routers A -> B -> C. OSPF is running on all the routers and all P-P interfaces are part of area 0. C's SVI interface has the IP segment 10.241.3.1/24 (this is part of area 3). C is summarising this (area range command) as 10.241.0.0/16 and advertising it. In this case, when I do a trace from router A to the destination 10.241.3.1 (an active interface on router C), the trace gets dropped at router C. Whereas when I do a trace to a non-active IP, 10.241.54.1, from A, it gets dropped at router B.

If the same is done replacing router C, then in the 1st case, where I trace 10.241.3.1, the trace gets completed at router C (in the previous case it comes till here, after which I get * * *). In the 2nd case, where I trace 10.241.54.1, it comes till router C and gets dropped (in the previous case it drops at router B).


ashvanth

OSPF is running in all the routers and all P-P interfaces are part of area 0
C's SVI interface has the IP segment 10.241.3.1/24(this is a part of area 3

Can you post your config  for the 3 routers?

res

Paul


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Sorry, I'm not allowed to share the complete configuration. Hope the below configurations help. Since router 2 is a PE, I don't have its configuration.

ROUTER 3:

!
interface Vlan4
 ip address 10.241.3.1 255.255.255.0
 no ip unreachables
 no ip proxy-arp
end

router ospf 1
 nsf
 area 3 nssa no-summary
 area 3 range 10.241.0.0 255.255.0.0
 network 10.241.3.0 0.0.0.255 area 3
 network 117.211.128.128 0.0.0.3 area 0
!
interface GigabitEthernet3/1
 ip address 117.211.128.129 255.255.255.252
 no ip unreachables
 no ip proxy-arp
 ip ospf network point-to-point
 ip ospf mtu-ignore
 speed 100
 duplex full
end

ROUTER 1:

router ospf 1
 nsf
 network 117.212.128.128 0.0.0.3 area 0

interface GigabitEthernet3/1
 ip address 117.212.128.129 255.255.255.252
 no ip unreachables
 no ip proxy-arp
 ip ospf network point-to-point
 ip ospf mtu-ignore
 speed 100
 duplex full
end

Traceroutes aren't working because you've disabled ICMP unreachables via the "no ip unreachables" interface commands.

You have disabled ICMP unreachables; here is a little information to help you understand ICMP unreachables.

This table is from IANA and shows the various types:

3 Destination Unreachable [RFC792]

Codes:


0 Net Unreachable [RFC792]
1 Host Unreachable [RFC792]
2 Protocol Unreachable [RFC792]
3 Port Unreachable [RFC792]
4 Fragmentation Needed and Don't Fragment was Set [RFC792]
5 Source Route Failed [RFC792]
6 Destination Network Unknown [RFC1122]
7 Destination Host Unknown [RFC1122]
8 Source Host Isolated [RFC1122]
9 Communication with Destination Network is Administratively Prohibited [RFC1122]
10 Communication with Destination Host is Administratively Prohibited [RFC1122]
11 Destination Network Unreachable for Type of Service [RFC1122]
12 Destination Host Unreachable for Type of Service [RFC1122]
13 Communication Administratively Prohibited [RFC1812]
14 Host Precedence Violation [RFC1812]
15 Precedence cutoff in effect [RFC1812]


As you can see, the Fragmentation Needed but Do Not Fragment is one of those. So yes, PMTUD will be impacted when you configure no unreachables.

Also, since the Cisco/Unix traceroute is based on sending UDP packets and looking for the Port Unreachable message to indicate that the probe has reached the destination, disabling unreachables will break the traceroute.

From a security standpoint, when you harden a device you want to minimize the amount of information that the device provides about itself to others, and disabling unreachables helps achieve this. But from the standpoint of things that help our network work better, the unreachable is helpful.

So you have two different points of view and their positions on unreachables. So which is more important: hardening devices by reducing the information that they provide, or helping the network to run better?

Best Regards,

Manouchehr
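The mechanism described in the reply above, as an added example that is not part of the original thread: a small model of UDP traceroute in which hops answer with ICMP Type 11 (Time Exceeded) and the destination answers with Type 3 Code 3 (Port Unreachable). It assumes that "no ip unreachables" suppresses only Type 3 messages; the Router class, the function names and the 192.0.2.x / 198.51.100.x addresses are constructed for illustration and do not reproduce the poster's topology.

```python
from dataclasses import dataclass

TIME_EXCEEDED = (11, 0)     # Type 11 Code 0: TTL expired in transit
PORT_UNREACHABLE = (3, 3)   # Type 3 Code 3: UDP probe reached a closed port

@dataclass(frozen=True)
class Router:
    addr: str                   # address ICMP errors are sourced from
    local: tuple = ()           # addresses owned by this router
    unreachables: bool = True   # False models "no ip unreachables" (assumption)

def probe(path, dst, ttl):
    """Walk one UDP probe along the path; return (addr, icmp) or None."""
    for router in path:
        if dst in router.local:
            # Delivered locally. The closed-port answer is a Type 3 message,
            # so it is suppressed when unreachables are disabled.
            return (router.addr, PORT_UNREACHABLE) if router.unreachables else None
        ttl -= 1
        if ttl == 0:
            # Time Exceeded is Type 11, not a Destination Unreachable.
            return (router.addr, TIME_EXCEEDED)
    return None

def traceroute(path, dst, max_ttl=4):
    """Return [(ttl, replying addr or None)], stopping on Port Unreachable."""
    hops = []
    for ttl in range(1, max_ttl + 1):
        reply = probe(path, dst, ttl)
        hops.append((ttl, reply[0] if reply else None))
        if reply and reply[1] == PORT_UNREACHABLE:
            break
    return hops

def build_path(dest_unreachables):
    # Constructed sample topology (documentation addresses, not from the thread).
    return [
        Router("192.0.2.1"),
        Router("192.0.2.5"),
        Router("198.51.100.1", local=("198.51.100.1",),
               unreachables=dest_unreachables),
    ]

if __name__ == "__main__":
    for enabled in (True, False):
        print(f"unreachables enabled on destination: {enabled}")
        for ttl, addr in traceroute(build_path(enabled), "198.51.100.1"):
            print(f"  {ttl}  {addr or '*  *  *'}")
```

With unreachables suppressed on the destination, the transit hops still appear and only the final hop goes silent until the TTL limit is reached.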

But if you see, the trace to 10.241.3.1 gets completed. Only traces to non-existing segments in the 10.241.0.0/16 range get dropped.

Hello,

Can you post the exact outputs of the traceroute command? The verbal description of "what gets dropped where" is not very precise - the outputs will be hopefully more definitive.

Best regards,

Peter

A#traceroute 10.241.3.1
Type escape sequence to abort.
Tracing the route to 10.241.3.1
  1 117.212.128.130 4 msec 0 msec 4 msec
  2 117.211.128.129 0 msec 4 msec 0 msec
  3  *  *  *

----------------------------------------------------------------------

A#traceroute 10.241.6.1
Type escape sequence to abort.
Tracing the route to 10.241.6.1
  1 117.212.128.130 4 msec 0 msec 0 msec
  2  *

-------------------------------------------------------------
