Traceroute result shows different result than packet-tracer - FTD

Hi,

I would like to know if someone can help me understand why a traceroute command seems to be leaving the FTD device but packet-tracer is showing traffic as dropped. 192.169.111.165 is my SD-WAN interface and 192.169.111.162 is the next hop IP.


ftd1# packet-tracer input SD-WAN icmp 192.169.111.165 8 0 192.168.1.181

Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
MAC Access list

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 3
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 192.169.111.162 using egress ifc SD-WAN

Phase: 4
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: SD-WAN
input-status: up
input-line-status: up
output-interface: SD-WAN
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule


ftd1# traceroute 192.168.1.181

Type escape sequence to abort.
Tracing the route to 192.168.1.181

1 192.169.111.162 1 msec 1 msec 1 msec
2 187.190.66.44 2 msec 3 msec 3 msec
3 * * *


ftd1# traceroute 192.168.1.181 source SD-WAN

Type escape sequence to abort.
Tracing the route to 192.168.1.181

1 192.169.111.162 1 msec 1 msec 1 msec
2 187.190.66.44 2 msec 2 msec 2 msec
3 * *

2 REPLIES

Hi,


With packet-tracer you're simulating an ICMP packet passing or not, while with traceroute you're generating UDP packets, so the two flows are not identical; thus, based on your configuration, one may be allowed and the other one dropped.


Regards,

Cristian Matei.


Thanks for the reply Cristian. Do you or anyone know how I can run the packet tracer to simulate the traffic shown in the trace command? I set the packet-tracer parameters to the same ports and protocol I saw in a packet capture; the result is the same. If I change input to LAN it works using ICMP and UDP.

> packet-tracer input SD-WAN udp 192.169.111.165 49203 192.168.1.181 33437

Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
MAC Access list

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 3
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 192.169.111.162 using egress ifc SD-WAN

Phase: 4
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: SD-WAN
input-status: up
input-line-status: up
output-interface: SD-WAN
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
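A parser for the packet-tracer output format shown in this thread, added here as an example and not code from either post: it splits the output into phases, reports the first DROP phase and its Drop-reason, and flags when the resolved egress interface equals the input interface, which is the case in both runs above (SD-WAN in, SD-WAN out). The sample text is a trimmed copy of the output above.

```python
# Constructed sample: the packet-tracer output format from this thread, trimmed to two phases
SAMPLE = """Phase: 3
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Additional Information:
found next-hop 192.169.111.162 using egress ifc SD-WAN

Phase: 4
Type: ACCESS-LIST
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: SD-WAN
output-interface: SD-WAN
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

def parse_packet_tracer(text):
    # Returns (phases, summary): one dict per "Phase: N" block plus the final "Result:" block
    phases, summary, in_summary = [], {}, False
    current = {"phase": 0, "info": []}  # phase 0 holds any preamble such as the command echo
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if line.startswith("Phase:"):
            current = {"phase": int(line.split(":", 1)[1]), "info": []}
            phases.append(current)
        elif line == "Result:":
            in_summary = True
        else:
            key, sep, val = line.partition(":")
            if in_summary and sep:
                summary[key] = val.strip()
            elif key in ("Type", "Subtype", "Result", "Config") and sep:
                current[key.lower()] = val.strip()
            elif line != "Additional Information:":
                current["info"].append(line)  # free text such as "Implicit Rule"
    return phases, summary

def diagnose(text):
    # First DROP phase plus a hairpin flag (input interface == egress interface, as in both runs above)
    phases, summary = parse_packet_tracer(text)
    drop = next((p for p in phases if p.get("result") == "DROP"), None)
    return {"drop_phase": drop["phase"] if drop else None,
            "drop_type": drop.get("type") if drop else None,
            "drop_reason": summary.get("Drop-reason"),
            "hairpin": summary.get("input-interface") == summary.get("output-interface")}
```

Run the ICMP and the UDP packet-tracer outputs through `diagnose` to confirm they fail in the same phase with the same reason, which is what the thread observes.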