Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
614
Views
0
Helpful
2
Replies

Traceroute result shows different result that packet-tracer - FTD

ernesto_tello
Level 1
Level 1

‎03-16-2020 04:37 PM

Hi,

I would like to know if someone can help me understand why a traceroute command seems to be leaving the FTD device but packet-tracer is showing traffic as dropped. 192.169.111.165 is my SD-WAN interface and 192.169.111.162 is the next hop IP.

 

ftd1# packet-tracer input SD-WAN icmp 192.169.111.165 8 0 192.168.1.181

Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
MAC Access list

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 3
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 192.169.111.162 using egress ifc SD-WAN

Phase: 4
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: SD-WAN
input-status: up
input-line-status: up
output-interface: SD-WAN
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

 

ftd1# traceroute 192.168.1.181

Type escape sequence to abort.
Tracing the route to 192.168.1.181

1 192.169.111.162 1 msec 1 msec 1 msec
2 187.190.66.44 2 msec 3 msec 3 msec
3 * * *

 

ftd1# traceroute 192.168.1.181 source SD-WAN

Type escape sequence to abort.
Tracing the route to 192.168.1.181

1 192.169.111.162 1 msec 1 msec 1 msec
2 187.190.66.44 2 msec 2 msec 2 msec
3 * *

Labels:
0 Helpful
2 Replies 2

Cristian Matei
VIP Alumni
VIP Alumni

‎03-17-2020 08:05 AM

Hi,

 

   With packet-tracer you're simulating an ICMP packet passing or not, while with traceroute you're generating UDP packets, so the two flows don't are not identical, thus based on your configuration one may be allowed, the other one dropped.

 

Regards,

Cristian Matei.

0 Helpful

ernesto_tello
Level 1
Level 1
In response to Cristian Matei

‎03-17-2020 09:45 AM

Thanks for the reply Cristian. Do you or anyone know how I can run the packet tracer to simulate the traffic show in the trace command? I set the packet-tracer parameters to same ports and protocol I saw on a packet capture the result is the same. If i change input to LAN it works using ICMP and UDP.

> packet-tracer input SD-WAN udp 192.169.111.165 49203 192.168.1.181 33437

Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
MAC Access list

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 3
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 192.169.111.162 using egress ifc SD-WAN

Phase: 4
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: SD-WAN
input-status: up
input-line-status: up
output-interface: SD-WAN
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card