ASR - Troubleshooting using Packet Tracer


Documentation

This configuration example is meant to be interpreted with the aid of the official documentation in the configuration guide located here:

Prerequisite

The ASR must be running minimum XE 3.10 code to be able to use this feature.

Topology

(Topology diagram: ASR-packet tracer.jpg)

Scenario

Let us say that the PC at 14.36.109.13 is unable to telnet to 172.18.124.1. How can this problem be troubleshot with the packet tracer tool, and what steps are needed to configure it and capture the data?

Steps

Using packet trace is very straightforward. All you need to do is:

  1. Enable packet-trace

  2. Decide which kind of packets you want to trace and where to trace them

  3. Start collection

  4. View packet and then stop collection

Enable Packet-trace

This is always required to operate packet trace. Entering this command means that matching packets will be accounted for.

kusankar-ASR1002#debug platform packet-trace enable

Please remember to turn on 'debug platform condition start' for packet-trace to work

Defining What To Trace

This command will match any packets coming in on interface g0/0/0.

kusankar-ASR1002#debug platform condition interface g0/0/0 ingress

This command will match any IPv4 packets coming in on interface g0/0/0 with a source or destination IP of 14.36.109.13.

kusankar-ASR1002#debug platform condition interface g0/0/0 ipv4 14.36.109.13/32 ingress

Specify How Many Packets to Collect

This command will collect 128 packets that match the condition defined in the step above.

kusankar-ASR1002#deb platform packet-trace packet 128

Start Collection

Start the packet collection with the following command. Send the test traffic or retry the failing telnet, then stop the data collection.

kusankar-ASR1002#debug platform condition start

Stop Collection

You do not need to stop the collection in order to see the packets already collected in the buffer.

kusankar-ASR1002#debug platform condition stop

How to see the packets captured

Once you find out which packets are being dropped, you can focus on a particular packet to get more details. In this case packets 17, 20 and 28 are dropped due to firewall policy. Let us check whether these are the telnet packets from 14.36.109.13 destined to 172.18.124.1.

kusankar-ASR1002#sh platform packet-trace sum | i DROP

Pkt   Input                 Output           State            Reason

17    Gi0/0/0          Gi0/0/3          DROP   183 (FirewallPolicy)

20    Gi0/0/0          Gi0/0/3          DROP   183 (FirewallPolicy)

28    Gi0/0/0          Gi0/0/3          DROP   183 (FirewallPolicy)

The command below gives more detail about packet number 17. Clearly the ZBFW feature is dropping the packet. Notice the input interface, output interface, source IP, destination IP, protocol and port.

kusankar-ASR1002#sh platform packet-trace packet 17

Packet: 17          CBUG ID: 3019

Summary

  Input     : GigabitEthernet0/0/0

  Output    : GigabitEthernet0/0/3

  State     : DROP 183 (FirewallPolicy)

  Timestamp

    Start   : 15071588347061

    Stop    : 15071588471841

Path Trace

  Feature: IPV4

    Source      : 14.36.109.13

    Destination : 172.18.124.1

    Protocol    : 6 (TCP)

      SrcPort : 52273

      DstPort : 23

  Feature: ZBFW

    Action  : Drop

    Reason  : Policy drop due to classification result
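When a capture holds far more than the three drops shown here, the summary and per-packet output can be parsed mechanically to list every dropped packet with its reason and to pull out the 5-tuple for comparison with the failing session. The following Python is an added example, not part of the original document or of IOS-XE; the sample text is constructed from the output shown above (with one forwarded row added) and the field layout is assumed to match it.

```python
import re

# Constructed sample modelled on the 'show platform packet-trace summary'
# output above; not a live capture. Packet 16 is an added forwarded row.
SUMMARY = """\
Pkt   Input                 Output           State            Reason
16    Gi0/0/0          Gi0/0/3          FWD
17    Gi0/0/0          Gi0/0/3          DROP   183 (FirewallPolicy)
20    Gi0/0/0          Gi0/0/3          DROP   183 (FirewallPolicy)
28    Gi0/0/0          Gi0/0/3          DROP   183 (FirewallPolicy)
"""
# Constructed detail, abridged from 'show platform packet-trace packet 17'.
DETAIL = """\
Packet: 17          CBUG ID: 3019
  State     : DROP 183 (FirewallPolicy)
  Feature: IPV4
    Source      : 14.36.109.13
    Destination : 172.18.124.1
    Protocol    : 6 (TCP)
      SrcPort : 52273
      DstPort : 23
  Feature: ZBFW
    Action  : Drop
    Reason  : Policy drop due to classification result
"""
# Pkt, Input, Output, State, then an optional "<code> (<reason>)" for drops.
SUMMARY_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+([A-Z]+)(?:\s+(\d+)\s+\((\w+)\))?")
KV_RE = re.compile(r"^\s*([A-Za-z][\w ]*?)\s*:\s*(.*)$")

def dropped_packets(summary):
    """Return [(pkt_number, reason)] for every summary row whose State is DROP."""
    drops = []
    for line in summary.splitlines():
        m = SUMMARY_RE.match(line)
        if m and m.group(4) == "DROP":
            drops.append((int(m.group(1)), m.group(6) or "unknown"))
    return drops

def parse_detail(detail):
    """Flatten 'key : value' lines of one packet's detail; keep every Feature seen."""
    fields = {"Features": []}
    for m in filter(None, map(KV_RE.match, detail.splitlines())):
        key, val = m.group(1), m.group(2).strip()
        if key == "Feature":
            fields["Features"].append(val)
        else:
            fields[key] = val
    return fields

def flow_tuple(fields):
    """(src, dst, ip_proto, sport, dport) to match the drop against the failing telnet."""
    return (fields["Source"], fields["Destination"], int(fields["Protocol"].split()[0]),
            int(fields["SrcPort"]), int(fields["DstPort"]))
```

Feeding the real `show platform packet-trace packet N` output of each number returned by `dropped_packets` into `parse_detail` gives one 5-tuple per drop, so the packets from 14.36.109.13 to port 23 can be picked out of a large buffer without reading each entry by hand.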


Now, examining the ZBF configuration closely, the relevant config is as follows. Clearly TCP traffic is not allowed from the inside host 14.36.109.13:

interface GigabitEthernet0/0/0

ip address 14.36.109.114 255.255.0.0

ip nat inside

zone-member security INSIDE

negotiation auto

end

!

interface GigabitEthernet0/0/3

ip address 172.18.124.41 255.255.255.0

ip nat outside

zone-member security OUTSIDE

negotiation auto

end

!

zone-pair security INSIDE-OUTSIDE source INSIDE destination OUTSIDE

service-policy type inspect INSIDE-pm

zone-pair security OUTSIDE-INSIDE source OUTSIDE destination INSIDE

service-policy type inspect OUTSIDE-pm

zone-member security INSIDE

zone-member security OUTSIDE

!

policy-map type inspect INSIDE-pm

class type inspect in-out-class

  inspect

class class-default

!

class-map type inspect match-any in-out-class

match protocol udp

match protocol icmp

match protocol ftp 

<====> Only UDP, ICMP and FTP traffic is allowed. No other TCP traffic is allowed, and that is why telnet is breaking.

!

end