Debug and ACL

Warren · ‎01-24-2019

I am trying to verify that my traffic is hitting the correct interface and going out but the output doesn't seem right to me.

Source: 10.97.10.32

Destination 52.49.24.30

ip route 52.49.24.30 255.255.255.255 89.202.127.77

access-list 199 permit ip host 10.97.10.32 host 52.49.24.30 log-input
access-list 199 permit ip host 52.49.24.30 host 10.97.10.32 log-input

debug ip packet 199 detail

term mon

once I do this and attempt a telnet from source to destination I see this

SW-FRCL-NTCORE1#pak 16816E3C consumed in input feature , packet consumed, MCI Check(63), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
SW-FRCL-NTCORE1#pak 16833210 consumed in input feature , packet consumed, MCI Check(63), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
SW-FRCL-NTCORE1#pak 167F6DA8 consumed in input feature , packet consumed, MCI Check(63), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
SW-FRCL-NTCORE1#pak 167D5A18 consumed in input feature , packet consumed, MCI Check(63), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

does this mean it is going out the correct interface? this is on a cisco switch

Cisco IOS Software, Catalyst 4500 L3 Switch Software (cat4500-ENTSERVICESK9-M), Version 12.2(54)SG1, RELEASE SOFTWARE (fc1)

thank you in advance!!!!

Francesco Molino · ‎01-24-2019

Hi

Just to make sure you can get all information on your debug in order to see what is the outgoing interface, make sure you disabled fast switching/CEF and re-run a debug ip packet detail ACL.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Warren · ‎01-24-2019

Hi Francesco

I don't have CEF or fast switching configured, I have quick question just want to make sure I am not going

crazy. What I am trying to do is have my server take a particular route out the internet I need it to go as follows

server 10.97.10.32 => Core1 => NTCore1 => provider switch =internet 52.49.24.30

so I have static routes as follows

Core1

ip route 52.49.24.30/32 10.98.1.12 <- Interface on NTCore1

NTCore1

ip route 52.49.24.30 255.255.255.255 89.202.127.77<- interface on provider switch

so for static routes there is nothing special with them all you have to do is point it to the correct next hop right? When I do a traceroute from the server the last hop I see is the

NTCore1 interface 10.98.1.12

I just want to make sure I am not missing anything before I go tell the provider it is something on their end

bash-4.2$ traceroute 52.49.24.30
traceroute to 52.49.24.30 (52.49.24.30), 30 hops max, 60 byte packets
1 sw-frcl-core1.network.na.bluefirecap.net (10.97.10.254) 0.114 ms 0.124 ms 0.128 ms
2 10.98.1.12 (10.98.1.12) 513.833 ms 513.833 ms 513.829 ms
3 * * *
4 * * *
5 * * *
6 * * *
7 * * *

Francesco Molino · ‎01-24-2019

Are you able to point the SP router interface 89.202.127.77?

Can you re-run your traceroute with option -I?

I believe you have some nat before reaching your SP router? Have you checked everything is ok on this side.

Make sure your packet is able to reach your service provider router.
Where did you run your debug? On NTcore (last device managed by you before forwarding the packet to your SP)

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Warren · ‎01-24-2019

There is no NAT my IP enters the providers network via the ethernet hand off that is why I am thinking

it is on their side but wanted to get a second opinion from someone smarter than me I tried to do the

debug on NTCore1 which is the last device before it hits the provider but didn't see anything. I set up my debug as follows

access-list 199 permit ip host 10.97.10.32 host 52.49.24.30 log-input
access-list 199 permit ip host 52.49.24.30 host 10.97.10.32 log-input

debug ip packet 199 detail

term mon

but all i get is

SW-FRCL-NTCORE1#pak 16ADF474 consumed in input feature , packet consumed, MCI Check(63), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
SW-FRCL-NTCORE1#pak 16B7AB68 consumed in input feature , packet consumed, MCI Check(63), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
SW-FRCL-NTCORE1#pak 16B5B26C consumed in input feature , packet consumed, MCI Check(63), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
SW-FRCL-NTCORE1#pak 16B8D75C consumed in input feature , packet consumed, MCI Check(63), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

Francesco Molino · ‎01-24-2019

Log-input are not necessary here.
If you do sh ip cef, you see nothing right as you said cef was disabled.

Anyways, have you tried pinging from your server your SP ip interface (ip of next hop static route you configured).
Does it answer your icmp packets?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Warren · ‎01-24-2019

Yes it does

sv-frcl-crypto1 wgranada]# ping 89.202.127.77
PING 89.202.127.77 (89.202.127.77) 56(84) bytes of data.
64 bytes from 89.202.127.77: icmp_seq=1 ttl=45 time=205 ms
64 bytes from 89.202.127.77: icmp_seq=2 ttl=45 time=204 ms
64 bytes from 89.202.127.77: icmp_seq=3 ttl=45 time=206 ms
64 bytes from 89.202.127.77: icmp_seq=4 ttl=45 time=204 ms
64 bytes from 89.202.127.77: icmp_seq=5 ttl=45 time=204 ms

.77 is there end and .78 is my end
64 bytes from 89.202.127.77: icmp_seq=6 ttl=45 time=204 ms
64 bytes from 89.202.127.77: icmp_seq=7 ttl=45 time=204 ms

Warren · ‎01-24-2019

is it safe to say the issue is on there side?