11-16-2010 08:51 AM - edited 03-06-2019 02:04 PM
Hello,
I have a traceroute that goes through an SVI that seems to (9 times out of 10) produce request timeouts. No packet loss is seen for pings to the end device, but the traceroute shows losses...
traceroute 10.4.173.6:
1 <1ms <1ms <1ms 10.5.61.253
2 * * * Request timed out.
3 <1ms <1ms <1ms 10.4.112.243
4 <1ms <1ms <1ms 10.5.3.190
5 <1ms <1ms <1ms 10.4.173.6
Between hop 1 and 2 is a firewall whose next hop points to a 3750 switch (10.4.112.254), which is hop 2 and shows the 'drops'. Its config that the firewall points to is:
interface Vlan900
 description Firewall_Comms
 ip address 10.4.112.247 255.255.255.0
 no ip redirects
 standby 4 ip 10.4.112.254
 standby 4 priority 160
 standby 4 preempt
the 3750 only has a single route to 10.4.173.6:
PPFX_X37_274#sh ip ro 10.4.173.6
Routing entry for 10.4.173.0/24
  Known via "ospf 1", distance 110, metric 201, type inter area
  Last update from 10.4.112.243 on Vlan900, 2d00h ago
  Routing Descriptor Blocks:
  * 10.4.112.243, from 10.4.238.201, 2d00h ago, via Vlan900
      Route metric is 201, traffic share count is 1
this doesn't seem to cause any problems, but I'm curious as to why this shows timeouts...
Any ideas?
Thanks
Phil
11-16-2010 09:22 AM
Phil,
The firewall is a security appliance and will not usually respond to a traceroute. This is to ensure that someone from the outside cannot find the address of the device and breach your network. This is disabled by default and if you want this to work you will need to enable it.
I hope this helps and please let us know if you have any further questions.
Kimberly
11-16-2010 09:22 AM
Check to make sure that your firewall is allowing traceroute. If you have an ASA, make sure ICMP inspection is on. If you don't have an ASA, make sure you are allowing the following:
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any source-quench
access-list 101 permit icmp any any unreachable
access-list 101 permit icmp any any time-exceeded
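As an added check (not code from the thread), the following Python script applies the two things the replies above ask about: whether an ordered IOS numbered access-list permits the four ICMP message types listed, and which hops in a Windows-style tracert output answered none of their probes. It assumes a simplified ACL matcher that only evaluates "any any" entries and ignores addresses; the sample ACL and traceroute text are constructed from the lines quoted in this thread.

```python
import re

# ICMP message types the reply above permits inbound so traceroute replies
# (TTL-exceeded from each hop, port-unreachable from the target) get back.
REQUIRED_ICMP = ("echo-reply", "source-quench", "unreachable", "time-exceeded")

# Numbered IOS ACL entry, e.g. "access-list 101 permit icmp any any time-exceeded".
# Assumption: only "any any" entries are evaluated; addresses are ignored.
ACL_RE = re.compile(
    r"^\s*access-list\s+\d+\s+(permit|deny)\s+icmp\s+any\s+any(?:\s+(\S+))?\s*$")


def icmp_decision(acl_text, icmp_type):
    """First-match evaluation of an ordered ACL for one ICMP type.
    An entry without a type keyword matches every ICMP message; an ACL
    ends in an implicit deny, so no match means 'deny'."""
    for line in acl_text.splitlines():
        m = ACL_RE.match(line)
        if not m:
            continue
        action, entry_type = m.group(1), m.group(2)
        if entry_type is None or entry_type == icmp_type:
            return action
    return "deny"


def missing_icmp_types(acl_text):
    """Return the required ICMP types this ACL does not permit, in order."""
    return [t for t in REQUIRED_ICMP if icmp_decision(acl_text, t) != "permit"]


# Windows-style tracert line for a silent hop: "2 * * * Request timed out."
TIMEOUT_RE = re.compile(r"^\s*(\d+)\s+\*\s+\*\s+\*\s+Request timed out\.")


def timed_out_hops(trace_text):
    """Return hop numbers that answered none of the three probes."""
    hops = []
    for line in trace_text.splitlines():
        m = TIMEOUT_RE.match(line)
        if m:
            hops.append(int(m.group(1)))
    return hops


if __name__ == "__main__":
    # Constructed sample: the four entries from the reply above.
    acl = ("access-list 101 permit icmp any any echo-reply\n"
           "access-list 101 permit icmp any any source-quench\n"
           "access-list 101 permit icmp any any unreachable\n"
           "access-list 101 permit icmp any any time-exceeded")
    print("missing ICMP permits:", missing_icmp_types(acl))
    trace = ("1 <1ms <1ms <1ms 10.5.61.253\n"
             "2 * * * Request timed out.\n"
             "3 <1ms <1ms <1ms 10.4.112.243")
    print("hops with no reply:", timed_out_hops(trace))
```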
11-17-2010 12:53 AM
The firewall is not blocking traceroutes and no access-lists are blocking ICMP on
the layer-3 switch.....
Sometimes the trace works, sometimes (most times) it doesn't....
thanks
Phil