Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
356
Views
0
Helpful
2
Replies

Cannot trace to hosts on ISR's using FW feature set

Go to solution
Elijah Conn
Level 1
Level 1

‎02-14-2014 10:58 AM

The issue is that we can trace between networking equipment on tunnels involving the ISR routers using Firewall feature set, but we cannot trace to hosts. For example from (US)AS1, I can trace to (UK)CS1's 192.168.1.2 ip address, but not to host that I find in the arp table for that vlan. I have added ICMP TTL exceeded and TTL time-outs to the ACL's, but it still does not work.  Any helf would be greatly appreciated

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
hunt-j
Level 1
Level 1

‎02-18-2014 10:44 AM

Elijay, You stated that you are using ISR's. Are you perhaps running inspection? If so, you may want to check your ICMP rules for router-traffic and timeouts. You may want to increase the timeout setting.

View solution in original post

0 Helpful
2 Replies 2

Go to solution
hunt-j
Level 1
Level 1

‎02-18-2014 10:44 AM

Elijay, You stated that you are using ISR's. Are you perhaps running inspection? If so, you may want to check your ICMP rules for router-traffic and timeouts. You may want to increase the timeout setting.

0 Helpful

Go to solution
Elijah Conn
Level 1
Level 1
In response to hunt-j

‎02-18-2014 11:07 AM

We were able to fix the traceroute problem by increasing the inspection timeout value to 20:

ip inspect name insp-outbound icmp timeout 20

thanks hunt-j

0 Helpful
Customers Also Viewed These Support Documents