Cisco WAN :: IP SLA ICMP-Echo On 3750?

Jan 22, 2012

Have a very peculiar issue with IP SLA. Firstly, the architecture.
 
1) There are two sites - A & B. Both have their own internet connection.

2) Sites A & B are connected via MPLS.

3) Both sites have the below topology.
 
3750 CORE --> FIREWALL -->ROUTER ---> INTERNET
 
4) 3750 has a Default route pointing to firewall.

5) MPLS router is connected to 3750. A default information is originated via BGP to MPLS at each location. So that default route is learnt as a backup path from any location if it has to lose its local internet.

6) IP SLA has been configured at each location to track the default route using icmp-echo to hit a public IP (i.e 4.2.2.2 as an example).
 
Issue? ICMP probes from Site-A via its local internet fail abruptly. I can reach the public IP mentioned above from my firewall pretty fine, but not from my 3750. Whenever I remove the tracking from the static default route & push in the plain default route without tracking, it works fine. Again, if I add the tracking back, it will work fine for an hour or so & then fails back again. To my bad, Site-B had recently gone offline due to some natural calamity. So, there is no other path for internet.
 
My config looks pretty simple
 
track 10 ip sla 1 reachability
!
ip sla 1
icmp-echo 4.2.2.2 source-ip 10.1.254.1
frequency 180
ip sla schedule 1 life forever start-time now
ip sla enable reaction-alerts
!
ip route 0.0.0.0 0.0.0.0 10.1.254.1 track 10
 
I am running IOS version 12.2(53)SE2 (IPservices images).


Cisco Firewall :: ASA 5510 / PAT / ICMP Echo Outgoing IP

Apr 16, 2013

I have ASA 5510 with soft version 8.4(5) installed. There are two interfaces:
 
IP 1.1.1.1/24 - inside
IP 2.2.2.1/24 - outside
 
I have configured PAT, so network 1.1.1.0/24 gets NATted to 2.2.2.2 address. Everything works fine, except I can't reach 2.2.2.2 via ICMP from the internet.
  
X.X.X.X 2.2.2.2 Deny inbound icmp src OUTSIDE:X.X.X.X dst OUTSIDE:2.2.2.2 (type 8, code 0)
 
But I have configured an access list allowing ICMP from any to any: access-list outside_access_in extended permit icmp any any
 
Thus address 2.2.2.1, which is bound to the outside interface itself, is perfectly reachable via ICMP.
 
I've got two questions:

1) Is there a way to fix it? It will be handy for diagnostic purposes.

2) Is it possible to configure the secondary IP address on the interface on ASA? I've read that there are some complications.


Cisco Firewall :: ASA 8.2(5)26 - ICMP Echo Request Denied On Outside?

Jan 14, 2013

I'm having a problem getting ICMP echo monitoring on the outside interface to work. I've set:

icmp permit host monitoring_station_adress outside

but I still get:

%ASA-3-313001: Denied ICMP type=8, code=0 from monitoring_station_adress on interface outside.

I'm trying to directly monitor the IP on the ASA's outside interface.
 
I have access-group tied to "in" direction on interface outside. Do I still have to put "permit icmp" rules despite the fact that icmp permit outside command is set?


Linksys Wireless Router :: Disable ICMP Echo On Ea4500?

Feb 7, 2013

How do I disable ICMP echo on ea4500 - I don't see anywhere either in Connect or directly on the router web interface that allows this.


Cisco Firewall :: ASA 8.4(2) Doesn't Respond To ICMP Echo On Ip Address With Port

Dec 13, 2011

In order to meet our requirements we had to configure PAT for TCP 80 on 2 external IP addresses to one internal IP in DMZ. TCP port 80 is being translated for both external IP addresses and it works as expected. However, since we have migrated to ASA both external IP addresses don't respond to ICMP echo requests generating following error:
 
%ASA-3-106014: Deny inbound icmp src outside:<Source IP> dst outside:<Destination IP> (type 8, code 0)
 
Previously we have been using Cisco router to achieve the same objective and it worked well. I have noticed that when I add "same-security-traffic permit intra-interface" to a configuration the message mentioned above stops appearing in the logs.

As far as I can tell ASA sends packet back through outside interface, despite the fact that appliance advertises its mac address in response to arp request for the same external IP address. Is there any way to make ASA realise that it should respond to ICMP echo requests on external IP addresses that have forwarding setup?
 
I do realise that ICMP would work in 1-to-1 NAT scenario, but we can't apply 1-to-1 NAT for 2 external IP addresses to point to one internal IP address.


Cisco Switching/Routing :: Nexus 5500 Duplicate ICMP Echo-reply

Nov 24, 2012

I am experiencing inconsistent echo-reply from devices connected via VPC to Nexus 5500s while pinging from the Nexus exec prompt.

In some cases I receive a normal response when pinging from one Nexus, but no response when pinging from the other switch. In other instances I receive a normal response to one Nexus, and duplicate replies to the other. It looks like a VPC related bug. NXOS is 5.1.3.N2.1
 
5501# ping 10.12.12.232
PING 10.12.12.232 (10.12.12.232): 56 data bytes
64 bytes from 10.12.12.232: icmp_seq=0 ttl=253 time=8.585 ms
64 bytes from 10.12.12.232: icmp_seq=0 ttl=254 time=9.227 ms (DUP!)
64 bytes from 10.12.12.232: icmp_seq=1 ttl=253 time=1.011 ms
64 bytes from 10.12.12.232: icmp_seq=2 ttl=253 time=8.097 ms
64 bytes from 10.12.12.232: icmp_seq=2 ttl=254 time=9.429 ms (DUP!)
64 bytes from 10.12.12.232: icmp_seq=3 ttl=253 time=18.195 ms
64 bytes from 10.12.12.232: icmp_seq=4 ttl=253 time=8.807 ms


Cisco Switching/Routing :: IP SLA ICMP Echo Support Catalyst 3560X / 3750X?

Feb 13, 2012

Need to clarify if the IP SLA ICMP echo operation is supported in Catalyst 3kx switches (IP services). In the configuration guide, commands are available, but in the Feature Navigator, I can't find the feature, only the IP SLA video operation. I don't have a device to test on here.


Cisco Firewall :: 6509 ICMP Echo From Firewall Interface

May 1, 2011

Two 6509 chassis with VSS configuration. One of those chassis has one FWSM installed and the configuration is like this:

Switch:
firewall multiple-vlan-interfaces
firewall switch 1 module 3 vlan-group 1
firewall vlan-group 1 3-5,7,8,10,200
interface Vlan200
ip address 10.50.50.1 255.255.255.252
end

I am not receiving ICMP replies from the FWSM interfaces if I try to ping 172.20.80.1 from 10.50.50.2. I do not see any debugging info in the logs. I successfully ping 10.50.50.2 from the inside networks in the cat6500, but in the network 172.20.80.0, cannot ping 10.50.50.2.


Cisco WAN :: 3750 - Flooding Of ICMP-Q

Feb 5, 2012

The output below was taken from a Cisco 3750 switch on which the CPU utilization is more than 80%. What is the meaning of the information below?
 
switch#debug platform CPU-queues icmp-q
debug platform CPU-queue icmp-q debugging is on
 
 
Feb  6 18:44:09.860: ICMP-Q:Dropped redirect disabled on L3 IF: Local Port Fwding L3If:Vlan41 L2If:GigabitEthernet1/0/8 DI:0xB4, LT:7, Vlan:41   SrcGPN:8, SrcGID:8, ACLLogIdx:0x0, MacDA:0019.aade.0d58, MacSA: b8ac.6f2a.2734   IP_SA:10.43.41.87 IP_DA:172.20.31.25 IP_Proto:6
TPFFD:ED580008_00290029_00B0009F-000000B4_90BD001F_6C6E1FC0


Cisco Infrastructure :: Blocking ICMP On Catalyst 3750 Switch Vlan?

Apr 7, 2011

I have set up an ACL on my 3750 switch to deny icmp from PC A  on our inside network to PC B on a different VLAN on our inside network using the following ACLs:
 
deny icmp host 10.1.17.15 host 10.3.10.4
deny icmp host 10.3.10.4 host 10.1.17.15
 
-- or --
 
deny icmp host 10.1.17.15 host 10.3.10.4 echo-reply
deny icmp host 10.3.10.4 host 10.1.17.15 echo-reply

These ACLs belong to an access-list that also limits ip traffic to a few specific machines. When I try pinging from PC A I receive a reply message back from PC B. Shouldn't this configuration block any ICMP from PC A to PC B and from PC B to PC A? I would have expected the first ACL statement to block any packets associated with ICMP and when that didn't work I tried the second configuration.


Cisco Switching/Routing :: 3750 - ICMP Redirect Aging Timer

Apr 29, 2013

Amazed I cannot find this in any documentation but I want to know the default aging timer for ICMP redirects on a 3750 switch running at layer 2.


Cisco Switching/Routing :: 3750 Switch - ICMP Delay To Default Gateway

Aug 25, 2012

I had set up a LAN infrastructure with 5 3750 stack switches. Of these, 3 are in one stack which is acting as the access switch, and 2 are in another stack which is the core switch where all the SVIs are configured. Now, when I tried to ping from our edge PC, which is connected to the access switch, to the default gateway, which is configured on the core switch, the ICMP is getting delayed. But when I try to ping from the same edge PC to another user PC, it is getting less than 1 millisecond ICMP replies.

Why is ICMP delaying to the default gateway, but working with other edge-to-edge PCs without any delays?


Cisco Switching/Routing :: Catalyst 3750-x Icmp Delay To Default Gateway?

Sep 10, 2012

I am facing a problem when the client VLAN is communicating with the default gateway on the core 3750-x.

IOS in the 3750-x core is 3750e-universalk9-mz.150-2.SE.bin. But client to client communication is happening without any delay and ICMP is less than 1 ms always.

When I try to ping the default gateway of the client VLAN, it is getting delayed (variable ICMP delays). Is this an IOS bug?


HUAWEI Echo LifeH9520b / How To Find WPA Security Passphrase

Jun 6, 2011

I have a router, HUAWEI echo lifeH9520b Broadband wireless. How do I find the WPA security pass phrase?


Cisco WAN :: EHWIC-3G-HSPA+7 Fail Over Between Two Connections Are Handled By IP SLA Echo And Track

Dec 3, 2012

I am having problems with these types of 3G cards (EHWIC-3G-HSPA+7) from Cisco. We are using them on ships where we have a SAT connection and the 3G connection. Fail over between the two connections is handled by an IP SLA echo and a track on the cellular interface, towards a public IP where we have configured a static route to via the Cellular interface.

Once configured the connection comes up fine, the VPN tunnels come up and all is good. But after some time the connection dies, the track goes down because no data goes through. A sh cell 0/0/0 all, however, says that the profile is active.


Cisco Switching/Routing :: 3020 / HP NIC Teaming And Not Receiving Echo Reply

Dec 4, 2011

I am working with a strange problem at the minute with HP's NIC Teaming with Transmission Load Balancing. We have an HP blade system; the server is connected to 2 Cisco 3020s and then those 2 switches are connected to a 3750 Stack consisting of 2 members.

There's an LACP ether channel consisting of 4 Gigabit Ethernet ports to each 3020 from the 3750 Stack. They both have exactly the same configuration and all ports are up and the channel looks healthy.

When setting the preference order on the server, if I set the NIC connected to the 1st Cisco 3020 as primary i.e. Tx/Rx then everything is fine. If I set the NIC connected to the 2nd Cisco 3020 as primary then all seems fine i.e. I can ping it, it can access services outside its own VLAN and the internet. It cannot however ping anything connected to the same subnet and VLAN on the 3750 Stack.

Doing a packet capture on a server connected to the VLAN on the 3750 stack I can see the Echo Requests coming in and the server sending an Echo Reply but the Echo Reply never gets back to the server with the teamed NICs.

I did a Layer 2 traceroute and all looked fine, all the MAC tables were good. I thought maybe it was a layer 2 loop causing the problems but I have checked and re-checked STP and can't find any problems. STP has picked up one intentional loop and blocked it.

I've raised a ticket with HP to see if they can point me in the right direction but I don't think it is a problem with their drivers. It definitely seems like a networking problem.


Home Network :: Is Blocking Echo Request To Prevent Ping Sweep Same As Having Firewall In Stealth Mode

Jul 19, 2011

Is blocking echo request to prevent ping sweep the same as having a firewall in stealth mode? And how could someone ping sweep from outside if you had a firewall at all?


Cisco :: ICMP Through ASA 5520?

Jan 26, 2012

I cannot seem to ping between devices on two networks hanging off a 5520 unless I use the same-security interface command. I have the relevant ACLs set up between the interfaces, but it just doesn't work unless I have that command in - if I use that command, it bypasses the ACL.

Config

interface GigabitEthernet0/0.224
description NMS
vlan 224
nameif NMS
security-level 100
ip address 10.11.120.225 255.255.255.240

[code].....


How To Use ICMP Protocol

May 29, 2011

I want to know how to use the ICMP protocol in sending a packet in a network?


Cisco :: ASA ICMP Inspection Not Working?

Jan 31, 2012

More and more recently I'm seeing that inspect ICMP and ICMP error do not allow trace route to work through the firewall from inside to outside. I used to go in, enable the inspections and subsequent trace routes worked. Now when this is enabled, the firewall still blocks return trace route.


Cisco :: ICMP / SSH With LWAPs Behind WLC 2100

Feb 27, 2011

I'm new to the Cisco WLCs and recently implemented a wireless infrastructure using a WLC 2100 with 1262 LWAPs. I have two of the 1262s plugged into ports 7/8 using crossover cables. They're functioning correctly with the exception of the inability to SSH and send pings to the LWAPs behind the WLC. Is there any way to ping/SSH through the WLCs to the LWAPs behind it? I use an NMS (Nagios) to monitor the status of the LWAPs and it can't monitor them if it cannot ping them. Also, is there any way to configure the WLC to monitor the status of LWAPs?


Cisco :: 881 - ICMP Using Configuration Professional?

Sep 5, 2012

I am trying to set up the router (881) using Cisco Configuration Professional, to allow ping replies. I cannot for the life of me figure it out.


Cisco Firewall :: 5510 8.4 And ICMP

Sep 19, 2011

So I have my shiny new (used, but new to me) 5510 finally working and installed in my Dev network. I need to have ICMP (ping and trace route) available from the inside network. I Googled and found a few articles on how to do it. I tried modifying the class maps, but it looks like there are changes in the commands in 8.4 and the articles I found evidently were for 8.2 and lower. I tried doing it with access lists, again from examples, and traffic stopped in all directions (not good) so I am back to being functional and how to do it in 8.4. Documentation seems sparse on the net with 8.4.


Cisco :: Which Source IP Will Router Use For Outgoing ICMP

Jun 6, 2012

I have a router which has two physical interfaces Gi0/0 and Gi0/1. Gi0/0 connects to metro over ethernet and Gi0/1 is configured as a router on a stick, which has many defined. All those interfaces have IP addresses assigned. EIGRP is configured between other metro sites. Here is a sample IP assignment for this site, let's say Site.


Cisco AAA/Identity/Nac :: Enabling ICMP On ACS 1120?

Feb 28, 2011

We have downgraded a Cisco ACS appliance 1120 from ACS 5.0 to ACS 4.2.1.15. When we perform an ICMP ping request to the ACS appliance it's not responding, but I can do a ping test from the ACS appliance in console mode, not from GUI mode.

Is there any option to enable ICMP ping response on the Cisco ACS 1120, or else any patch to be upgraded to perform this action? My requirement is to enable ICMP ping on the ACS appliance for troubleshooting, instead of always checking with telnet x.x.x.x 2002 for service responding.


Cisco Firewall :: ASA 8.4 ICMP Not Working On Default NAT?

May 23, 2012

I'm having issues with NAT dropping ICMP on default NAT. Do I need to create another NAT for ICMP?
 
Here's the packet-tracer result:
 
firewall01# packet-tracer input inside icmp 172.23.1.74 0 10 8.8.8.8 detailed
 
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:

[code]....


Cisco WAN :: 1811 ICMP On External Interface

Mar 10, 2012

 I've got a Cisco 1811 router with FastEthernet0 plugged into a cable modem with 5 static IP's. I want to disable the ability for those IP's to be pinged externally except for certain addresses that I specify (I have some offsite servers that I use to monitor the ISP link for example). I also want the ability to be able to ping external addresses from the router as well as any of my inside subnets. [code]

I've tried varying ACL's and applied to Fa0, none of which work [code]


Cisco WAN :: 7600 IP SLA - Send More ICMP Within Each Interval

Oct 29, 2011

I have a cisco 7600. It will send an icmp request every second. If the icmp response is not received, 3 consecutive icmp requests will be sent. SLA reachability down will be reported after all 4 icmp responses are not received. The following diagram illustrates my goal.
 
Sender
--------------------------------------- 0 second
-> 0 sec  (1st icmp Request is sent out)
-> 50ms  (no response, send 2nd icmp after timeout)
-> 50ms  (no response, send 3rd icmp after timeout)
-> 50ms  (no response, send 4th icmp after timeout)
   50ms  Report SLA reachability down
--------------------------------------- 1 second
--------------------------------------- 2 second

Question: will the following configuration achieve my goal?
 
ip sla 100
icmp-echo 10.32.24.1 source-ip 10.32.24.2
timeout 50
frequency 1
 
ip sla monitor reaction-configuration 100 react timeout threshold-type consecutive 3 action-type triggerOnly


Cisco WAN :: Allow ICMP Traffic On ASA 5510 From LAN Interface To DMZ?

Jul 17, 2012

I want to allow ICMP traffic on ASA 5510 from LAN interface to DMZ. I've permitted any traffic and added ICMP to the inspection list also but still there is a problem. Below is the configuration. The image is asa822-k8.bin

:
ASA Version 8.2(2)
!
hostname fw-01
names
!
interface Ethernet0/0

[code]....


Cisco Firewall :: ASA 5500 And ICMP Unreachable

Jun 27, 2012

Is it really the case that the ASA will not generate ICMP Host Unreachable messages for subnets connected to any of its interfaces (in breach of RFC1812) as claimed here: [URL]

I'm investigating a situation where an organization uses ASAs to control traffic between different VLANs in their internal production systems as well as Internet traffic. They are having problems with internal load balancing because the ASAs do not (as currently configured) generate Host Unreachable packets. Can this be changed in the configuration or not? I have to say, if it can't then I'd urge them to find something else to route between their internal subnets.


D-Link DIR-655 :: Allow ICMP 8 (Ping) Pass Through?

Dec 21, 2010

I would like to pass ICMP 8 (ping) requests through the DIR-655 to my server. I found where to allow the router to respond to ICMP 8 requests; however, I do not want the router to respond, rather the server itself. Is there a way to pass these requests through to the server?


Cisco :: Regular Translation Creation Failed For ICMP Only

Apr 23, 2012

I'm connected to my remote access VPN and am getting the below error. Weird thing is I only get this error for ICMP; I can browse data on our network, retrieve files etc., but pings fail for some reason.

NAT-T is enabled

NAT rules are in place

ICMP is not blocked as can ping elsewhere

Where to begin looking as to why only ICMP fails?


Cisco Switching/Routing :: ME3800 - ACL To Match ICMP

Nov 24, 2011

We have some ME3800MX router/switches running ME380x-UNIVERSALK9-M, Version 12.2(52)EY2. The Cisco website says:

The switch does not support these Cisco IOS router ACL-related features: Non-IP protocol ACLs (see Table 26-1) or bridge-group ACLs

How would we match ICMP traffic then?








Copyrights 2005-15 www.BigResource.com, All rights reserved