Solved

question in UDP ping from Cisco Switch and Router

Posted on 2011-10-31
Last Modified: 2012-05-12
I am trying to perform a UDP traceroute from my network to a 208.x.y.x (port 48129).
I have my core switch and my router connected to the core switch, and my router is directly connected to the 208 network. I can ping the 208 network and can also traceroute. The issue is when I am trying to ping or traceroute UDP port 48129.
I don't have any firewall.
The traceroute fails at my switch.
On the fa0/0 int of my router I have an access list (permit ip any any) and applied to the fa0/0 of my router (internal interface) as in.
I have also applied the same ACL on the fa0/1 int of my router as out.
Still, traceroute fails at the core switch. From the core switch it doesn't make it to the router.

1. I don't think I need any ACL because by default everything (all traffic) should be allowed, right? Since I don't have any other ACL in place.
2. What else can I try in order for the traceroute to make it to my router?

Any input would be appreciated.

Question by:c_hockland
21 Comments
 
LVL 34

Expert Comment

by:Istvan Kalmar
ID: 37058302
Hi,

How can you generate a UDP traceroute? Traceroute uses ICMP packets.
0
 
LVL 34

Expert Comment

by:Istvan Kalmar
ID: 37058305
please show the router config..
0
 

Author Comment

by:c_hockland
ID: 37058322
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname R1
!
aaa new-model
enable secret 5 $1$CTiV$xCdlSeS3EFuf3xEqDjfve.
!
username root password 0 yyyy
clock timezone GMT 0
ip subnet-zero
no ip source-route
!
!
no ip domain-lookup
ip domain-name a.com
ip name-server 172.20.3.21
!
partition flash 2 16 16
!
!
!
!
interface FastEthernet0/0
 ip address 172.16.14.240 255.255.255.0
 ip access-group 100 in
 duplex auto
 speed auto
!
interface Serial0/0
 no ip address
 shutdown
!
interface FastEthernet0/1
 ip address 10.201.128.20 255.255.255.0
 ip access-group 120 in
 no keepalive
 speed 100
 full-duplex
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.201.128.21
no ip http server
!
access-list 100 permit udp 172.16.14.0 0.0.0.255 208.134.161.0 0.0.0.255 range 48129 48137
access-list 100 permit tcp 172.16.14.0 0.0.0.255 208.134.161.0 0.0.0.255 range 8194 8198
access-list 100 permit tcp 172.16.14.0 0.0.0.255 208.134.161.0 0.0.0.255 range 8209 8220
access-list 100 permit tcp 172.16.14.0 0.0.0.255 208.134.161.0 0.0.0.255 range 8290 8294
access-list 100 permit ip any any
access-list 120 permit ip any any
!
line con 0
 exec-timeout 35700 0
 logging synchronous
line aux 0
line vty 0 4
 exec-timeout 35700 0
 logging synchronous
 transport input pad v120 telnet rlogin udptn
line vty 5 15
 exec-timeout 35700 0
 logging synchronous
 transport input pad v120 telnet rlogin udptn
!
end
0

 

Author Comment

by:c_hockland
ID: 37058331
I am doing a traceroute on a UDP port using the software that the vendor has provided. Using this software, my users will be connecting to his network.
0
 

Author Comment

by:c_hockland
ID: 37058339
this is the regular traceroute

Tracing route to 208.134.161.43
 1  <10 ms  <10 ms   15 ms  <10 ms  [172.16.14.1]
 2  <10 ms  <10 ms  <10 ms  <10 ms  [10.201.128.21]
 3  <10 ms   16 ms  <10 ms  <10 ms  [133.0.74.93]
 4   47 ms   47 ms   62 ms   47 ms  [172.25.85.177]
 5   47 ms   47 ms   47 ms   46 ms  [172.24.65.181]
 6   47 ms   47 ms   47 ms   63 ms  [172.22.160.69]
 7   62 ms   47 ms   47 ms   47 ms  [172.22.222.10]
 8   62 ms   47 ms   47 ms   47 ms  [172.22.110.3]
 9   47 ms   46 ms   46 ms   46 ms  [208.134.161.43]
Trace complete.



this is the UDP traceroute

UDP traceroute host: 208.134.161.43, port: 48129
 1   16 ms  <10 ms  <10 ms  <10 ms  [172.16.14.1]
 2  <10 ms  <10 ms  <10 ms  <10 ms  [172.16.14.1]
 3  <10 ms  <10 ms  <10 ms  <10 ms  [172.16.14.1]
 4  <10 ms  <10 ms  <10 ms  <10 ms  [172.16.14.1]
 5  <10 ms  <10 ms  <10 ms  <10 ms  [172.16.14.1]
0
 
LVL 50

Expert Comment

by:Don Johnston
ID: 37059640
What are the devices with IP address 172.16.14.1 and 10.201.128.21?
0
 

Author Comment

by:c_hockland
ID: 37059776
14.1 is my core switch. This is where it dies.
128.21 is the other network that I am trying to ping.

0
 
LVL 50

Expert Comment

by:Don Johnston
ID: 37060021
>14.1 is my core switch. This is where it dies.  

Then THAT is the config we need to see.

>128.21 is the other network that I am trying to ping.

Not according to your previous post: "UDP traceroute host: 208.134.161.43, port: 48129"
0
 

Author Comment

by:c_hockland
ID: 37062535
I got Cisco involved on this one...After 5 hrs on the phone and doing packet tracing they determined they need to collect all logs and all packet tracing files and will get back with me today ..hopefully with a solution.
I will let you all know.
0
 
LVL 50

Expert Comment

by:Don Johnston
ID: 37062607
If you post the config of the 14.1 device, that would help.
0
 

Author Comment

by:c_hockland
ID: 37062815
OK, give me a few and I will post it.
0
 

Author Comment

by:c_hockland
ID: 37062842
Current configuration : 25411 bytes
!
! Last configuration change at 22:45:15 GMT Mon Oct 31 2011 by nick.laoutaris
! NVRAM config last updated at 21:25:21 GMT Mon Oct 24 2011 by christian.diaz
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname sw01
!
boot-start-marker
boot-end-marker
!

!

aaa new-model

interface Vlan114
 description --- Client A ---
 ip address 172.16.14.1 255.255.255.0
 ip helper-address 172.16.3.25
 ip directed-broadcast


router eigrp 100
 passive-interface Vlan102
 passive-interface Vlan103
 passive-interface Vlan104
 passive-interface Vlan105
 passive-interface Vlan106
 passive-interface Vlan107
 passive-interface Vlan108
 passive-interface Vlan109
 passive-interface Vlan110
 passive-interface Vlan111
 passive-interface Vlan112
 passive-interface Vlan113
 passive-interface Vlan114
 passive-interface Vlan115
 passive-interface Vlan121
 no auto-summary
 network 172.16.0.0


!
router eigrp 100
 passive-interface Vlan102
 passive-interface Vlan103
 passive-interface Vlan104
 passive-interface Vlan105
 passive-interface Vlan106
 passive-interface Vlan107
 passive-interface Vlan108
 passive-interface Vlan109
 passive-interface Vlan110
 passive-interface Vlan111
 passive-interface Vlan112
 passive-interface Vlan113
 passive-interface Vlan114
 passive-interface Vlan115
 passive-interface Vlan121
 no auto-summary
 network 172.16.0.0
!
ip classless
ip forward-protocol udp 48129
ip route 0.0.0.0 0.0.0.0 172.16.1.10 name ---->PIX_Internal_Int
ip route 10.201.128.0 255.255.255.0 172.16.14.240
ip route 69.184.0.0 255.255.0.0 172.16.14.240
ip route 69.191.192.0 255.255.192.0 172.16.14.240
ip route 160.43.250.0 255.255.255.0 172.16.14.240
ip route 199.105.176.0 255.255.255.0 172.16.14.240
ip route 199.105.184.0 255.255.255.0 172.16.14.240
ip route 205.183.246.0 255.255.255.0 172.16.14.240
ip route 205.216.112.0 255.255.255.0 172.16.14.240
ip route 206.156.53.0 255.255.255.0 172.16.14.240
ip route 208.22.56.0 255.255.255.0 172.16.14.240
ip route 208.22.57.0 255.255.255.0 172.16.14.240
ip route 208.134.161.0 255.255.255.0 172.16.14.240
no ip http server
no ip http secure-serve


!        
line con 0
line vty 0 4
 exec-timeout 35777 0
 logging synchronous
 login authentication SecureShell
 transport input ssh
line vty 5 15
 exec-timeout 35777 0
 logging synchronous
 login authentication SecureShell
 transport input ssh
!        
0
 
LVL 50

Expert Comment

by:Don Johnston
ID: 37062895
Sigh...

The packet is getting dropped at the 172.16.14.1 device. If we can't see the config of that device, there is no way to troubleshoot the problem. Showing the config of one interface is of little help.
0
 

Author Comment

by:c_hockland
ID: 37062909
The config I just posted is the switch 172.16.14.1 :-)
0
 
LVL 50

Accepted Solution

by:
Don Johnston earned 2000 total points
ID: 37062983
The config you just posted has only one layer 3 interface.  In troubleshooting a problem, tracing the flow of the traffic through network devices is an important step.

The successful traceroute you posted has the packet entering the 172.16.14.1 device. The packet had to leave somehow. In this case, out the interface with an IP address of 10.201.128.21.

0
 

Author Comment

by:c_hockland
ID: 37063016
172.16.14.1 is my core switch
10.201.128.20 is the fa0/1 of my router
10.201.128.21 is the fa0/0 of the vendor's router

So when I do ping or traceroute I can get to the vendor's network,
BUT the application we are using must get to the other network using UDP ports, and when I use the small "tester utility" to send a traceroute on UDP port 48130 it gets stuck on my core switch.

UDP traceroute host: 208.134.161.11, port: 48130
 1  <10 ms  <10 ms  <10 ms  <10 ms  [172.16.14.1]
 2  <10 ms  <10 ms  <10 ms  <10 ms  [172.16.14.1]
 3  <10 ms  <10 ms  <10 ms  <10 ms  [172.16.14.1]
 4  <10 ms  <10 ms  <10 ms   16 ms  [172.16.14.1]
 5  <10 ms  <10 ms  <10 ms  <10 ms  [172.16.14.1]
0
 

Author Comment

by:c_hockland
ID: 37063023
I also added access lists on my router ("permit ip any any") but it did not solve the issue.
0
 

Author Comment

by:c_hockland
ID: 37063029
This is a regular traceroute:

Tracing route to 208.134.161.11
 1  <10 ms  <10 ms  <10 ms  <10 ms  [172.16.14.1]
 2       *  <10 ms  <10 ms  <10 ms  [10.201.128.21]
 3  <10 ms  <10 ms   16 ms  <10 ms  [133.0.74.93]
 4   47 ms   46 ms   47 ms   47 ms  [172.25.85.177]
 5   47 ms   47 ms   47 ms   47 ms  [172.24.65.181]
 6   47 ms   46 ms   47 ms   47 ms  [172.22.160.65]
 7   47 ms   47 ms   47 ms   47 ms  [208.134.161.3]
 8   45 ms   45 ms   45 ms   45 ms  [208.134.161.11]
Trace complete.
0
 
LVL 34

Expert Comment

by:Istvan Kalmar
ID: 37063059
What does the ACL show, is the packet reaching the router?

'sh access-list' shows the matches.
0
 

Author Comment

by:c_hockland
ID: 37063093
That's on my router... I haven't applied these ACLs on any interface.

#sh ip access-lists
Extended IP access list 100
    permit udp 172.16.14.0 0.0.0.255 208.134.161.0 0.0.0.255 range 48129 48137
    permit tcp 172.16.14.0 0.0.0.255 208.134.161.0 0.0.0.255 range 8194 8198
    permit tcp 172.16.14.0 0.0.0.255 208.134.161.0 0.0.0.255 range 8209 8220
    permit tcp 172.16.14.0 0.0.0.255 208.134.161.0 0.0.0.255 range 8290 8294
    permit ip any any (85875 matches)
Extended IP access list 120
    permit ip any any (1707592 matches)
0
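
Reading the `sh ip access-lists` counters above against one specific probe, as an added example (not code from the thread or from Cisco): this Python code parses the output, applies wildcard-mask first-match evaluation, and reports which entry a UDP probe to 208.134.161.43 port 48129 would hit and how many matches that entry has recorded. The ACL 100 text is abridged from the post, the source host 172.16.14.50 used in testing is a constructed value, and the parser assumes only the `any` and address-plus-wildcard forms that appear in this output.

```python
import ipaddress
import re

# Constructed sample: abridged from the 'sh ip access-lists' output in the post above.
SHOW_OUTPUT = """\
Extended IP access list 100
    permit udp 172.16.14.0 0.0.0.255 208.134.161.0 0.0.0.255 range 48129 48137
    permit tcp 172.16.14.0 0.0.0.255 208.134.161.0 0.0.0.255 range 8194 8198
    permit ip any any (85875 matches)
Extended IP access list 120
    permit ip any any (1707592 matches)
"""
ACE = re.compile(
    r"^\s+(permit|deny) (\S+) (any|\S+ \S+) (any|\S+ \S+)"
    r"(?: range (\d+) (\d+))?(?: \((\d+) match(?:es)?\))?\s*$")

def parse_acls(text):
    """Return {acl_name: [entry, ...]} in configured (evaluation) order."""
    acls, current = {}, None
    for line in text.splitlines():
        if line.startswith("Extended IP access list"):
            current = acls.setdefault(line.split()[-1], [])
            continue
        m = ACE.match(line)
        if m and current is not None:
            action, proto, src, dst, lo, hi, hits = m.groups()
            # hits is 0 when IOS prints no "(N matches)" suffix on the entry
            current.append({"action": action, "proto": proto, "src": src, "dst": dst,
                            "ports": (int(lo), int(hi)) if lo else None,
                            "hits": int(hits or 0), "text": line.strip()})
    return acls

def addr_matches(spec, ip):
    """Cisco wildcard match: bits set to 1 in the wildcard are ignored."""
    if spec == "any":
        return True
    base, wildcard = (int(ipaddress.IPv4Address(p)) for p in spec.split())
    care = ~wildcard & 0xFFFFFFFF
    return int(ipaddress.IPv4Address(ip)) & care == base & care

def first_match(entries, proto, src, dst, dport):
    """First-match evaluation; None means the implicit deny at the end."""
    for e in entries:
        ports_ok = e["ports"] is None or e["ports"][0] <= dport <= e["ports"][1]
        if (e["proto"] in ("ip", proto) and addr_matches(e["src"], src)
                and addr_matches(e["dst"], dst) and ports_ok):
            return e
    return None
```

A zero counter on the entry the probe should hit, next to a busy `permit ip any any`, means that probe has not been evaluated by this ACL, which is consistent with the UDP traceroute stopping at 172.16.14.1.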
 
LVL 50

Expert Comment

by:Don Johnston
ID: 37066253
It's getting stuck on the 172.16.14.1 device. Without seeing the config of that device, there's nothing we can do other than wildly speculate.
0


Question has a verified solution.
