[c-nsp] Weird traceroutes through Firewall Services Module (FWSM)

Sam Stickland sam_mailinglists at spacething.org
Tue May 16 08:28:35 EDT 2006


Hi,

We have some weirdness with the FWSM blades and traceroutes. If you try to
trace through an FWSM blade then from the moment it hits the FWSM all the
hops appear to be the final one:

For example:

# traceroute 10.20.232.20
traceroute to 10.20.232.20 (10.20.232.20), 30 hops max, 38 byte packets
 1  10.20.1.254   1.807 ms  2.932 ms  0.279 ms
 2  10.20.255.21  0.387 ms  0.232 ms  0.303 ms
 3  10.20.232.20  0.628 ms  0.624 ms  0.638 ms
 4  10.20.232.20  1.038 ms  0.718 ms  0.653 ms

Hop 3 is actually the FWSM blade. If there were more hops behind the blade
they would all show up as 10.20.232.20. The FWSM blade is NAT translating,
but why would it not show up in the traceroute? Surely its outside-facing
interface would return the ICMP TTL Exceeded?

We can see that it doesn't manually:

# ping -t2 10.20.232.20
PING 10.20.232.20 (10.20.232.20) 56(84) bytes of data.
From 10.20.255.21 icmp_seq=0 Time to live exceeded
From 10.20.255.21 icmp_seq=1 Time to live exceeded

# ping -t3 10.20.232.20
PING 10.20.232.20 (10.20.232.20) 56(84) bytes of data.
From 10.20.232.20 icmp_seq=0 Time to live exceeded
From 10.20.232.20 icmp_seq=1 Time to live exceeded

# ping -t4 10.20.232.20
PING 10.20.232.20 (10.20.232.20) 56(84) bytes of data.
64 bytes from 10.20.232.20: icmp_seq=0 ttl=252 time=0.685 ms
64 bytes from 10.20.232.20: icmp_seq=1 ttl=252 time=0.781 ms

This strikes me as odd. Fixup protocol icmp has no effect here.

Any ideas?

Sam
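The symptom in the post is mechanical enough to check for automatically: in a healthy traceroute only the final hop answers from the destination address, so any earlier hop reporting that address (while still returning TTL exceeded, as the ping -t3 run above confirms) is a device whose real address is being hidden. The script below parses traceroute output and flags such hops. It is an added example and is not from the original post or from Cisco; the first sample is the traceroute pasted above, the second is a constructed comparison path with no hidden hop.

```python
"""Flag traceroute hops that answer with the destination's address before the
final hop.  Added example only; not from the original post or from Cisco.
SAMPLE_FWSM is the traceroute pasted in the post; SAMPLE_NORMAL is constructed."""
import re
from typing import Dict, List, Optional, Tuple

Hop = Tuple[int, Optional[str]]

# Traceroute output as pasted in the post above.
SAMPLE_FWSM = """\
traceroute to 10.20.232.20 (10.20.232.20), 30 hops max, 38 byte packets
 1  10.20.1.254   1.807 ms  2.932 ms  0.279 ms
 2  10.20.255.21  0.387 ms  0.232 ms  0.303 ms
 3  10.20.232.20  0.628 ms  0.624 ms  0.638 ms
 4  10.20.232.20  1.038 ms  0.718 ms  0.653 ms
"""

# Constructed comparison: every intermediate hop answers with its own address.
SAMPLE_NORMAL = """\
traceroute to 10.20.232.20 (10.20.232.20), 30 hops max, 38 byte packets
 1  10.20.1.254   1.807 ms  2.932 ms  0.279 ms
 2  10.20.255.21  0.387 ms  0.232 ms  0.303 ms
 3  10.20.255.22  0.628 ms  0.624 ms  0.638 ms
 4  10.20.232.20  1.038 ms  0.718 ms  0.653 ms
"""

_IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
_HEADER = re.compile(r"^traceroute to \S+ \((" + _IPV4.pattern + r")\)")
_HOP_LINE = re.compile(r"^\s*(\d+)\s+(.*)$")


def parse_traceroute(text: str) -> Tuple[Optional[str], List[Hop]]:
    """Return the destination address and an ordered list of (hop, responder).

    A hop that timed out ('* * *') gets responder None.  Lines of the form
    'name (1.2.3.4)' are handled by taking the first IPv4 literal on the line."""
    dest: Optional[str] = None
    hops: List[Hop] = []
    for line in text.splitlines():
        m = _HEADER.match(line)
        if m:
            dest = m.group(1)
            continue
        m = _HOP_LINE.match(line)
        if not m:
            continue
        addr = _IPV4.search(m.group(2))
        hops.append((int(m.group(1)), addr.group(0) if addr else None))
    return dest, hops


def find_masked_hops(text: str) -> Dict[str, object]:
    """Identify hops whose real address is hidden.

    Only the last hop should answer from the destination address (it replies
    instead of sending TTL exceeded).  Any earlier hop already reporting the
    destination address sent TTL exceeded but not from its own address, so it
    is listed in 'masked_hops'.  'last_visible' is the last responder before
    that point, i.e. the last device on the path that is still identifiable."""
    dest, hops = parse_traceroute(text)
    if dest is None or not hops:
        return {"destination": dest, "masked_hops": [], "last_visible": None}
    masked = [n for n, addr in hops[:-1] if addr == dest]
    last_visible: Optional[str] = None
    for _, addr in hops:
        if addr == dest:
            break
        if addr is not None:
            last_visible = addr
    return {"destination": dest, "masked_hops": masked, "last_visible": last_visible}


if __name__ == "__main__":
    for name, sample in (("fwsm", SAMPLE_FWSM), ("normal", SAMPLE_NORMAL)):
        print(name, find_masked_hops(sample))
```

Run against the post's own output it reports hop 3 as masked and 10.20.255.21 as the last visible device, which matches the poster's reading that hop 3 is the FWSM; the constructed path reports nothing masked. Feed it the output of `traceroute` (or `traceroute -n`) for any path you suspect crosses a NAT firewall.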


