Cisco Challenge 9/5/2012: ICMP Fun!

Your topology is as follows--

R1

R3

All is at their defaults except all interfaces are "no shut" with IPs assigned, static routing has been correctly configured to achieve full connectivity, and "logging console debug" is enabled.

1. On R1's console, you enable "debug ip icmp" and then "ping 3.3.3.3" (r3's address). You do not see any outgoing ICMP messages. Why?

2. On R1's console, you enable "debug ip icmp" and then "traceroute 3.3.3.3" (r3's address). You do not see any outgoing ICMP messages. Why?

3. On R2's console, you enable "debug ip icmp". On R1's console you "ping 3.3.3.3" (r3's address). You do not see any ICMP messages on R2's console. Why?

Find more posts tagged with

Comments

vinbuck

Nice one...i'm digging. I had some initial thoughts but disproved them before I could even get them typed.

NetworkVeteran

A thread yesterday got me thinking about all of the protocol's little quirks, and that a misunderstanding of them, can complicate your debugging process.

fluk3d

Comment removed... spoke to soon without thinking

networker050184

I'd assume it has to do with the processing of the messages. An incoming packet shows as the CPU processes the packet, but outgoing packets are generated and sent on their way without CPU processing in the same way.

vinbuck

@networker050184

That's what I first thought, but it seems like he is looking for something specific to the ICMP protocol, whereas if the CPU or if CEF/hardware processes a packet seems more in line with overall packet flow for all protocols.

MrBrian

Good one, we need more mind games like this everyday! As for the question, I know ICMP pretty well, but don't really ever use the "debug ip icmp" very often so not familiar with its output. Maybe I'll lab a little lol

kalebksp

Particularly curious since outgoing IPv6 echo requests are logged with "ipv6 icmp debug".

DPG

It has something to do with the ping command itself. It isn't part of IOS. I can't really figure out how to explain this.

Also, +1 for this post. It is a nice change from the usual blog-spam.

Zartanasaurus

NetworkVeteran wrote: »

Your topology is as follows--

R1
R2
R3

All is at their defaults except all interfaces are "no shut" with IPs assigned, static routing has been correctly configured to achieve full connectivity, and "logging console debug" is enabled.

1. On R1's console, you enable "debug ip icmp" and then "ping 3.3.3.3" (r3's address). You do not see any outgoing ICMP messages. Why?

2. On R1's console, you enable "debug ip icmp" and then "traceroute 3.3.3.3" (r3's address). You do not see any outgoing ICMP messages. Why?

3. On R2's console, you enable "debug ip icmp". On R1's console you "ping 3.3.3.3" (r3's address). You do not see any ICMP messages on R2's console. Why?

2) You wouldn't see anything with debug ip icmp outgoing since a UDP packet is sent for traceroute, not ICMP (as opposed to Windows which sends ICMP for tracert).

I don't have any real educated guesses on #1 and #3. I thought #3 was because of CEF/fast-switching, but even disabling it doesn't show the transit ICMP traffic. It will show up under debug ip packet though. It must be some quirk in how debug ip icmp is programmed. I'm guessing it was designed to only show ICMP traffic destined for the router and if you want to see all of the traffic, you use debug ip packet.

ETA: A quick google search reveals the answer to #1 and #3. Interesting. I was close.

NetworkVeteran

Good answers and effort everyone.

1. "debug ip icmp" doesn't show echo (type 8 ICMP messages, which is the outgoing message type when you run the IOS ping command. To observe these, you may run "debug ip packet detail" combined with an extended ACL that matches the ICMP protocol. "debug ip icmp" shows most other message types--echo-reply, time-exceeded, redirect, unreachable, etc.

2. The IOS traceroute command relies on incoming ICMP time-exceeded messages, but what it actually sends in the outbound direction are UDP messages. This has bitten me when I believed I was classifying outbound traceroute traffic with an ACL matching ICMP.

3. "debug ip icmp" and "debug ip packet" only show process-switched packets! To see transit packets on R2, disable CEF (no ip cef) and Fast Switching (no ip route-cache). Note: These operations are not recommended unless the implications in terms of feature-support (mpls, qos, etc.) are understood and the device load is low enough to permit this.

MickQ

Great stuff to know. Keep this up!