Archive

Posts Tagged ‘troubleshoot’

Extended Ping – why use it?

March 1st, 2011 No comments

Typically, when you ping a host, the device will use the closest interface to the destination eg SERIAL 0/1. The problem, however, you need to test an IPSEC tunnel that’s linked to another interface on that device. Let’s assume my LAN interface on my Cisco router is 172.16.1.1. I need to test whether my IPSEC POINT-to-POINT tunnel will generate and pass traffic. Without access to a PC at that location is where extended ping comes in. With extended ping, it’s possible to initiate interesting traffic from a particular interface to cause an event remotely. It’s simple at an enabled prompt example below:

    Assumptions:
  • Each device is already configured with a POINT-to-POINT tunnel.
  • Access-lists are in place to allow our network (172.16.1.0/24) to access (10.45.4.0/24)

    •  

    gateway-rtr#
    gateway-rtr#ping
    Protocol [ip]:
    Target IP address: 10.45.4.101
    Repeat count [5]:
    Datagram size [100]:
    Timeout in seconds [2]:
    Extended commands [n]: y
    Source address or interface: 172.16.1.1
    Type of service [0]:
    Set DF bit in IP header? [no]:
    Validate reply data? [no]:
    Data pattern [0xABCD]:
    Loose, Strict, Record, Timestamp, Verbose[none]:
    Sweep range of sizes [n]:
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 10.45.4.101, timeout is 2 seconds:
    Packet sent with a source address of 172.16.1.1
    .!!!!
    Success rate is 80 percent (4/5), round-trip min/avg/max = 32/33/36 ms
    gateway-rtr#

    Notice the first ping failed. This is due to the time it took to bring up the IPSEC tunnel. As confirmation, you’ll notice where the ping packet was sent from.

    Categories: Firewalls, Network Tags: , , , , ,