Ping Fails Because of ICMP Automatic Protection on an S3300

Publication Date: 2013-01-07
Issue Description

Topology: NE40E------CISCO7609------S3300-------Internet café or leased-line PC

The devices are connected through Layer 3 interfaces. The user gateway is the S3300.

Version: S3300 V100R002C02B181SPC001 (the newly released universal version)

Symptom: The internal PC cannot ping the external PC, but the online services are running properly.

 

Handling Process

The leased-line PC can ping the other PCs that are directly connected to it, so the problem does not lie in the leased-line PC. Check the configurations on all participating devices: none contains a configuration that prevents ICMP packets from being transmitted. Perform a segment-by-segment ping test. The NE40E and CISCO7609 forward the ICMP packets normally, but the ICMP packets that pass through the S3300 are discarded. However, no ACL or traffic policy is configured on the S3300.

Run the display acl resource command and find that the S3300 automatically delivers two ACLs.

The S3300 running V100R002C02B181SPC001 supports ICMP automatic protection, which is enabled by default. If a GE interface receives more than 20 ICMP packets destined for the CPU each second, or an FE interface receives more than 10 such packets, the S3300 automatically delivers ACLs to its interfaces to block ICMP packets. (Note: Only ICMP packets sent to the CPU of the S3300 can trigger automatic protection. ICMP packets forwarded through the switch to another destination cannot trigger it. However, after an ACL is delivered to an interface, all ICMP packets that traverse this interface are affected.)

Analysis of the captured packets shows that some ICMP packets from the outside network are sent to the S3300 with the S3300's own address as the destination address. As a result, the S3300 delivers an ACL to its upstream interface that forbids ICMP packets from the outside network.
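
The following is an added example, not part of the original case or Huawei's tooling: it replays the trigger described above over parsed capture records to show which interface would trip and which transit ICMP packets are then dropped. The interface names, addresses, fixed one-second counting window and the ACL staying in place once delivered are assumptions.

```python
from collections import Counter

# Thresholds from the page: CPU-bound ICMP packets per second, by interface type.
THRESHOLD_PPS = {"GE": 20, "FE": 10}

def find_trips(packets, switch_addrs, if_types):
    """Map each interface to the first second in which ICMP addressed to the
    switch itself exceeded the threshold for that interface type.
    packets: (timestamp_s, ingress_interface, dst_ip) tuples, ICMP only.
    Assumption: the rate is counted over fixed one-second windows."""
    per_second = Counter()
    for ts, ifname, dst in packets:
        if dst in switch_addrs:  # transit ICMP never counts toward the trigger
            per_second[(ifname, int(ts))] += 1
    trips = {}
    for (ifname, sec), count in sorted(per_second.items(), key=lambda kv: kv[0][1]):
        if count > THRESHOLD_PPS[if_types[ifname]]:
            trips.setdefault(ifname, sec)
    return trips

def blocked_transit(packets, switch_addrs, trips):
    """Transit ICMP arriving on an interface after its ACL was delivered.
    Assumption: the ACL applies from the following second and stays in place."""
    return [p for p in packets
            if p[2] not in switch_addrs and p[1] in trips and int(p[0]) > trips[p[1]]]

# Constructed sample data (addresses and interface names are placeholders).
SWITCH_ADDRS = {"192.0.2.1"}
IF_TYPES = {"GigabitEthernet0/0/1": "GE", "Ethernet0/0/5": "FE"}

def build_sample():
    uplink, access = "GigabitEthernet0/0/1", "Ethernet0/0/5"
    pkts = [(100 + i / 25, uplink, "192.0.2.1") for i in range(25)]  # 25 pps to the switch
    pkts += [(100 + i / 8, access, "192.0.2.1") for i in range(8)]   # 8 pps, under the FE limit
    # Echo replies from outside returning to an internal PC through the uplink.
    pkts += [(t, uplink, "198.51.100.10") for t in (99.5, 101.2, 102.2)]
    return pkts

if __name__ == "__main__":
    sample = build_sample()
    trips = find_trips(sample, SWITCH_ADDRS, IF_TYPES)
    for ifname, sec in trips.items():
        print(f"{ifname}: threshold exceeded in second {sec}")
    print("transit ICMP dropped afterwards:", len(blocked_transit(sample, SWITCH_ADDRS, trips)))
```

In the sample, only the GE uplink trips, and the two echo replies that arrive on it afterwards are the ones an internal PC would see as a failed ping.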

After ICMP automatic protection is disabled using the undo icmp rate-limit enable command, the ping operation is performed successfully.

Root Cause

The configuration is wrong.

Solution

Use the undo icmp rate-limit enable command to disable ICMP automatic protection, and the ping operation is performed successfully.

Suggestions
By default, ICMP automatic protection is enabled on the S3300, which may cause the ping operation to fail. However, the online services can run properly. If the ping operation is not performed frequently, you are advised not to disable ICMP automatic protection on an S3300. If the ping operation must be performed, run the undo icmp rate-limit enable command to disable ICMP automatic protection on the S3300 or use the icmp rate-limit command to change the default threshold.
