Using the S/N/K-Series Router Debug Packet Filter to Resolve a Ping Issue

Article ID: 14495 

S-Series, all firmware
Matrix N-Series DFE, firmware and higher
K-Series, all firmware 

This article describes an additional use of the router "Debug IP/Packet" feature, building on what is explained in article 14661.

When a user cannot ping an S/N/K-Series switch-host itself, yet can ping through it to end stations on the far side, the debug packet filter command can be used to determine where and why the local switch-host drops the pings.

Taking the non-replying switch-host's IP address as the target, create an access-list that matches ICMP to and from that address only, and apply it as the filter for the debug ip packet process so that only traffic involving that address is reported.
S3(su-router-config)->ip access-list extended vlan1326
S3(su-router-cfg-ext-acl-vlan1326)->permit icmp any host
S3(su-router-cfg-ext-acl-vlan1326)->permit icmp host any

S3(su-router-config)->debug packet control limit 30
S3(su-router-config)->set logging here enable
S3(su-router-config)->debug packet filter access-list vlan1326
The control limit caps the number of packets the debug process reports, so the session is not flooded; "set logging here enable" displays the log messages on the current CLI session, and the filter restricts reporting to packets matching the access-list.

S3(su-router-config)-><165>Feb 25 19:52:06 DbgIpPkt[1][1]
[SEND] Rule hit[2: permit icmp host any] out intf 2090, PKT:
InPort(ge.1.7) LEN(78) DA(00:1F:45:A1:3D:CB) SA(00:11:88:E5:F1:E0)
TAG(8100:452E) ETYPE(0800) SIP( DIP( VER(4) HLEN(5)
TOTALLEN(56) PROTO(1) TOS(192) TTL(30) ICMP(3:1) , *** FATE: Forwarding,, out port ge.1.47, flow allowed
<165>Feb 25 19:53:17 HostDoS[1] Attack ( icmpFlood ) detected
on vlan.0.1326 [ InPort(ge.1.7) LEN(106) DA(00:1F:45:A1:3D:CB)
SA(00:11:88:E5:F1:E0) TAG(8100:452E) ETYPE(0800) SIP(
ICMP(8:0) ]
In this case the debug output shows the echo request (ICMP(8:0)) arriving on ge.1.7 being reported by the HostDoS icmpFlood mechanism as an attack; that check is what dropped the packet.
Disabling HostDoS icmpFlood, or setting its rate threshold to a non-zero value suited to the network, will resolve the issue. Raising the threshold is preferable to disabling the check, since disabling it removes the switch-host's protection against ICMP floods.
(Note that with firmware 7.91.01.xxxx and higher, the default hostDoS rate settings for icmpFlood and synFlood are 4294967294 rather than zero.)

Once the cause has been identified, remove the test configuration:
S3(su-router-config)->debug packet stop
S3(su-router-config)->set logging here disable
S3(su-router-config)->no ip access-list extended vlan1326
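As an added example (not code from the article or from the switch vendor), the following Python script parses DbgIpPkt and HostDoS records in the format shown above, re-joins lines that the console wrapped, and reports for the switch-host address whether each ICMP packet was forwarded or dropped by a HostDoS check. The sample log text, the addresses (192.0.2.x from the RFC 5737 documentation range) and the switch-host IP are constructed for this example and are not taken from the article.

```python
"""Classify S/N/K-Series "debug packet" and HostDoS output for one switch-host.

Added example: re-joins console-wrapped syslog records, parses the
Name(value) fields, and reports per packet whether the switch forwarded it
or a HostDoS check reported (and dropped) it.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Assumed switch-host address for this example (constructed, RFC 5737 range).
SWITCH_HOST = "192.0.2.1"

# Constructed sample output, wrapped the way the console shows it. Record 1
# is the switch-host sending a host-unreachable (ICMP 3:1) to a client; record
# 2 is the client's echo request to the switch-host caught by icmpFlood;
# record 3 is an icmpFlood event for a different host and must be ignored.
SAMPLE_LOG = """\
<165>Feb 25 19:52:06 DbgIpPkt[1][1]
[SEND] Rule hit[2: permit icmp host 192.0.2.1 any] out intf 2090, PKT:
InPort(ge.1.7) LEN(78) DA(00:11:88:E5:F1:E0) SA(00:1F:45:A1:3D:CB)
TAG(8100:452E) ETYPE(0800) SIP(192.0.2.1) DIP(192.0.2.50) VER(4) HLEN(5)
TOTALLEN(56) PROTO(1) TOS(192) TTL(30) ICMP(3:1) , *** FATE: Forwarding,, out port ge.1.7, flow allowed
<165>Feb 25 19:53:17 HostDoS[1] Attack ( icmpFlood ) detected
on vlan.0.1326 [ InPort(ge.1.7) LEN(106) DA(00:1F:45:A1:3D:CB)
SA(00:11:88:E5:F1:E0) TAG(8100:452E) ETYPE(0800) SIP(192.0.2.50) DIP(192.0.2.1)
ICMP(8:0) ]
<165>Feb 25 19:53:17 HostDoS[1] Attack ( icmpFlood ) detected
on vlan.0.1326 [ InPort(ge.1.9) LEN(106) DA(00:1F:45:A1:3D:CB)
SA(00:11:88:E5:F1:E1) TAG(8100:452E) ETYPE(0800) SIP(192.0.2.51) DIP(192.0.2.2)
ICMP(8:0) ]
"""

HEADER_RE = re.compile(r"^<\d+>(\w{3} +\d+ \d\d:\d\d:\d\d) (DbgIpPkt|HostDoS)\b(.*)$")
FIELD_RE = re.compile(r"\b([A-Z][A-Za-z]*)\(([^()]*)\)")   # Name(value) pairs
FATE_RE = re.compile(r"FATE: (\w+)")
ATTACK_RE = re.compile(r"Attack \( (\w+) \)")
DIR_RE = re.compile(r"\[(SEND|RECV)\]")


@dataclass
class Packet:
    time: str
    subsystem: str            # "DbgIpPkt" or "HostDoS"
    direction: Optional[str]  # "SEND"/"RECV" for DbgIpPkt, None for HostDoS
    in_port: str
    sip: str
    dip: str
    icmp: tuple               # (type, code), (-1, -1) if not ICMP
    verdict: str              # "forwarded", "fate: ...", or "dropped: HostDoS ..."


def join_wrapped(text: str) -> list:
    """A line that does not start with a syslog priority <nnn> continues the
    previous record; return one string per record."""
    records: list = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if re.match(r"<\d+>", line):
            records.append(line)
        elif records:
            records[-1] += " " + line
    return records


def parse_record(record: str) -> Optional[Packet]:
    """Parse one joined record; None for records that are not packet reports."""
    m = HEADER_RE.match(record)
    if not m:
        return None
    time, subsystem, rest = m.groups()
    fields = dict(FIELD_RE.findall(rest))
    if "SIP" not in fields or "DIP" not in fields:
        return None
    icmp = tuple(int(x) for x in fields.get("ICMP", "-1:-1").split(":"))
    if subsystem == "HostDoS":
        a = ATTACK_RE.search(rest)
        verdict = f"dropped: HostDoS {a.group(1) if a else 'unknown'}"
        direction = None
    else:
        f = FATE_RE.search(rest)
        fate = f.group(1) if f else "unknown"
        verdict = "forwarded" if fate == "Forwarding" else f"fate: {fate}"
        d = DIR_RE.search(rest)
        direction = d.group(1) if d else None
    return Packet(time, subsystem, direction, fields.get("InPort", "?"),
                  fields["SIP"], fields["DIP"], icmp, verdict)


def packets_for_host(text: str, host: str) -> list:
    """Every parsed record in which `host` is the IP source or destination."""
    out = []
    for rec in join_wrapped(text):
        p = parse_record(rec)
        if p and host in (p.sip, p.dip):
            out.append(p)
    return out


def summarize(packets: list) -> dict:
    """Count packets per verdict; a 'dropped: ...' key names the drop cause."""
    return dict(Counter(p.verdict for p in packets))


if __name__ == "__main__":
    pkts = packets_for_host(SAMPLE_LOG, SWITCH_HOST)
    for p in pkts:
        print(f"{p.time} {p.subsystem:9} in {p.in_port:7} {p.sip} -> {p.dip} "
              f"ICMP{p.icmp} {p.verdict}")
    print(summarize(pkts))
```

HostDoS events are not subject to the debug packet access-list filter, so filtering on the switch-host address in the script is what keeps unrelated icmpFlood reports (such as the third sample record) out of the summary.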
Also see this HowTo Video which demonstrates use of the "Debug IP/Packet" feature.
Posted by FAQ User (Official Rep), 4 years ago.