Troubleshooting Cheat Sheets

ICMP is a message service for networking devices. It works in the background supplying information related to network connectivity, but it is also used under the hood in diagnostic utilities. You might already be familiar with echo and echo-reply messages. These are ICMP packets sent and received with a ping.

ping 10.1.1.1
!!!!!          

Life is good. We have connectivity. This returned five ICMP echo-replies.

When a ping fails, ICMP gives you a hint about the cause. But as a troubleshooter, if you don’t know how to interpret that message, all you know is that the ping failed and you’re not sure what to check next.

 

The cheat sheets provided here of ICMP messages generated from pings, traceroutes, Telnet, and SSH, will help you to narrow the cause of your problem with cat-like quickness.

 

 

PING CHEAT SHEET
U.U.U  =    No route or ACL is blocking
…..       =    Have route, but unable to connect to host. Timed out.

 

ping 10.1.1.1
U.U.U

Each U stands for Unreachable. But what’s up with the dots? Why not a U five times? It’s because IPv4 rate limits ICMP messages. You only are allowed one ICMP message every 500 milliseconds by default, so the dots between each U is it timing out. IPv6 doesn’t rate limit these messages, so with an unreachable IPv6 ping, you would see UUUUU.

Here’s what you can try first when you get the U.U.U message. Ping another device (one you know that exists) on the same subnet: 10.1.1.2, for example. If your ping to 10.1.1.2 returns !!!!!, then you know that it is definitely not a routing problem because you are successfully getting to the 10.1.1.0 network. Looking at the cheat sheet, it must be an access list blocking the traffic for 10.1.1.1.

If your second ping also returned U.U.U, check the routing tables along the way. If routing checks out, start looking for ACLs along the path blocking your traffic.

 

TELNET/SSH CHEAT SHEET
% Destination unreachable; gateway or host down = No route or ACL is blocking
% Connection refused by remote host = Service not running on destination device
Password required, but none set = No Telnet or SSH credentials configured

 

There’s that word again: Unreachable. Even though this is an error message you see with Telnet or SSH, it’s STILL an ICMP Unreachable message and it STILL means either no route or an ACL is blocking the traffic. To track it down, it’s the same as Unreachable pings. Check your routing, check for ACLs.

Connection refused sounds like the service is running but you’re just not allowed to access it. However, what it really means is that the service is not open on the destination device. For example, if you forgot to configure SSH on a router and attempted to SSH to it anyway, you would get a Connection Refused message.

Or maybe SSH is enabled, but no credentials have been configured. In this case, you would see Password required, but none set.

 

TRACEROUTE CHEAT SHEET
* * *   =   Connection timed out
!A       =   Administratively prohibited

 


There are a couple of reasons you see ***.  It’s possible that the ICMP messages that normally tell you each router you are passing through have been blocked in an attempt to give hackers less information about your network. It could also be due to going through an MPLS cloud. MPLS doesn’t route the same way to forward packets. It performs label switching instead.When traceroute returns:

!A it means that it is administratively prohibited. In other words, there is an ACL blocking the traffic. The nice thing is, it will also indicate the IP address of the router that sent this message. Therefore, you know exactly where the ACL is. You have the address of the router doing the blocking. Go there and fix it.

Comments