Cisco Bug: CSCun79728 - Anyconnect rewrites ICMP errors interfering with TCP traceroute

Last Modified

Nov 06, 2018

Products (1)

  • Cisco AnyConnect Secure Mobility Client

Known Affected Releases

3.1(4074)

Description (partial)

Symptom:
This prevents examining the TCP path through a network, which in many environments is different from the UDP path (e.g., transparent TCP proxies, TCP filtering, TCP routing differs from UDP routing).

Conditions:
Examining the returned ICMP errors with tcpdump shows that the ICMP "Time To Live Exceeded" messages carry the source address of the destination (74.125.25.103), whereas they should carry the source address of the router that generated the error. TCPDUMP shows:

$ sudo tcpdump -i 2 -vv icmp
tcpdump: listening on utun0, link-type NULL (BSD loopback), capture size 65535 bytes
12:41:03.469642 IP (tos 0xc0, ttl 255, id 4789, offset 0, flags [none], proto ICMP (1), length 56)
    pc-in-f147.1e100.net > sjc-vpn7-622.cisco.com: ICMP time exceeded in-transit, length 36
	IP (tos 0x0, ttl 1, id 39695, offset 0, flags [none], proto TCP (6), length 40)
    sjc-vpn7-622.cisco.com.54762 > pc-in-f147.1e100.net.http: [|tcp]
12:41:03.502365 IP (tos 0xc0, ttl 255, id 4794, offset 0, flags [none], proto ICMP (1), length 56)
    pc-in-f147.1e100.net > sjc-vpn7-622.cisco.com: ICMP time exceeded in-transit, length 36
	IP (tos 0x0, ttl 1, id 26392, offset 0, flags [none], proto TCP (6), length 40)
    sjc-vpn7-622.cisco.com.54762 > pc-in-f147.1e100.net.http: [|tcp]
...

UDP traceroute looks normal.

Note: On OS X 10.8.5 and 10.9.2, "traceroute -P tcp" does not seem to function at all, so this test was done using Homebrew's tcptraceroute. With the AnyConnect tunnel down, Homebrew's tcptraceroute works as expected.
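As an added illustration (not part of the Cisco bug report), the following Python parses tcpdump lines like those above and flags "time exceeded" errors whose outer source address equals the destination quoted in the embedded probe. That is exactly what the tunnel-up capture shows and what a genuine transit router never produces, so the check separates a rewriting middlebox from normal hop replies. The two sample captures are constructed for this example: the first reproduces the lines above, the second shows a healthy hop reply with the assumed router name hop1.example.net.

```python
"""Flag ICMP "time exceeded" replies whose source is the probe's destination.

Added example for CSCun79728; not Cisco code.  The captures below are
constructed for the example (the first mirrors the tcpdump output in the
bug report, the second uses an assumed router name).
"""
import re
from dataclasses import dataclass

# Outer ICMP line (the continuation line tcpdump prints after the timestamp), e.g.
#   pc-in-f147.1e100.net > sjc-vpn7-622.cisco.com: ICMP time exceeded in-transit, length 36
OUTER_RE = re.compile(r"^\s*(?P<src>\S+) > (?P<dst>\S+): ICMP time exceeded in-transit")

# Quoted probe header inside the ICMP error (host.port > host.port:), e.g.
#   sjc-vpn7-622.cisco.com.54762 > pc-in-f147.1e100.net.http: [|tcp]
# This pattern would also match the outer line, so OUTER_RE is tried first.
INNER_RE = re.compile(r"^\s*(?P<src>\S+)\.(?P<sport>\w+) > (?P<dst>\S+)\.(?P<dport>\w+):")


@dataclass
class TimeExceeded:
    icmp_src: str    # host that emitted the ICMP error (should be a transit router)
    probe_dst: str   # destination of the probe quoted inside the error
    rewritten: bool  # True when icmp_src == probe_dst, i.e. the error was rewritten


def parse_time_exceeded(lines):
    """Pair each 'ICMP time exceeded' line with the quoted probe that follows it."""
    results = []
    pending_src = None
    for line in lines:
        m = OUTER_RE.match(line)
        if m:
            pending_src = m.group("src")
            continue
        m = INNER_RE.match(line)
        if m and pending_src is not None:
            probe_dst = m.group("dst")
            results.append(TimeExceeded(pending_src, probe_dst, pending_src == probe_dst))
            pending_src = None
    return results


def rewritten_count(lines):
    """Number of time-exceeded errors that appear to come from the destination itself."""
    return sum(1 for r in parse_time_exceeded(lines) if r.rewritten)


# Constructed: mirrors the tunnel-up capture from the bug report.
SAMPLE_TUNNEL_UP = """\
12:41:03.469642 IP (tos 0xc0, ttl 255, id 4789, offset 0, flags [none], proto ICMP (1), length 56)
    pc-in-f147.1e100.net > sjc-vpn7-622.cisco.com: ICMP time exceeded in-transit, length 36
    IP (tos 0x0, ttl 1, id 39695, offset 0, flags [none], proto TCP (6), length 40)
    sjc-vpn7-622.cisco.com.54762 > pc-in-f147.1e100.net.http: [|tcp]
12:41:03.502365 IP (tos 0xc0, ttl 255, id 4794, offset 0, flags [none], proto ICMP (1), length 56)
    pc-in-f147.1e100.net > sjc-vpn7-622.cisco.com: ICMP time exceeded in-transit, length 36
    IP (tos 0x0, ttl 1, id 26392, offset 0, flags [none], proto TCP (6), length 40)
    sjc-vpn7-622.cisco.com.54762 > pc-in-f147.1e100.net.http: [|tcp]
"""

# Constructed: what a healthy reply looks like (hop1.example.net is an assumed router).
SAMPLE_HEALTHY = """\
12:45:10.100000 IP (tos 0xc0, ttl 63, id 101, offset 0, flags [none], proto ICMP (1), length 56)
    hop1.example.net > sjc-vpn7-622.cisco.com: ICMP time exceeded in-transit, length 36
    IP (tos 0x0, ttl 1, id 202, offset 0, flags [none], proto TCP (6), length 40)
    sjc-vpn7-622.cisco.com.54762 > pc-in-f147.1e100.net.http: [|tcp]
"""

if __name__ == "__main__":
    for name, capture in (("tunnel up", SAMPLE_TUNNEL_UP), ("healthy", SAMPLE_HEALTHY)):
        for r in parse_time_exceeded(capture.splitlines()):
            verdict = "REWRITTEN (source == destination)" if r.rewritten else "ok"
            print(f"{name}: error from {r.icmp_src} for probe to {r.probe_dst}: {verdict}")
```

Run it against a live `tcpdump -vv icmp` capture saved to a file; any line flagged as rewritten means the path information a TCP traceroute relies on has been lost before it reached the host, which matches the symptom above.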