traceroute [ip]
Traces the route packets take from the Cisco ASA to a destination IP address, helping diagnose network path issues.
Overview
The traceroute command on Cisco ASA Firewall is a network diagnostic tool used to trace the path that IP packets take from the ASA to a specified destination IP address. It operates by sending packets with progressively increasing Time-To-Live (TTL) values, causing each router along the path to decrement the TTL and, when it reaches zero, send back an ICMP Time Exceeded message (Type 11, Code 0). The ASA records the source IP of these messages to identify each hop.

This command is essential for troubleshooting connectivity issues and for identifying routing loops, asymmetric routing, or points of high latency. On the ASA platform, traceroute uses UDP packets to high-numbered ports (33434-33534) by default, unlike Cisco IOS routers, which use ICMP echo requests. This difference matters because some firewalls block UDP or ICMP, which affects the results. The ASA also supports an ICMP-based traceroute via the 'traceroute icmp' command (not shown here).

Traceroute fits into troubleshooting workflows after ping has confirmed a reachability issue; it helps pinpoint where packets are dropped or delayed. It is commonly used when users report slow application performance or intermittent connectivity to external hosts. The command is available in Privileged EXEC mode and requires no special configuration. Output can be captured for analysis or compared with baseline measurements. Knowing how to interpret the output lets network engineers quickly isolate faults in complex topologies.
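The probing mechanism described above, stepped through offline as an added example (this is not code from the original page or from Cisco): a small Python model of a path in which every router decrements the TTL and the one at which it reaches zero answers with ICMP Time Exceeded (Type 11, Code 0), a router that filters ICMP produces the '*' entries discussed later on this page, and the destination, with nothing listening on a UDP port in the 33434 range, answers with ICMP Port Unreachable, which ends the trace. The addresses, the `Router` and `Host` classes and the `send_probe` and `traceroute` functions are all constructed for this example.

```python
"""Model of the hop-by-hop probing that traceroute performs.

Added example, not code from the original page or from Cisco. Routers and the
destination host are plain Python objects so the exchange can be traced offline.
All addresses are constructed documentation values.
"""
from dataclasses import dataclass, field

ICMP_TIME_EXCEEDED = (11, 0)  # Type 11, Code 0: TTL reached zero in transit
ICMP_PORT_UNREACH = (3, 3)    # Type 3, Code 3: nothing listens on the probe port
BASE_UDP_PORT = 33434         # first port of the range the ASA probes by default


@dataclass
class Router:
    ip: str
    filters_icmp: bool = False  # drops its own Time Exceeded replies silently


@dataclass
class Host:
    ip: str
    listening_udp: set = field(default_factory=set)  # UDP ports with a service


def send_probe(path, dest, ttl, dport):
    """Forward one UDP probe along the path.

    Returns (responder_ip, (icmp_type, icmp_code)), or None when nothing replies.
    """
    for router in path:
        ttl -= 1  # every router decrements TTL before forwarding
        if ttl == 0:
            if router.filters_icmp:
                return None  # traceroute will print '*' for this probe
            return router.ip, ICMP_TIME_EXCEEDED
    # TTL survived every router, so the probe is delivered to the destination
    if dport in dest.listening_udp:
        return None  # a real service would consume it; traceroute sees nothing
    return dest.ip, ICMP_PORT_UNREACH


def traceroute(path, dest, max_hops=30, probes=3):
    """Return [(hop_number, responder_ip_or_'*')], stopping once dest answers."""
    result = []
    port = BASE_UDP_PORT
    for ttl in range(1, max_hops + 1):
        replies = []
        for _ in range(probes):
            replies.append(send_probe(path, dest, ttl, port))
            port += 1  # classic traceroute uses a fresh port for each probe
        responder = next((r[0] for r in replies if r is not None), "*")
        result.append((ttl, responder))
        if any(r is not None and r[1] == ICMP_PORT_UNREACH for r in replies):
            break  # Port Unreachable means the probe reached the destination
    return result


# Constructed paths: the first reaches the destination in four hops, the second
# has two ICMP-filtering routers that show up as '*' although the path works.
CLEAN_PATH = [Router("10.0.0.1"), Router("192.168.1.1"), Router("203.0.113.1")]
FILTERED_PATH = [Router("10.0.0.1"),
                 Router("172.16.0.1", filters_icmp=True),
                 Router("172.16.0.2", filters_icmp=True)]

if __name__ == "__main__":
    for ttl, who in traceroute(CLEAN_PATH, Host("8.8.8.8")):
        print(ttl, who)
    for ttl, who in traceroute(FILTERED_PATH, Host("10.10.10.1")):
        print(ttl, who)
```

The `listening_udp` set exists to show why the probes target unused high ports: a host that actually had a service on the probe port would swallow the datagram and send no ICMP reply, so the trace would never register the destination and would run on to `max_hops`.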
When to Use This Command
- Verify connectivity and path to a remote host across a firewall.
- Identify where packet loss or high latency occurs in the network.
- Troubleshoot asymmetric routing or routing loops.
- Confirm that traffic is being forwarded through expected next-hop devices.
Parameters
| Parameter | Syntax | Description |
|---|---|---|
| ip | A.B.C.D | The destination IP address to trace. Must be a valid IPv4 address. The ASA will send probes to this address and display the path. |
Command Examples
Basic traceroute to an external host
traceroute 8.8.8.8

```
traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 40 byte packets
 1 10.0.0.1 (10.0.0.1) 1.234 ms 1.123 ms 1.098 ms
 2 192.168.1.1 (192.168.1.1) 2.345 ms 2.234 ms 2.123 ms
 3 203.0.113.1 (203.0.113.1) 5.678 ms 5.567 ms 5.456 ms
 4 8.8.8.8 (8.8.8.8) 10.123 ms 10.012 ms 9.901 ms
```
Each line shows a hop (router) along the path. The first column is the hop number, followed by IP address and hostname (if resolved). The three time values are round-trip times for three probes. The destination is reached in 4 hops.
Traceroute with timeout at a hop
traceroute 10.10.10.1

```
traceroute to 10.10.10.1 (10.10.10.1), 30 hops max, 40 byte packets
 1 10.0.0.1 (10.0.0.1) 1.000 ms 0.900 ms 1.100 ms
 2 * * *
 3 * * *
 4 10.10.10.1 (10.10.10.1) 20.000 ms 19.900 ms 20.100 ms
```
Asterisks indicate no response from hops 2 and 3, possibly because a firewall filters ICMP or because of a routing issue. The destination is still reachable, but the path contains silent hops.
Understanding the Output
The traceroute output displays each hop along the path to the destination. The first line shows the destination IP, maximum hops (default 30), and packet size (40 bytes). Each subsequent line represents a hop: hop number, IP address (and hostname if reverse DNS resolves), and three round-trip times in milliseconds for three probes. If a probe times out, an asterisk (*) is shown. A healthy path shows consistent low latency (e.g., <10 ms for LAN, <100 ms for WAN) and no asterisks. Problem indicators include high latency (spikes), timeouts (asterisks), or sudden jumps in latency suggesting congestion or routing issues. The command stops when the destination responds or after 30 hops. On ASA, traceroute uses UDP probes by default (unlike IOS which uses ICMP), but the output format is similar.
Configuration Scenarios
Troubleshooting connectivity to a remote server
A user reports being unable to reach a web server at 203.0.113.10. Ping from the ASA succeeds, but the application times out.
Topology
[ASA] --- [ISP Router] --- [Internet] --- [Web Server 203.0.113.10]

Steps
1. Enter Privileged EXEC mode: enable
2. Run traceroute to the server: traceroute 203.0.113.10
3. Analyze the output for high latency or timeouts.
! No configuration needed; command is run in exec mode.
Verify: Observe each hop's latency. If a hop shows asterisks, that router may be blocking ICMP. If latency spikes at a hop, investigate that link.
Watch out: The ASA may not receive ICMP Time Exceeded if intermediate routers filter ICMP, causing asterisks even if path is fine.
Troubleshooting with This Command
When using traceroute on Cisco ASA for troubleshooting, start by verifying basic connectivity with ping. If ping fails, traceroute can show where packets stop. Common issues include:

1. Asterisks at a hop: the router may not send ICMP Time Exceeded (common on firewalls), or the packet is dropped. Check whether the hop is a firewall that blocks ICMP.
2. High latency at a hop: indicates congestion or a slow link. Compare with a baseline.
3. Incomplete path: if traceroute stops before the destination, the last responding hop may be dropping packets. Check routing and ACLs on that device.
4. Asymmetric routing: traceroute shows different paths for forward and reverse traffic; this is normal but can cause issues if firewalls expect symmetric flows.

On ASA, note that the default UDP traceroute may be blocked by some networks; you can try 'traceroute icmp' if available. Also, the ASA itself may not respond to traceroute from outside due to the default ICMP inspection policy. To allow responses, configure 'icmp permit any echo-reply outside' or similar. Always run traceroute from multiple sources to isolate issues. Use 'show route' to verify the routing table on the ASA. If traceroute shows a loop (the same IP repeated), there is a routing loop. In summary, traceroute is a powerful tool when combined with ping and route verification.
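A way to apply the checks from this section and from "Understanding the Output" mechanically, as an added example that is not part of the original page or of Cisco's software: a Python parser for the ASA output format shown above that reports timeouts, partial probe loss, latency jumps between consecutive responding hops, repeated addresses (routing loops) and traces that end short of the destination. The regular expressions, the `analyze` function, the 50 ms jump threshold and both sample outputs are constructed for this example.

```python
"""Parser and checker for ASA-style traceroute output.

Added example, not code from the original page or from Cisco. It reads the
text format described on this page (a header line, then one line per hop with
a name, an address in parentheses and three probe times or '*') and flags the
problem signs the troubleshooting section lists. Samples and the 50 ms jump
threshold are constructed for this example.
"""
import re

HEADER_RE = re.compile(
    r"^traceroute to (\S+) \((\d{1,3}(?:\.\d{1,3}){3})\), (\d+) hops max"
)
# hop number, optional "name (a.b.c.d)", then the probe results
HOP_RE = re.compile(
    r"^\s*(\d+)\s+(?:(\S+)\s+\((\d{1,3}(?:\.\d{1,3}){3})\)\s*)?(.*)$"
)
PROBE_RE = re.compile(r"\*|[\d.]+\s*ms")


def parse_hop(line):
    """Return {'hop', 'ip', 'rtts'} for one hop line, or None if it is not one.

    rtts holds one float (milliseconds) per probe, or None for a '*' timeout.
    """
    m = HOP_RE.match(line)
    if not m:
        return None
    rtts = [None if tok == "*" else float(tok.split()[0])
            for tok in PROBE_RE.findall(m.group(4))]
    return {"hop": int(m.group(1)), "ip": m.group(3), "rtts": rtts}


def analyze(text, latency_jump_ms=50.0):
    """Return the destination, whether it was reached, and a list of findings.

    Each finding is a tuple (hop_number, code, explanation).
    """
    lines = text.strip().splitlines()
    header = HEADER_RE.match(lines[0])
    if header is None:
        raise ValueError("first line is not a traceroute header")
    dest_ip = header.group(2)
    hops = [h for h in map(parse_hop, lines[1:]) if h is not None]

    findings = []
    first_seen = {}  # ip -> hop number at which it first answered
    prev_avg = None  # average RTT of the last hop that answered
    for h in hops:
        answered = [r for r in h["rtts"] if r is not None]
        if not answered:
            findings.append((h["hop"], "timeout",
                             "no reply from any probe; the hop may filter ICMP rather than be down"))
            continue
        if len(answered) < len(h["rtts"]):
            findings.append((h["hop"], "partial-loss",
                             f"{len(h['rtts']) - len(answered)} of {len(h['rtts'])} probes unanswered"))
        avg = sum(answered) / len(answered)
        if prev_avg is not None and avg - prev_avg > latency_jump_ms:
            findings.append((h["hop"], "latency-jump",
                             f"average RTT rose from {prev_avg:.1f} ms to {avg:.1f} ms"))
        if h["ip"] in first_seen:
            findings.append((h["hop"], "loop",
                             f"{h['ip']} already answered at hop {first_seen[h['ip']]}"))
        first_seen.setdefault(h["ip"], h["hop"])
        prev_avg = avg

    reached = bool(hops) and hops[-1]["ip"] == dest_ip
    if not reached and hops:
        findings.append((hops[-1]["hop"], "incomplete",
                         f"trace ended at hop {hops[-1]['hop']} without reaching {dest_ip}"))
    return {"destination": dest_ip, "reached": reached, "findings": findings}


# Constructed samples; the first mirrors the timeout example shown earlier on this page
TIMEOUT_SAMPLE = """\
traceroute to 10.10.10.1 (10.10.10.1), 30 hops max, 40 byte packets
 1 10.0.0.1 (10.0.0.1) 1.000 ms 0.900 ms 1.100 ms
 2 * * *
 3 * * *
 4 10.10.10.1 (10.10.10.1) 20.000 ms 19.900 ms 20.100 ms
"""
LOOP_SAMPLE = """\
traceroute to 198.51.100.9 (198.51.100.9), 30 hops max, 40 byte packets
 1 10.0.0.1 (10.0.0.1) 1.000 ms 1.000 ms 1.000 ms
 2 10.0.0.2 (10.0.0.2) 2.000 ms 2.000 ms 2.000 ms
 3 10.0.0.1 (10.0.0.1) 3.000 ms 3.000 ms 3.000 ms
 4 10.0.0.2 (10.0.0.2) 4.000 ms 4.000 ms 4.000 ms
"""

if __name__ == "__main__":
    for sample in (TIMEOUT_SAMPLE, LOOP_SAMPLE):
        report = analyze(sample)
        print(report["destination"], "reached" if report["reached"] else "NOT reached")
        for hop, code, why in report["findings"]:
            print(f"  hop {hop}: {code}: {why}")
```

The latency comparison deliberately skips timed-out hops, so a filtered hop in the middle of a path does not hide a jump that occurs at the next responding hop; a timeout is reported on its own, consistent with the caution above that asterisks are evidence of ICMP filtering at least as often as of a broken path.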
CCNA Exam Tips
- Remember that ASA traceroute uses UDP by default, not ICMP like IOS.
- Know that asterisks may indicate a firewall blocking ICMP Time Exceeded messages, not necessarily a broken path.
- Be able to interpret latency values: consistently low ms is healthy; high or variable ms suggests congestion or a poor link.
Common Mistakes
- Assuming asterisks always mean a broken path; they can be due to ICMP filtering.
- Forgetting that the ASA may not respond to traceroute from outside due to default ICMP inspection.
- Confusing traceroute with ping; traceroute shows the path, ping only reachability.
Platform Notes
On Cisco ASA, the traceroute command differs from Cisco IOS in several ways. ASA uses UDP probes by default (destination port 33434+), while IOS uses ICMP echo requests. This means that on ASA, the command 'traceroute' sends UDP packets, and the response is ICMP Time Exceeded from intermediate routers. Some networks may block UDP or ICMP, affecting results. ASA also supports 'traceroute icmp' to use ICMP echo requests like IOS. The output format is similar, but ASA does not display hostnames by default unless DNS is configured. In terms of version differences, ASA 9.x and later support the same syntax.

Equivalent commands on other platforms: on Linux, 'traceroute -I' for ICMP or 'traceroute -U' for UDP; on Windows, 'tracert' uses ICMP. On routers, 'traceroute' is standard.

For ASA, the command is available in Privileged EXEC mode and does not require configuration. Note that the ASA's control plane may rate-limit ICMP, so traceroute responses may be delayed. Also, the ASA itself can be a target of traceroute; it will respond with ICMP Time Exceeded if TTL expires, but only if ICMP inspection is enabled. By default, the ASA allows ICMP traffic that is part of an existing connection, but for traceroute responses, you may need to configure ICMP rules.