Re: (HELP!) tracert problems
- From: "Ace Fekay [MCT]" <aceman@xxxxxxxxxxxxxxxxxxxxxxx>
- Date: Fri, 17 Jul 2009 01:15:38 -0400
"bernie sprouster" <mike.cutts@xxxxxxxxxxxxx> wrote in message news:883033cb-ea66-4447-894e-df820e03e9d2@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Hi,
I have a problem with tracert displaying differing results depending
on the network it is running it from. The problem is as follows:
We have deployed an RDP system to a client (over the web via L2TP/
IPSec) which seems to drop the connection every so often. We have no
problems from our network and the connection at the client site is
part of a corporate net connection, which has had no issues regarding
connectivity. The length of time between the connection drop seems to
differ, as does the time it takes to reconnect.
I have a firewall in place in front of the server serving the RDP
solution (Cisco ASA model) which has echo requests enabled to it. If I
tracert to it from one network I get a response similar to the
following:
1 <1 ms <1 ms <1 ms 192.x.x.x
2 1 ms <1 ms <1 ms 213.x.x.x
3 26 ms 26 ms 25 ms 85.x.x.x
4 26 ms 26 ms 26 ms 85.x.x.x
5 32 ms 32 ms 35 ms 195..x.x.x
6 34 ms 35 ms 35 ms 83.x.x.x
7 65 ms 50 ms 45 ms 83.x.x.x
Hop 7 in the above trace is the final IP address which resolves
correctly. If a tracert is performed on the client's site, we get a
response as follows which is exactly the same each time:
1 <1 ms 2 ms <1 ms 194.x.x.x
2 <1 ms <1 ms <1 ms 192.x.x.x
3 1 ms 1 ms 1 ms 10.x.x.x
4 1 ms 1 ms 1 ms 172.x.x.x
5 1 ms 1 ms <1 ms 172.x.x.x
6 1 ms 1 ms 1 ms 81.x.x.x
7 2 ms 2 ms 2 ms 81.x.x.x
8 3 ms 2 ms 2 ms 81.x.x.x
9 2 ms 2 ms 2 ms 81.x.x.x
10 5 ms 3 ms 3 ms 81.x.x.x
11 3 ms 2 ms 2 ms 172.x.x.x
12 3 ms 3 ms 2 ms 83.x.x.x
13 * * * Request timed out.
14 * * * Request timed out.
15 * * * Request timed out.
16 * * * Request timed out.
17 * * * Request timed out.
18 * * * Request timed out.
19 * * * Request timed out.
20 * * * Request timed out.
21 * * * Request timed out.
22 * * * Request timed out.
23 * * * Request timed out.
24 * * * Request timed out.
25 14 ms 13 ms 14 ms 83.x.x.x
Both Hop 12 and hop 25 are the final IP address, but I can't see any
reason why there are 12 timed out hops in between.
We then took the step of disabling all echo requests on the firewall
and trying the tracert again from both sites. The one from my
(working) site behaves as I would expect, in that it stops at hop 6
and any further hops timeout.
However, a further tracert from the failing site times out after hop
12, suggesting it has received a response from the final IP address.
The 2 things which are puzzling me are 1) why is it getting a response
from a firewall which has had all echo requests disabled on it and 2)
why is the response time in hop 12 of the failing site so quick, when
it has to travel the internet (supposedly) before it receives a
response. The minimum amount of time I've seen from our (working)
network for the last hop is around 30ms, which is way above the 3 ms
it took at the failing site.
Any suggestions on this one would be most welcome.
Thanks.
For tracerts to work for the response to come back through a PIX or ASA, it has to be explitly allowed.
For Pix 5 or newer:
access-group 101 in interface outside
access-list 101 permit icmp any host 209.165.200.246 unreachable
access-list 101 permit icmp any host 209.165.200.246 time-exceeded
access-list 101 permit icmp any host 209.165.200.246 echo-reply
More info:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00800e9312.shtml#topic1a
Also, if you are trying to tracert from an external source through a Pix to an internal resource, such as web server, a Pix does not support the traceroute command. When a traceroute is issued from the outside, the PIX does not display its own interface IP address nor does it display the IP addresses of the inside networks. The destination address is displayed multiple times for each internal hop.
In PIX version 6.3 and later, this behavior can be undone if the fixup protocol icmp error command is issued. When this feature is enabled, the PIX creates xlates for intermediate hops that send Internet Control Message Protocol (ICMP) error messages, based on the static NAT configuration. The PIX overwrites the packet with the translated IP addresses.
More info:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml#trace
This applies to Pix and the ASA.
--
Ace
This posting is provided "AS-IS" with no warranties or guarantees and confers no rights.
Please reply back to the newsgroup or forum to benefit from collaboration among responding engineers, and to help others benefit from your resolution.
Ace Fekay, MCT, MCSE, MCSA 2003 & 2000, MCSA Messaging
Microsoft Certified Trainer
aceman@xxxxxxxxxxxxxxxxxxxxxxx
http://twitter.com/acefekay
For urgent issues, you may want to contact Microsoft PSS directly. Please check http://support.microsoft.com for regional support phone numbers.
.
- Follow-Ups:
- Re: (HELP!) tracert problems
- From: bernie sprouster
- Re: (HELP!) tracert problems
- References:
- (HELP!) tracert problems
- From: bernie sprouster
- (HELP!) tracert problems
- Prev by Date: Re: setting up remote dc that will access main SBS server via VPN
- Next by Date: Re: Routing Table Issue
- Previous by thread: (HELP!) tracert problems
- Next by thread: Re: (HELP!) tracert problems
- Index(es):
Relevant Pages
|
