Ping Alternative !!

Unanswered Question
Mar 6th, 2008

Hi all, in our scenario the ISP has blocked ICMP on our WAN IPs (private IPs given to the router interface to connect to the ISP network) like 192.168.1.1/30 etc. When we want to troubleshoot a GRE tunnel we try to ping the destination IP but it doesn't respond, so we are not clear whether it is due to blocked ICMP or another networking issue. Is there any other type of trace that we can use to see whether that IP is alive or not, even when ICMP is blocked?



milan.kulik Fri, 03/07/2008 - 02:17

Hi,


If you try traceroute to a destination address which should be routed through the tunnel, don't you see the router interface replying?


BR,

Milan

Goutam Sanyal Fri, 03/07/2008 - 02:38

Hi Milan,


It's not clear to me!!! Please come back with details.


As per my knowledge, "traceroute" also uses ICMP requests, which are blocked by the ISP.


Thanks

Goutam




illusion_rox Fri, 03/07/2008 - 02:41

Hi Milan, he is right, traceroute will not work since ICMP is blocked, so is there any other way?

marikakis Fri, 03/07/2008 - 02:53

Hello,


When I saw your question I considered writing some code about a TCP-based traceroute. Then I thought this would probably have already been done and it seems so. You could try the Layer4 LFT traceroute. It is supposed to manage to get through some firewalls. Cannot try it now. I will try it later. Please tell us if this works for you.


http://www.askapache.com/tools/lft-traceroute-tool.html

http://pwhois.org/lft/


Kind Regards,

M.
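
Added example, not part of the original thread or of the LFT tool: a TCP-connect liveness check for the situation discussed here, where a refused connection (RST) is still proof that the remote address answered. The function names are hypothetical and the ports to probe are the caller's choice; the demo uses constructed listeners on 127.0.0.1.

```python
import errno
import socket


def tcp_probe(host, port, timeout=2.0):
    """Classify one TCP connect attempt to host:port.

    open        - handshake completed: host is up and the port is listening
    closed      - RST came back: nothing listens there, but the address answered
    filtered    - no reply before the timeout: inconclusive (host down, or the
                  packets are dropped somewhere on the path)
    unreachable - the local stack or a router reported no route to the host
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except socket.timeout:
        return "filtered"
    except OSError as e:
        if e.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "unreachable"
        raise
    finally:
        s.close()


def host_alive(host, ports, timeout=2.0):
    """Probe several ports; any 'open' or 'closed' result means the host replied."""
    results = {p: tcp_probe(host, p, timeout) for p in ports}
    alive = any(r in ("open", "closed") for r in results.values())
    return alive, results


if __name__ == "__main__":
    # Constructed demo: one listening port and one free (closed) port on loopback.
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    tmp = socket.socket()
    tmp.bind(("127.0.0.1", 0))
    closed_port = tmp.getsockname()[1]
    tmp.close()
    print(host_alive("127.0.0.1", (srv.getsockname()[1], closed_port)))
    srv.close()
```

If every port comes back "filtered", the result says nothing either way: the host may be down or a filter on the path may be dropping TCP as well.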

Goutam Sanyal Fri, 03/07/2008 - 02:53

Hi,


I don't know the exact solution. But I can suggest that you put an official request to your ISP to allow ICMP traffic for your network IP range, for maintaining the network infrastructure and also for monitoring purposes. If it is P2P then the ISP is not in the picture; or, if it is MPLS or FR, some ISPs sometimes put ICMP traffic at a lower priority.


Hope I am informative and best of luck.


Thanks

Goutam


***Use rating sys***


milan.kulik Fri, 03/07/2008 - 02:48

Hi Goutam,


What's blocked exactly?

a) A ping to the router WAN interface?

b) Any ICMP traffic from the router WAN interface?


If only a), trace from a Cisco router might help (using UDP by Cisco implementation).


If b), you are in real trouble.

One stupid question: wouldn't it be possible to use the LAN interface as the tunnel end?


BR,

Milan



Goutam Sanyal Fri, 03/07/2008 - 03:23

Hi Milan,


Let me share something with you.


We are using some VSAT connection for our enterprise network. But at the beginning, at the time of installation, the ISP did not allow any ICMP traffic to their network. As a result, from our router we were not able to ping our remote end. After we put a request to them, they allowed that traffic, with a very poor response, to know the aliveness of the remote site.


Now if "a", how can I trace the remote site, whether it is alive or not? And "b", no idea.


Marikakis has suggested that link, which is useful, but if my ISP stops passing ICMP requests through their network, how can I know that my remote site is alive with the help of CISCO IOS?


Any suggestion?


Thanks

Goutam


milan.kulik Fri, 03/07/2008 - 05:53

Hi Goutam,


As Kevin said, the ISP can hide its infrastructure from you by blocking TTL expired messages.


What devices do you have available if "the help of CISCO IOS" is required?

Your routers behind the ISP ones?

The original question mentioned some GRE tunnels, is it your problem, too?


BR,

Milan




Kevin Dorrell Fri, 03/07/2008 - 03:14

Traceroute behaves differently depending on the system you are tracing from. If you trace from a router, it is in fact a UDP packet, and you can even choose which port it uses. Here is some research I did on the subject:


http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Network%20Infrastructure&topic=WAN%2C%20Routing%20and%20Switching&CommCmd=MB%3Fcmd%3Dpass_through%26location%3Doutline%40%5E1%40%40.2cbe961e


What you can find, however, is that the ISP may not send you "TTL expired" messages. That makes the trace less useful.


Kevin Dorrell

Luxembourg

