Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
637
Views
6
Helpful
11
Replies

traceroute issue

lukaszkhalil
Level 1
Level 1

‎05-08-2008 11:24 AM - edited ‎03-05-2019 10:51 PM

Hello

In our network, when we do a traceroute the last hop appears 2 time, instead of one.

Does anybody know what might be a reason for such traceroute behavior?

Thanks in advance for your answers

Labels:
0 Helpful
11 Replies 11

lamav
Level 8
Level 8

‎05-08-2008 11:36 AM

You know, I ve seen that before, but have never been able to pinpoint the reason. I think that the reason that happens is that your trace has run into a security appliance and the repetitive hops are being sent to mask the actual hops.

Again, dont quote me and dont say "thanks for the great info," because I am not sure. But this is my take on it.

Thanks

Victor

0 Helpful

Richard Burts
Hall of Fame
Hall of Fame
In response to lamav

‎05-08-2008 11:57 AM

Lukasz

I am not quite clear when you say that the last hop appears twice whether you mean something like this:

traceroute 10.26.67.226

Type escape sequence to abort.

Tracing the route to 10.26.67.226

1 10.26.68.1 24 msec 24 msec 28 msec

2 10.26.67.226 44 msec * 48 msec

where there are 2 response times reported or whether you mean something else.

If this is what you mean then I believe that the explanation is that the router to which you are doing the traceroute is rate limiting its responses, so that it responds to the first probe, rate limits its response to the second probe, and responds to the third probe.

If you meant something different then perhaps you can post an example of what you are talking about.

HTH

Rick

HTH

Rick
0 Helpful

lamav
Level 8
Level 8
In response to Richard Burts

‎05-08-2008 12:18 PM

Rick:

I took it to mean that the last hop (the entire line) appears twice (sometimes more) when doing the trace.

Example (last hop):

10.26.68.1 24 msec 24 msec 28 msec

10.26.68.1 24 msec 24 msec 28 msec

10.26.68.1 24 msec 24 msec 28 msec

Thats happened to me, so thats how I interpreted his problem.

Victor

0 Helpful

Richard Burts
Hall of Fame
Hall of Fame
In response to lamav

‎05-08-2008 08:42 PM

Victor

I can think of 2 logical explanations for the situation that you describe.

1) when the traceroute reaches the destination, the destination station should respond with some response other than the time exceeded (if it is a Cisco/Unix traceroute using UDP packets it should respond with port unreachable and if it is a Windows traceroute using echo request it should respond with echo response). As long as the sending station receives time exceeded messages (or some other response which is not interpreted as being the destination) it should continue to increment the TTL and send probes again. So your situation could be caused if the destintion is not sending the expected response.

2) there could be some firewall (or similar device) which is intercepting the probe packets and sending some response such as time exceeded.

It would be interesting to know what situation Lukasz has been dealing with.

HTH

Rick

HTH

Rick
0 Helpful

lukaszkhalil
Level 1
Level 1
In response to Richard Burts

‎05-15-2008 05:03 AM

Hello

Sorry I was on holidays.

It does not meter which server we are trying to trace. Every time we received two answers as the last hop. We try a trace from a PC and from a Cisco router but every time the result is the same.

We have a L2 FW on the road of the packets between the station that is doing ping and the final server.

When I have tried to do the trace on the path that do not pass the L2 FW the last hop appears only once.

I have attached the general diagram of the network. I am doing a trace from the PC to the SRV.

Regards

Lukasz

Preview file
11 KB
0 Helpful

Richard Burts
Hall of Fame
Hall of Fame
In response to lukaszkhalil

‎05-15-2008 07:12 AM

Lukasz

I have looked at the diagram that you posted and it helps a bit to understand the situation. It would be even more helpful if you would post the output from the trace.

Also from the diagram it looks like the router that is connected to the PC would have 2 paths (2 routes) to the subnet where the server is located. If that router were doing per packet load sharing it might explain the symptoms that you describe. Would you post the config of the router to which the PX is connected?

HTH

Rick

HTH

Rick
0 Helpful

lukaszkhalil
Level 1
Level 1
In response to Richard Burts

‎05-15-2008 10:51 PM

Hello

It is true that the router with PC 2 (router X) has two redundant paths to the same destination. It is using CEF with the default per-destination load-balancing.

Unfortunately I cannot post the config.

The output looks quite simple

RouterX#traceroute 192.168.0.1

Type escape sequence to abort.

Tracing the route to 192.168.0.1

1 192.168.0.1 0 msec 0 msec 0 msec

2 192.168.0.1 4 msec 0 msec 0 msec

0 Helpful

Richard Burts
Hall of Fame
Hall of Fame
In response to lukaszkhalil

‎05-16-2008 06:28 AM

Lukasz

Given the limited amount of information we do not know for sure. But at this point I would agree with Victor that it is most likely that the firewall is the one that is generating the responses and is responsible for the multiple entries with the same address.

HTH

Rick

HTH

Rick
0 Helpful

noran01
Level 3
Level 3

‎05-08-2008 11:59 AM

Either some of your packets occasionally find a path with a shorter hop-count so that the destination is reached earlier than expected with the TTL discovery mechanism, or the last hop is a firewall that is spoofing the TTL Exceeded returns.

lukaszkhalil
Level 1
Level 1
In response to noran01

‎05-26-2008 12:02 PM

Hello

We have found out that we were missing the fixup for icmp errors on our FW.

After we configure it the trace looks correctly.

Thanks

Lucas

Richard Burts
Hall of Fame
Hall of Fame
In response to lukaszkhalil

‎05-26-2008 02:47 PM

Lucas

Thank you for posting back to the forum and indicating that the problem was solved and what the solution of the problem was. I am glad that Victor and I correctly suspected that it was a firewall issue. It makes the forum more useful when people can read about a problem and can read what resolved the problem.

The forum is an excellent place to learn about Cisco networking. I encourage you to continue your participation in the forum.

HTH

Rick

HTH

Rick
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card