I have 2 servers behind a CSS; one is Windows and the other is Solaris. Both of them give the same service through the same content, and both are in the same source-nat-group. Both servers need to do traceroute to the internet. The Windows one sends traceroute using ICMP and the Solaris one uses UDP. I can do traceroute from the Windows box using ICMP through the CSS, but I can't do traceroute from the Solaris box using UDP.
I have found this info:
Traceroute is not quite so straightforward. Different platforms perform traceroute in different manners (UDP, ICMP, and so on), and it is not the port number alone which signifies that something is a traceroute packet.
The CSS does not set up flows for ICMP packets at all. The check for a traceroute packet says to not set up a flow if the following conditions exist:
1. Protocol is UDP.
2. The source port is less than 32769.
3. The destination port is less than 33434.
4. The UDP data length is less than 20.
5. There is a 1-byte sequence number in the UDP portion.
6. There is a 1-byte original TTL.
If all these conditions are true, you will not set up a flow for this packet.
But even though ICMP doesn't set up a flow, the traceroute works fine; it doesn't work if traceroute uses UDP, as on Solaris.
Ping to the internet works fine from both servers.
I will appreciate some help...
Are you using a source group for the Solaris server?
If yes, can you try making the Solaris box routable by removing it from the group and see if it works?
It's been a while for me with CSS (and I don't have access to a CSS box to test it), but if memory serves me right there is some issue with the UDP trace-route and source-group combination.
The reason is that the destination unreachables sent from intermediate hosts are dropped by the CSS, as it's expecting them from the final destination only.
Syed Iftekhar Ahmed