09-02-2008 05:24 AM - edited 03-06-2019 01:07 AM
In a data center environment with three security zones, tracing from an appserver in the middle zone to a db server in the inner zone (through an FWSM) gives results like:
From appserverA
Tracing route to dbserver-42 [10.17.120.32]
over a maximum of 30 hops:
1 <1 ms <1 ms <1 ms 172.31.60.1
2 <1 ms <1 ms <1 ms dbserver-42 [10.17.120.32]
3 <1 ms <1 ms <1 ms dbserver-42 [10.17.120.32]
4 3 ms 3 ms 3 ms dbserver-42 [10.17.120.32]
5 5 ms 3 ms 3 ms dbserver-42 [10.17.120.32]
6 3 ms 3 ms 3 ms dbserver-42 [10.17.120.32]
Trace complete.
The IP config and route tables on both boxes look OK. Tracing from a different appserver to a different dbserver:
From appserverB
Tracing route to dbserver-41.domain.net [10.25.60.41]
over a maximum of 30 hops:
1 <1 ms <1 ms <1 ms 172.31.60.1
2 <1 ms <1 ms <1 ms dbserver-41.domain.net [10.25.60.41]
3 <1 ms <1 ms <1 ms dbserver-41.domain.net [10.25.60.41]
4 <1 ms <1 ms <1 ms dbserver-41.domain.net [10.25.60.41]
5 <1 ms <1 ms <1 ms dbserver-41.domain.net [10.25.60.41]
Trace complete.
---
Any idea what might cause this, and whether it could be impacting performance of the tcp database connections between these servers?
Thanks!
Paul
09-02-2008 05:47 AM
Hi, this is happening because of ASA/PIX behaviour, which must be in between the dbserver & the host from where you are executing the traceroute.
The PIX does not support the traceroute command. When a traceroute is issued from the outside, the PIX does not display its own interface IP address, nor does it display the IP addresses of the inside networks. The destination address is displayed multiple times for each internal hop.
When NAT is enabled in PIX 7.0, the IP addresses of the PIX interfaces and the real IP addresses of the intermediate hops cannot be seen. However, in PIX 7.0, NAT is not essential and can be disabled with the no nat-control command. If the NAT rule is removed, the real IP address can be seen if it is a routeable one.
HTH..rate if helpful
09-02-2008 05:53 AM
To make the ASA/PIX show up as a hop in tracert you need to apply "set connection decrement-ttl" in "global_policy" in "default_class".
Apart from the above, you need to allow ICMP type 11 (time-exceeded) on the outside interface of the PIX/ASA.
HTH..rate if helpful..
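The two changes in the reply above, written out as an ASA/PIX 7.x-style configuration fragment. This is an added example, not configuration from the thread or from Cisco; it assumes the default service policy is named global_policy (the built-in class is class-default, which is what the reply calls "default_class"), that the interface facing the appservers is named outside, and that the ACL name OUTSIDE_IN is free (append the permits to your existing ACL if one is already bound).

```text
! 1. Decrement the TTL of transit packets. A probe whose TTL expires now
!    dies at the firewall, which answers with ICMP time-exceeded and so
!    appears as its own hop instead of repeating the destination address.
policy-map global_policy
 class class-default
  set connection decrement-ttl

! 2. Allow the firewall to send ICMP error messages back toward the
!    tracer, rate-limited so the feature cannot be used to flood.
icmp unreachable rate-limit 1 burst-size 1

! 3. Permit only the ICMP error types a traceroute depends on to enter
!    the outside interface; everything else still hits the implicit deny.
access-list OUTSIDE_IN extended permit icmp any any time-exceeded
access-list OUTSIDE_IN extended permit icmp any any unreachable
access-group OUTSIDE_IN in interface outside
```

Echo replies from the dbserver already reach the appserver in the thread, so only the error types are added here; if echo traffic is blocked on your box, enable ICMP inspection in global_policy or permit echo-reply the same way.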
09-02-2008 06:04 AM
Thank you Satish for the very quick and helpful responses. Good to know this is "normal."