Tracert Timeouts

Answered Question
Aug 24th, 2009

Hi all,

Can you help me determine why I am getting timeouts on my tracert tests. Essentially I get a response from my gateway, and the next hop after (edge router, but then I get nothing after that. The next hope would be a router administrated by our umbrella organization - but here is the unsual part, I eventually do receive the last or destination hop back.

So a tracert to yahoo looks like this:

1 <1 ms <1 ms <1 ms 10.4.4.2

2 * * * Request timed out.

3 * * * Request timed out.

4 * * * Request timed out.

5 * * * Request timed out.

6 * * * Request timed out.

7 * * * Request timed out.

8 * * * Request timed out.

9 * * * Request timed out.

10 * * * Request timed out.

11 * * * Request timed out.

12 * * * Request timed out.

13 * * * Request timed out.

14 22 ms 20 ms 21 ms 69.147.76.15

A tracert to my Edge Router looks like this:

C:\Documents and Settings\deckard>tracert 164.106.71.1

Tracing route to 164.106.71.1 over a maximum of 30 hops

1 <1 ms <1 ms <1 ms 10.4.4.2

2 1 ms 1 ms 1 ms 153.109.69.1

Trace complete.

A tracert to the next hop router (admined by our umbrella organization) looks like this:

C:\Documents and Settings\deckard>tracert 153.109.1.1

Tracing route to ns1.cc.va.us [153.109.1.1]

over a maximum of 30 hops:

1 <1 ms 1 ms <1 ms 10.4.4.2

2 * * * Request timed out.

3 * * * Request timed out.

4 * * * Request timed out.

5 13 ms 12 ms 13 ms blah.blah.blah [153.109.1.1]

Trace complete.

Am I correct in saying that the return traffic is being blocked by our parent company (153.109.1.1)?

I have this problem too.
0 votes
Correct Answer by Joe Clarke about 7 years 3 months ago

Tracert works using ICMP. It sends an ICMP echo request with a low TTL number to find each hope along the path. Intermediate hops should reply with an ICMP time exceeded message where as the final destination should reply with an ICMP echo reply. It could be that the intermediate gateways are not sending back or blocking the time exceeded message (type 11, code 0), but allowing echo reply (type 0, code 0).

A lot of firewalls allow time exceeded in, but do not permit it out.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Loading.
Correct Answer
Joe Clarke Mon, 08/24/2009 - 07:21

Tracert works using ICMP. It sends an ICMP echo request with a low TTL number to find each hope along the path. Intermediate hops should reply with an ICMP time exceeded message where as the final destination should reply with an ICMP echo reply. It could be that the intermediate gateways are not sending back or blocking the time exceeded message (type 11, code 0), but allowing echo reply (type 0, code 0).

A lot of firewalls allow time exceeded in, but do not permit it out.

oneirishpollack Mon, 08/24/2009 - 07:31

Thanks for your help. I shamefully admit that I was blocking the Time Exceeded packets from coming into my network.

Problem solved.

Are there any major DOS attacks I expose myself to by leaving it open?

Thanks, again.

Joe Clarke Mon, 08/24/2009 - 07:35

I allow type 11 in (in addition to types 0, 3, and 4). This message is typically safe.

Actions

This Discussion