traceroute

Jan 4th, 2010

Hi,

I was asked why one hop doesn't show in the traceroute from Server1. Hop #2 is supposed to show 192.168.2.1. Can you share the explanation with me?

Server1
C:\>tracert -d 192.168.6.1

Tracing route to 192.168.6.1 over a maximum of 30 hops

1     3 ms     1 ms     2 ms    172.16.1.1
2     1 ms     2 ms     1 ms    192.168.3.1
3     53 ms    48 ms    50 ms   192.168.4.1
4     50 ms    69 ms    51 ms   192.168.5.1
5     50 ms    57 ms    50 ms   192.168.6.1


Server2
C:\>tracert -d 192.168.6.1

Tracing route to 192.168.6.1 over a maximum of 30 hops

1     3 ms     2 ms     3 ms    10.1.1.1
2     3 ms     5 ms     2 ms    172.17.1.1
3     2 ms     2 ms     3 ms    192.168.2.1
4     2 ms     3 ms     3 ms    192.168.3.1
5     53 ms    48 ms    50 ms   192.168.4.1
6     50 ms    69 ms    51 ms   192.168.5.1
7     50 ms    57 ms    50 ms   192.168.6.1

Server3
C:\>tracert -d 192.168.6.254

Tracing route to 192.168.6.254 over a maximum of 30 hops

1     3 ms     2 ms     3 ms    10.1.1.1
2     3 ms     5 ms     2 ms    172.17.1.1
3     2 ms     2 ms     3 ms    192.168.2.1
4     2 ms     3 ms     3 ms    192.168.3.1
5     53 ms    48 ms    50 ms   192.168.4.1
6     50 ms    69 ms    51 ms   192.168.5.1
7     50 ms    57 ms    50 ms   192.168.6.254

Update: 172.16.1.1 and 172.17.1.1 are Cisco firewalls, while 192.168.2.1 is a Juniper firewall.

TIA

Dandy

danrya Mon, 01/04/2010 - 22:19

Is the Juniper configured as a routed hop, or as a layer 2 (transparent) firewall? If it's transparent, it wouldn't show.

Dan

Danilo Dy Wed, 01/06/2010 - 04:17

Nope. The Juniper is not configured as a transparent hop, as it is able to respond to Server 2 and Server 3 as hop 3.

Update: 172.16.1.1 and 172.17.1.1 are 2 security segments from the same Cisco ASA Firewall 8.0(3).

Jon Marshall Wed, 01/06/2010 - 05:15

Dandy

Don't know the answer, but to start narrowing it down:

1) Are the servers running the same OS?

2) Is there any way you can get to 192.168.3.1 from Server1 without going through 192.168.2.1?

Jon

Danilo Dy Wed, 01/06/2010 - 07:14

Hi Jon,

Thanks.

I will enquire about your query. I have the diagram; I will post a lab version of it here tomorrow.

I will also enquire what the first hop for Server 2 (10.1.1.1) is, as they say that 172.17.1.1 is the same firewall as 172.16.1.1 (different interface).

I was trying to simulate the traceroute from my lab and can't get the same result.
- I tried simulating using STATIC NAT with an assigned IP and the OUTSIDE interface IP, no luck.
- At first I thought it could be related to this http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml but this article is referring to the internal behaviour of the ASA. The behaviour that was shared with me is external to the ASA firewall.

It's an interesting behaviour, and I want to find out what causes it.

Btw, the ASA firewall is using 8.0(3) firmware and is set up as Active/Standby.

Best wishes,
Dandy
