New Member

Tracert Timeouts

Hi all,

Can you help me determine why I am getting timeouts on my tracert tests? Essentially I get a response from my gateway, and the next hop after (edge router), but then I get nothing after that. The next hop would be a router administrated by our umbrella organization - but here is the unusual part, I eventually do receive the last or destination hop back.

So a tracert to yahoo looks like this:

1 <1 ms <1 ms <1 ms 10.4.4.2

2 * * * Request timed out.

3 * * * Request timed out.

4 * * * Request timed out.

5 * * * Request timed out.

6 * * * Request timed out.

7 * * * Request timed out.

8 * * * Request timed out.

9 * * * Request timed out.

10 * * * Request timed out.

11 * * * Request timed out.

12 * * * Request timed out.

13 * * * Request timed out.

14 22 ms 20 ms 21 ms 69.147.76.15

A tracert to my Edge Router looks like this:

C:\Documents and Settings\deckard>tracert 164.106.71.1

Tracing route to 164.106.71.1 over a maximum of 30 hops

1 <1 ms <1 ms <1 ms 10.4.4.2

2 1 ms 1 ms 1 ms 153.109.69.1

Trace complete.

A tracert to the next hop router (administered by our umbrella organization) looks like this:

C:\Documents and Settings\deckard>tracert 153.109.1.1

Tracing route to ns1.cc.va.us [153.109.1.1]

over a maximum of 30 hops:

1 <1 ms 1 ms <1 ms 10.4.4.2

2 * * * Request timed out.

3 * * * Request timed out.

4 * * * Request timed out.

5 13 ms 12 ms 13 ms blah.blah.blah [153.109.1.1]

Trace complete.

Am I correct in saying that the return traffic is being blocked by our parent company (153.109.1.1)?

1 ACCEPTED SOLUTION

Cisco Employee

Re: Tracert Timeouts

Tracert works using ICMP. It sends an ICMP echo request with a low TTL number to find each hop along the path. Intermediate hops should reply with an ICMP time exceeded message whereas the final destination should reply with an ICMP echo reply. It could be that the intermediate gateways are not sending back or blocking the time exceeded message (type 11, code 0), but allowing echo reply (type 0, code 0).

A lot of firewalls allow time exceeded in, but do not permit it out.

New Member

Re: Tracert Timeouts

Thanks for your help. I shamefully admit that I was blocking the Time Exceeded packets from coming into my network.

Problem solved.

Are there any major DoS attacks I expose myself to by leaving it open?

Thanks, again.

Cisco Employee

Re: Tracert Timeouts

I allow type 11 in (in addition to types 0, 3, and 4). This message is typically safe.
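
The mechanism from the accepted answer and the inbound type list from the last reply, modelled as an added example (not code from any poster in this thread, and no real packets are sent). The 192.0.2.x hops and the position of the filter just past the first hop are assumptions made for illustration.

```python
ECHO_REPLY, DEST_UNREACH, SOURCE_QUENCH, TIME_EXCEEDED = 0, 3, 4, 11

# Constructed path: first and last addresses are from the post's third trace;
# the 192.0.2.x hops are placeholders for routers the post never shows.
PATH = ["10.4.4.2", "192.0.2.2", "192.0.2.3", "192.0.2.4", "153.109.1.1"]

def trace(path, inbound_allowed, filter_after_hop=1):
    """Model tracert: one row per TTL, (ttl, responder or None for '* * *').

    inbound_allowed  -- ICMP types the local filter lets back in
    filter_after_hop -- assumption: replies from hops beyond this one
                        must pass the filter; nearer hops are inside it
    """
    rows = []
    for ttl, hop in enumerate(path, start=1):
        # The router where TTL hits 0 answers with time exceeded;
        # only the destination answers with echo reply.
        reply = ECHO_REPLY if ttl == len(path) else TIME_EXCEEDED
        passes = ttl <= filter_after_hop or reply in inbound_allowed
        rows.append((ttl, hop if passes else None))
    return rows

def diagnose(rows):
    """Interpret a trace the way the accepted answer does."""
    silent = [ttl for ttl, who in rows[:-1] if who is None]
    if rows[-1][1] is None:
        return "no echo reply: destination down or type 0 filtered"
    if silent:
        return "path is up; time exceeded (type 11) missing for hops %s" % silent
    return "all hops answered"

if __name__ == "__main__":
    permitted = {ECHO_REPLY, DEST_UNREACH, SOURCE_QUENCH, TIME_EXCEEDED}
    for allowed in ({ECHO_REPLY}, permitted):
        rows = trace(PATH, allowed)
        for ttl, who in rows:
            print(ttl, who or "* * *   Request timed out.")
        print(sorted(allowed), "->", diagnose(rows), "\n")
```

With only type 0 allowed in, the model reproduces the pattern in the original post: the gateway and the destination answer, and every hop between them shows as timed out.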
