Hi all, in our scenario the ISP has blocked ICMP on our WAN IPs (private IPs given to the router interface to connect to the ISP network), like 192.168.1.1/30 etc. When we want to troubleshoot a GRE tunnel we try to ping the destination IP but it doesn't respond, so we are not clear whether it is due to blocked ICMP or another networking issue. Is there any other type of trace that we can use to see if that IP is alive or not, even when ICMP is blocked?
If you try traceroute to a destination address which should be routed through the tunnel, don't you see the router interface replying?
It's not clear to me! Please come back with details.
As per my knowledge, "traceroute" also uses ICMP requests, which are blocked by the ISP.
When I saw your question I considered writing some code about a TCP-based traceroute. Then I thought this would probably have already been done and it seems so. You could try the Layer4 LFT traceroute. It is supposed to manage to get through some firewalls. Cannot try it now. I will try it later. Please tell us if this works for you.
I don't know the exact solution. But I can suggest that you put in an official request to your ISP to allow ICMP traffic for your network IP range, to maintain network infrastructure and also for monitoring purposes. If it is P2P then the ISP is not in the picture; if it is MPLS or FR, then sometimes some ISPs put ICMP traffic at lower priority.
Hope I am informative and best of luck.
What's blocked exactly?
a) A ping to the router WAN interface?
b) Any ICMP traffic from the router WAN interface?
If only a), trace from a Cisco router might help (using UDP by Cisco implementation).
If b), you are in real trouble.
One stupid question: wouldn't it be possible to use the LAN interface as the tunnel end?
Let me share something with you.
We are using a VSAT connection for our enterprise network. At the time of installation, the ISP did not allow any ICMP traffic to their network. As a result, from our router we were not able to ping our remote end. After we put a request to them, they allowed that traffic, with a very poor response, to know the aliveness of the remote site.
Now if "a", how can I trace the remote site to see whether it is alive or not? And for "b", no idea.
Marikakis has suggested that link, which is useful, but is that possible if my ISP stops passing ICMP requests through their network? How can I know that my remote site is alive by the help of CISCO IOS?
As Kevin said, the ISP can hide its infrastructure from you by blocking TTL expired messages.
What devices do you have available if "the help of CISCO IOS" required?
Your routers behind the ISP ones?
The original question mentioned some GRE tunnels, is it your problem, too?
Traceroute behaves differently depending on the system you are tracing from. If you trace from a router, it is in fact a UDP packet, and you can even choose which port it uses. Here is some research I did on the subject:
What you can find, however, is that the ISP may not send you "TTL expired" messages. That makes the trace less useful.
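An added example, not written by any poster in this thread: a minimal TCP connect probe in the spirit of the TCP-based tracing suggested above, showing how a reply can prove a host is alive when ICMP echo is filtered. The function names, the localhost demo and the example ports are assumptions made for illustration.

```python
import errno
import socket

def tcp_probe(host, port, timeout=3.0):
    """Classify one TCP connect attempt without relying on ICMP echo."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"          # SYN/ACK came back: host is up, port listening
    except ConnectionRefusedError:
        return "refused"           # RST came back: port closed, but something answered
    except (socket.timeout, TimeoutError):
        return "no-reply"          # dropped silently: host down OR filtered, cannot tell
    except OSError as exc:
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "unreachable"   # no route, or an ICMP unreachable did get through
        raise

def liveness(host, ports, timeout=3.0):
    """Return ("alive" | "unknown", per-port results) for a list of TCP ports."""
    results = {port: tcp_probe(host, port, timeout) for port in ports}
    answered = any(r in ("open", "refused") for r in results.values())
    return ("alive" if answered else "unknown"), results

def local_demo():
    """Constructed offline demo: one listening and one closed port on 127.0.0.1."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    open_port = listener.getsockname()[1]
    spare = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()                  # released again, so nothing listens here
    try:
        return liveness("127.0.0.1", [open_port, closed_port], timeout=1.0), open_port, closed_port
    finally:
        listener.close()

if __name__ == "__main__":
    (verdict, results), _, _ = local_demo()
    print(verdict, results)
    # Against a real peer, pass its address and ports it may answer on,
    # e.g. liveness("<peer-ip>", [22, 23, 179])  (ports are assumptions).
```

A "refused" result is as useful as "open" here, since a TCP reset normally comes from the host itself or a device directly in front of it; only "no-reply" on every port leaves the question unanswered.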