11-27-2013 09:56 AM - edited 03-04-2019 09:42 PM
Hello all
This is probably an easy question but I don't see how this is happening and we don't have any outages or problems that I know of.
In one of our buildings (out of several) when we do a trace route from a switch (C3560-IPSERVICESK9-M) to any address, the internal devices that appear in the traceroute resolve to the same name:
Type escape sequence to abort.
Tracing the route to 8.8.4.4
1 www.quartics.com (10.37.24.2) 0 msec 0 msec 8 msec (ours)
2 www.quartics.com (10.37.23.4) 0 msec 0 msec 0 msec(ours)
3 www.quartics.com (10.37.123.1) 0 msec 0 msec 0 msec (ours)
4 67.131.23.201 8 msec 0 msec 0 msec
5 * * *
6 206.80.210.161 34 msec 8 msec 9 msec
7 * * *
8 * *
We do not have any entries in our DNS servers with www.quartics.com.
How do I debug this issue?
Your assistance would be greatly appreciated
11-27-2013 11:10 AM
I would agree that this output is strange. You ask how to debug this issue and I will offer these suggestions:
- what is configured on that switch for name server?
- is the name server configured for that switch the same or different from the name server for other network devices?
- what are the devices at 10.37.24.2) 10.37.23.4 and at 10.37.123.1?
- perhaps if you post the configuration of the switch we might find something?
HTH
Rick
11-27-2013 11:37 AM
11-27-2013 12:27 PM
Thank you for the additional information. I have looked through the config that you posted and do not see any configured name server on the switch. With no name server I am puzzled that there is any name resolution in the traceroute output. So this is one more strange thing in this situation. If you do traceroute to other external addresses does it do the same thing? If you do traceroute to internal addresses does it do the same kind of thing?
HTH
Rick
11-27-2013 12:33 PM
Yes it looks the same way for both internal and other extenal IP addresses.
Could this be caused by an unknown (to me) device?
11-27-2013 12:39 PM
It is interesting that it does it for both internal and external destinations. Perhaps the next step that I would suggest would be to do a packet capture on traffic sent by the switch. In the capture look especially for any request for DNS sent by the switch and if you see requests then look for who is sending responses.
Since I do not see how the switch could do this on its own then I would think that there must be some (currently unknown) device involved.
HTH
Rick
11-27-2013 12:52 PM
I will try that next, I won't be able to do this until Monday the 27th of November but I sure do appreciate your input on the issue.
I will post my pcaps on Monday.
Thanks again Richard
11-28-2013 09:13 AM
Hi Richard / Coco ,
I have some different opinion than you shared . Original poster has attached only the source switch which he has used in trace .... See below from the attachment . However if you see then first hop address will be the gateway which is being resolved always
ip default-gateway 10.37.24.2
1 www.quartics.com (10.37.24.2) 0 msec 0 msec 8 msec (ours)
I would suggest to have the device 10.37.24.2's configuration to be attached too for further diagnose .
Majed
11-28-2013 09:34 AM
Majed
It might be interesting to see the configuration from the gateway. But I have difficulty in understanding how anything on the gateway would influence the output of traceroute on the switch. As I understand the original post it is not a problem with what path is chosen (and for that the gateway is certainly a crucial part). The problem is that a name is in the output of traceroute and how does that name get there?
The traceroute packet goes out with a numerical IP address. The traceroute response comes back with a numerical IP address. There is no field in the traceroute for the gateway to insert a name. So I do not see any way for the name to get into the output except for something being done on the switch. If you can suggest some way that the gateway is affecting the format of output on the switch I would certainly be interested in hearing it.
HTH
Rick
11-30-2013 09:06 PM
11-29-2013 12:28 AM
Hi,
it would be interesting to get
show hosts
output from your switch before and after the traceroute command issued.
Best regards,
Milan
11-30-2013 09:16 PM
MIlan
Thanks, we are getting closer - Traceroute followed by a show hosts. Done from a different switch than the one at the beginning of the string. That particular switch has stopped showing the "www.quartics.com". Note, we
2CF-KING1-3560G-2#traceroute 8.8.8.8
Type escape sequence to abort.
Tracing the route to www.quartics.com (8.8.8.8)
1 10.37.24.2 0 msec 0 msec 9 msec
2 www.quartics.com (10.37.24.4) 0 msec 0 msec 0 msec
3 www.quartics.com (10.37.123.1) 0 msec 8 msec 0 msec
4 www.quartics.com (67.131.23.201) 0 msec 9 msec 0 msec
5 * * *
6 www.quartics.com (206.80.210.161) 8 msec 9 msec 8 msec
7 * * *
8
2CF-KING1-3560G-2#sh hosts
Default domain is not set
Name/address lookup uses static mappings
Codes: u - unknown, e - expired, * - OK, ? - revalidate
t - temporary, p - permanent
Host Port Flags Age Type Address(es)
hadar.avaz.com None (temp, OK) 0 IP 10.119.23.1
www.quartics.com None (temp, OK) 0 IP 10.119.23.1
8.8.8.8
10.37.24.4
10.37.123.1
67.131.23.201
65.118.86.165
206.80.210.161
2CF-KING1-3560G-2#
12-01-2013 12:47 AM
Hi,
believe there could be some strange (misconfigured) device in your LAN sending rogue DNS requests/replies.
As one of your switches stopped showing the strange DNS names while another started?!
I'm not sure what is the DNS cache timer on the switches.
So it would be interesting to start capturing DNS traffic by Wireshark, I guess?
And possibly to reboot the switch to see if it gives the same output again?
Best regards,
Milan
12-01-2013 06:16 AM
I have looked at the router config that was posted and do not find anything in it that helps explain the strange DNS behavior. I agree with Milan that capturing traffic with something like Wireshark and looking for DNS traffic would be a good next step.
It is certainly interesting that the behavior stopped on the original switch and started on another switch. Is it possible to determine whether there have been any config changes or any device reboot on either of these switches?
HTH
Rick
12-04-2013 09:28 AM
I apologize for not getting back to you earlier
I should have a pcap later tonight. I have been doing a "no ip domain-lookup' on the switches just to remove the hosts from appearing on the traceroutes but I know the problem persists.
I have consulted again with our Facilities department and it appears that the users in this facility installed a couple of networked TVs that they failed to notify the IT department about, I'm trying to locate the IP addresses to see if they are causing any issues. The host www.quartics.com is a video processor company from what I have found out. They must have found active network jacks to connect them to.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide