Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
4673
Views
0
Helpful
3
Replies

Tracert Timeouts

Go to solution
oneirishpollack
Level 1
Level 1

‎08-24-2009 07:10 AM - edited ‎03-06-2019 07:23 AM

Hi all,

Can you help me determine why I am getting timeouts on my tracert tests. Essentially I get a response from my gateway, and the next hop after (edge router, but then I get nothing after that. The next hope would be a router administrated by our umbrella organization - but here is the unsual part, I eventually do receive the last or destination hop back.

So a tracert to yahoo looks like this:

1 <1 ms <1 ms <1 ms 10.4.4.2

2 * * * Request timed out.

3 * * * Request timed out.

4 * * * Request timed out.

5 * * * Request timed out.

6 * * * Request timed out.

7 * * * Request timed out.

8 * * * Request timed out.

9 * * * Request timed out.

10 * * * Request timed out.

11 * * * Request timed out.

12 * * * Request timed out.

13 * * * Request timed out.

14 22 ms 20 ms 21 ms 69.147.76.15

A tracert to my Edge Router looks like this:

C:\Documents and Settings\deckard>tracert 164.106.71.1

Tracing route to 164.106.71.1 over a maximum of 30 hops

1 <1 ms <1 ms <1 ms 10.4.4.2

2 1 ms 1 ms 1 ms 153.109.69.1

Trace complete.

A tracert to the next hop router (admined by our umbrella organization) looks like this:

C:\Documents and Settings\deckard>tracert 153.109.1.1

Tracing route to ns1.cc.va.us [153.109.1.1]

over a maximum of 30 hops:

1 <1 ms 1 ms <1 ms 10.4.4.2

2 * * * Request timed out.

3 * * * Request timed out.

4 * * * Request timed out.

5 13 ms 12 ms 13 ms blah.blah.blah [153.109.1.1]

Trace complete.

Am I correct in saying that the return traffic is being blocked by our parent company (153.109.1.1)?

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Joe Clarke
Cisco Employee
Cisco Employee

‎08-24-2009 07:21 AM

Tracert works using ICMP. It sends an ICMP echo request with a low TTL number to find each hope along the path. Intermediate hops should reply with an ICMP time exceeded message where as the final destination should reply with an ICMP echo reply. It could be that the intermediate gateways are not sending back or blocking the time exceeded message (type 11, code 0), but allowing echo reply (type 0, code 0).

A lot of firewalls allow time exceeded in, but do not permit it out.

View solution in original post

0 Helpful
3 Replies 3

Go to solution
Joe Clarke
Cisco Employee
Cisco Employee

‎08-24-2009 07:21 AM

Tracert works using ICMP. It sends an ICMP echo request with a low TTL number to find each hope along the path. Intermediate hops should reply with an ICMP time exceeded message where as the final destination should reply with an ICMP echo reply. It could be that the intermediate gateways are not sending back or blocking the time exceeded message (type 11, code 0), but allowing echo reply (type 0, code 0).

A lot of firewalls allow time exceeded in, but do not permit it out.

0 Helpful

Go to solution
oneirishpollack
Level 1
Level 1
In response to Joe Clarke

‎08-24-2009 07:31 AM

Thanks for your help. I shamefully admit that I was blocking the Time Exceeded packets from coming into my network.

Problem solved.

Are there any major DOS attacks I expose myself to by leaving it open?

Thanks, again.

0 Helpful

Go to solution
Joe Clarke
Cisco Employee
Cisco Employee
In response to oneirishpollack

‎08-24-2009 07:35 AM

I allow type 11 in (in addition to types 0, 3, and 4). This message is typically safe.

0 Helpful
Customers Also Viewed These Support Documents