topic Re: Traceroute Issue in General Topics

Traceroute Issue

Sanjay_S — Fri, 09 Apr 2021 12:35:16 GMT

Hi Team,

We are seeing a very weird behavior when we do the traceroute from the Source to destination behind the firewall. Checkpoint Hop is shown twice in the trace. Shows 2nd Hop as checkpoint and next hop would be based on the routing. Then again 5th Hop is shown as Checkpoint and destination.

Regards,

Sanjay S

Re: Traceroute Issue

PhoneBoy — Fri, 09 Apr 2021 15:23:59 GMT

Sounds like a weird routing/NAT issue.
What version/JHF?
A network diagram would probably be helpful as well.
But I suspect this will require detailed network information to resolve and you might be better off engaging with the TAC.

Re: Traceroute Issue

Sanjay_S — Fri, 09 Apr 2021 16:23:13 GMT

Thank you for helping me on this.

R80.30 and Take 227 is what we are running the firewalls. Captured traffic using fw monitor and i can clearly see it is reaching only once to the firewall. So as you said may be we need to involve TAC and also check the peer directly connected devices as well.

Re: Traceroute Issue

Hugo_vd_Kooij — Tue, 03 Aug 2021 12:01:24 GMT

Interresting. I have seen the same thing with R80.40 as well. But only on traceroute from Windows (ICMP) and not from Linux (UDP).

ICMP packets with TTL=0 and TTL=1 are only seen on the client side interface with fw monitor (`fw monitor -F 0,0,0,0,1`) .

My guess is that on ICMP the TTL count is lowered by 2 instead of 1. As the steps beyond the firewall are always consistent and do show the expected hops.

As we determined that this is just an unexpected thing but otherwise harmless we did not create a ticket for this. I might do it if I can build a lab that shows the same issue. But it would most likely just be for entertainment purposes for now.

Re: Traceroute Issue

Hugo_vd_Kooij — Tue, 03 Aug 2021 12:05:23 GMT

Our customer setup is rather like:

Client ==> Internal router ==> Firewall ==> External router ==> {Internet}