topic Re: asg_tracert in Hyperscale Firewall (Maestro)

asg_tracert

Timothy_Hall — Sat, 10 Jan 2026 15:39:43 GMT

At one point, it was recommended on Scalable Platforms to always use asg_tracert instead of the native tracert/traceroute tools to ensure accurate results. Is this still the case in Maestro? Are the native traceroute/tracert tools just links to asg_tracert on those platforms? I don't have an active Maestro system readily available to check this. Thanks!

Re: asg_tracert

Lesley — Sat, 10 Jan 2026 16:45:55 GMT

The 82 Maestro admin guide still shows below comment so it is still a relevant command to use.

The native Linux "tracert" utility cannot handle the "tracert" pings correctly because of the stickiness mechanism used in the Security Group Firewall.

Re: asg_tracert

Timothy_Hall — Sun, 11 Jan 2026 15:01:17 GMT

Does this apply to the traceroute command as well, which uses UDP datagrams instead of tracert, which uses ICMP echo requests for probes?

Re: asg_tracert

the_rock — Sun, 11 Jan 2026 22:02:17 GMT

Seems like it. From the guide:

Traceroute (asg_tracert)

Description

Use the "asg_tracert" command in Gaia gClish or the Expert mode to show correct tracert results on the Security Group.

The native "tracert" cannot handle the "tracert" pings correctly because of the stickiness mechanism used in the Security Group Firewall.

The "asg_tracert" command supports all native options and parameters of the tracert command.

Re: asg_tracert

Lesley — Tue, 13 Jan 2026 18:19:21 GMT

If you want i can run some commands for you on Maestro just PM me what you want me to test

Re: asg_tracert

Bob_Zimmerman — Tue, 13 Jan 2026 22:01:04 GMT

asg_tracert is a lot slower, but seems to produce more consistent output:

[Expert@DallasticXL-s01-02:0]# time traceroute -n 1.1.1.1 traceroute to 1.1.1.1 (1.1.1.1), 30 hops max, 40 byte packets 1 10.0.1.1 2.704 ms 2.580 ms 2.504 ms 2 w.x.y.z 33.097 ms 32.992 ms 33.100 ms 3 184.19.247.176 33.266 ms 184.19.247.178 33.143 ms 184.19.247.176 33.269 ms 4 74.40.10.208 34.011 ms 34.291 ms 34.590 ms 5 74.40.10.110 34.145 ms 33.834 ms 33.989 ms 6 45.52.201.127 37.234 ms 34.560 ms 34.311 ms 7 * 141.101.74.63 34.983 ms 141.101.74.207 35.792 ms 8 141.101.74.53 35.982 ms 1.1.1.1 35.249 ms 141.101.74.195 35.816 ms real 0m5.010s user 0m0.000s sys 0m0.004s [Expert@DallasticXL-s01-02:0]# time asg_tracert -n 1.1.1.1 traceroute to 1.1.1.1 (1.1.1.1), 30 hops max, 40 byte packets 1 10.0.1.1 1.482 ms 0.679 ms 0.623 ms 2 w.x.y.z 3.919 ms 1.782 ms 2.858 ms 3 184.19.247.176 2.829 ms 2.158 ms 2.412 ms 4 74.40.10.208 3.598 ms 3.267 ms 2.967 ms 5 45.52.201.125 29.442 ms 3.317 ms 3.996 ms 6 * 74.43.94.161 17.415 ms 10.169 ms 7 141.101.74.65 3.674 ms 49.604 ms 3.658 ms 8 1.1.1.1 3.394 ms 3.312 ms 3.433 ms real 0m12.507s user 0m0.003s sys 0m0.008s

Re: asg_tracert

Gennady — Wed, 14 Jan 2026 07:26:08 GMT

Good day!

Out of curiosity I decided to check what asg_tracert is. "whereis asg_tracert" returns "/opt/CPsmo-R81.20/bin/asg_tracert"

"less /opt/CPsmo-R81.20/bin/asg_tracert" reviels that the asg script contains only one command call: "tracert -z 500 $@"

Then we can compare md5sum for @"/usr/bin/traceroute" and "/usr/bin/tracert" and result is the same!

-z is "sendwait" which explains why asg_tracert works slower

Re: asg_tracert

Lari_Luoma — Sat, 31 Jan 2026 06:25:17 GMT

Hi Tim,
Honestly, I have never used asg_tracert command. 🙂

Re: asg_tracert

Timothy_Hall — Sat, 31 Jan 2026 14:03:55 GMT

Thanks Lari, I was trying to figure out if asg_tracert was just a relic left over from the Scalable Platform Chassis days or if it still applied in Maestro.

Re: asg_tracert

Lari_Luoma — Mon, 02 Feb 2026 22:44:02 GMT

@Timothy_Hall I made some investigations. Here is what I found.

Maestro has three tools for traceroute.

traceroute – Standard Linux traceroute using UDP. Runs on the local SGM where you execute it.
tracert – Windows‑style traceroute using ICMP. Also runs locally on the SGM.
asg_tracert – Uses ICMP, but runs on the Flow Owner (FO) for the destination, not necessarily the SGM you’re logged into. You can confirm the FO with dxl calc.

Re: asg_tracert

Lari_Luoma — Mon, 02 Feb 2026 22:39:28 GMT

See how asg_tracert and tracert have different results? If I go to the flow owner (SGM 2 in my case() and run tracert, the result is the same as for asg_tracert from SGM1.

Re: asg_tracert

WiliRGasparetto — Tue, 03 Feb 2026 00:59:15 GMT

Good evening, Tim. I have a lab environment set up here at NTSEC’s SKO with a Maestro cluster. I’m going to run some tests and analyze the behavior, and then I’ll get back to you with my findings and perspective on the topic.

Re: asg_tracert

Timothy_Hall — Tue, 03 Feb 2026 23:49:03 GMT

Got it, thanks Lari. So, if I am not using asg_tracert, will the return traffic actually come back to the flow owner, and then be corrected to the SGM I actually ran the tracert/traceroute from? I assume the correction does not touch the TTL and thus would not be shown in the tracert/traceroute output?

Re: asg_tracert

Timothy_Hall — Tue, 03 Feb 2026 23:49:44 GMT

That would be great, thanks.

Re: asg_tracert

Lari_Luoma — Thu, 05 Feb 2026 04:04:38 GMT

Yes, that's my understanding. How the correction shows is that some responses are missing in tracert and traceroute outputs when run from the SMO. It's expected that there are more packets missing with ICMP. If I run tracert from the flow owner, there won't be any drops and it looks the same as asg_tracert. UDP and ICMP also behave differently as traceroute only lost one packet.