Mike_Jensen
Collaborator

Strange Windows tracert results

Has anybody ever experienced this, or does anyone know why a Windows 10 tracert would only show 1 hop no matter the destination?

For example when I do a tracert to 4.2.2.2 Windows reports the trace is complete with just 1 hop directly to 4.2.2.2.  I do not have any proxy device in front of this host that would do the tracert on its behalf.

C:\Users\user>tracert 4.2.2.2

Tracing route to b.resolvers.level3.net [4.2.2.2]
over a maximum of 30 hops:

1 13 ms 13 ms 12 ms b.resolvers.level3.net [4.2.2.2]

Trace complete.

C:\Users\user>

When I do the above and capture traffic on my Check Point appliance, which is the default gateway for this host, it seems what really happens is only ICMP pings, not any TTL-expired stuff that I am used to seeing (screenshot attached).

Timothy_Hall
Champion

I'm assuming you captured on the internal interface of the Check Point facing the initiator of the tracert.  Is the initiator on the same subnet/VLAN as the internal interface on which you ran the capture?  A few things:

1) Not sure why both source and destination MAC addresses belong to Check Point; do you have more than one firewall? This may indicate the firewall is doing something strange there. Do you have the IPS signature TTL Masking enabled?

2) If the capture is to be believed, the first tracert packet is being sent with a TTL of 127, but it really should be 1, then 2, etc.  If you install Wireshark on your Windows 10 box and you see the 127 TTL originating there that is the source of your problem.

"Max Capture: Know Your Packets" Video Series
now available at http://www.maxpowerfirewalls.com
Mike_Jensen
Collaborator

Hello,

I took the first capture on the outside interface of the firewall, not the interface directly connected to the host.  Is that why the source and destination MACs are both Check Point?  Frames are received on one Check Point interface and sent out another.  This is ClusterXL HA of 2 firewalls.

I don't have TTL Masking enabled.

I ran Wireshark directly from the Windows 10 machine (screen shot attached) and the TTL is indeed starting at 128.

I have never seen this before.  This means that the Windows OS is not setting the correct TTL?

Timothy_Hall
Champion

It looks like Windows 10 is the source of your problem; I just tried the same traceroute from my Windows 10 box and it works as expected (capture below).  Perhaps try tracert -d -h 1 4.2.2.2

[capture attached: tracert.png]

It appears tracert sends a probe with a regular TTL first then starts at 1, perhaps your Windows tracert is never getting out of that probe mode because the echo reply is getting blocked or otherwise not making it back?  Very strange...

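The two observations Timothy makes in this thread (a tracert should leave the host with TTL 1, then 2, then 3, rather than a fixed 127/128, and a working Windows tracert may send one full-TTL probe before starting at 1) can be turned into a quick check over capture data, so the "stuck in probe mode" pattern the original poster saw is recognised without reading the packets by hand. The following is an added example, not code from the thread, from Windows or from Check Point. The Probe record layout, the 10.0.0.x source addresses and the classification labels are my own assumptions; 4.2.2.2 is the destination used in the thread.

```python
"""Classify outbound ICMP echo requests from a capture as traceroute-style or not.

Added example for this thread (not code from the original posts or from Check Point).
The capture records below are constructed by hand to mimic the two situations
the thread describes; field names and classification rules are assumptions.
"""
from collections import namedtuple

# One outbound ICMP echo request as it might be read out of a capture.
# This layout is an assumption for the example, not a real capture format.
Probe = namedtuple("Probe", "src dst ttl icmp_type")

ECHO_REQUEST = 8          # ICMP type of an echo request
ECHO_REPLY = 0            # ICMP type of an echo reply (filtered out below)
WINDOWS_DEFAULT_TTL = 128  # initial TTL a Windows host puts on ordinary packets


def _is_incrementing(ttls):
    """True when TTLs start at 1 and never jump by more than one.

    tracert sends several probes per hop, so repeated values are allowed
    (1, 1, 1, 2, 2, 2, ...) but a gap or a decrease is not.
    """
    if not ttls or ttls[0] != 1:
        return False
    return all(0 <= later - earlier <= 1 for earlier, later in zip(ttls, ttls[1:]))


def classify_probes(probes, dst):
    """Label the echo requests sent towards dst.

    'traceroute'              TTLs start at 1 and step up hop by hop.
    'traceroute-after-probe'  one leading full-TTL probe, then 1, 2, 3 ...
                              (the pattern the working capture in the thread shows).
    'fixed-ttl'               every probe carries the same TTL, which is what the
                              original poster saw (TTL 128, one hop reported).
    'empty' / 'unknown'       nothing to classify, or none of the above.
    """
    ttls = [p.ttl for p in probes if p.dst == dst and p.icmp_type == ECHO_REQUEST]
    if not ttls:
        return "empty"
    if len(set(ttls)) == 1:
        return "fixed-ttl"
    if _is_incrementing(ttls):
        return "traceroute"
    # A probe leaving with (near) the default TTL, followed by a normal 1, 2, 3 run.
    if ttls[0] >= WINDOWS_DEFAULT_TTL - 1 and _is_incrementing(ttls[1:]):
        return "traceroute-after-probe"
    return "unknown"


def ttl_after_hops(initial_ttl, router_hops):
    """TTL a packet carries after crossing router_hops routers.

    Explains why a capture on the firewall's far side shows 127 for a packet
    that left a Windows host with 128: the firewall decremented it once.
    """
    return max(initial_ttl - router_hops, 0)


# Constructed sample: what the original poster saw, every probe leaves with TTL 128.
STUCK_CAPTURE = [Probe("10.0.0.5", "4.2.2.2", 128, ECHO_REQUEST) for _ in range(3)]

# Constructed sample: a working tracert, one full-TTL probe and then 1, 1, 1, 2, 2, 2, ...
# An echo reply is mixed in to show that only outbound requests are considered.
WORKING_CAPTURE = (
    [Probe("10.0.0.6", "4.2.2.2", 128, ECHO_REQUEST),
     Probe("4.2.2.2", "10.0.0.6", 57, ECHO_REPLY)]
    + [Probe("10.0.0.6", "4.2.2.2", hop, ECHO_REQUEST) for hop in (1, 1, 1, 2, 2, 2, 3, 3, 3)]
)

if __name__ == "__main__":
    print("stuck capture  :", classify_probes(STUCK_CAPTURE, "4.2.2.2"))
    print("working capture:", classify_probes(WORKING_CAPTURE, "4.2.2.2"))
    print("TTL 128 after one router:", ttl_after_hops(WINDOWS_DEFAULT_TTL, 1))
```

In practice the Probe records would be filled from the ICMP echo requests exported from the Wireshark capture taken on the Windows box; a result of fixed-ttl for a host that is supposedly running tracert points at the sender, exactly as the thread concludes, while traceroute-after-probe is the healthy pattern.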