Mike_Jensen
Advisor

Strange Windows tracert results

Has anybody ever experienced this, or does anybody know why a Windows 10 tracert would only show 1 hop no matter the destination?

For example when I do a tracert to 4.2.2.2 Windows reports the trace is complete with just 1 hop directly to 4.2.2.2.  I do not have any proxy device in front of this host that would do the tracert on its behalf.

C:\Users\user>tracert 4.2.2.2

Tracing route to b.resolvers.level3.net [4.2.2.2]
over a maximum of 30 hops:

1 13 ms 13 ms 12 ms b.resolvers.level3.net [4.2.2.2]

Trace complete.

C:\Users\user>

When I do the above and capture traffic on my Check Point appliance, which is the default gateway for this host, it seems what really happens is only ICMP pings, not any of the TTL-expired stuff I am used to seeing (screenshot attached).

Timothy_Hall
Champion

I'm assuming you captured on the internal interface of the Check Point facing the initiator of the tracert.  Is the initiator on the same subnet/VLAN as the internal interface on which you ran the capture?  A few things:

1) Not sure why both source and destination MAC addresses belong to Check Point; do you have more than one firewall? This may indicate the firewall is doing something strange there. Do you have the IPS signature TTL Masking enabled?

2) If the capture is to be believed, the first tracert packet is being sent with a TTL of 127, but it really should be 1, then 2, etc. If you install Wireshark on your Windows 10 box and you see the 127 TTL originating there, that is the source of your problem.

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
Mike_Jensen
Advisor

Hello,

I took the first capture on the outside interface of the firewall, not the interface directly connected to the host. Is that why the source and destination MACs are both Check Point? Frames are received on one Check Point interface and sent out another. This is ClusterXL HA of 2 firewalls.

I don't have TTL Masking enabled.

I ran Wireshark directly from the Windows 10 machine (screenshot attached) and the TTL is indeed starting at 128.

I have never seen this before.  This means that the Windows OS is not setting the correct TTL?

Timothy_Hall
Champion

It looks like Windows 10 is the source of your problem. I just tried the same traceroute from my Windows 10 box and it works as expected (capture below). Perhaps try tracert -d -h 1 4.2.2.2

(capture screenshot: tracert.png)

It appears tracert sends a probe with a regular TTL first then starts at 1, perhaps your Windows tracert is never getting out of that probe mode because the echo reply is getting blocked or otherwise not making it back?  Very strange...

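A small triage helper for the symptom discussed in this thread (an added example, not code from the thread, from Check Point or from Windows): given packet rows from a capture, it tells a normal Windows tracert, which steps through TTL 1, 2, 3 after its initial default-TTL probe, from the case here where only default-TTL echo requests ever appear. The addresses, packet rows and the hops_to_capture argument are constructed assumptions, chosen to mirror the two captures described above.

```python
"""Triage helper for the symptom in this thread: a Windows tracert that only
emits echo requests at the OS default TTL (128) instead of stepping through
TTL 1, 2, 3 ...  Added example; the packet rows below are constructed."""
from dataclasses import dataclass

WINDOWS_DEFAULT_TTL = 128  # initial TTL Windows puts on a normal ping


@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str
    icmp_type: int  # 8 = echo request, 0 = echo reply, 11 = TTL exceeded
    ttl: int        # IP TTL as observed at the capture point


def classify_trace(pkts, host, target, hops_to_capture=0):
    """Describe what a capture shows for a tracert from host to target.
    hops_to_capture: routers between host and capture point; each one
    decrements TTL, so a probe seen on the firewall's outside interface
    reads 127 when the host actually sent 128 (the thread's first capture)."""
    sent = [p.ttl + hops_to_capture for p in pkts
            if p.src == host and p.dst == target and p.icmp_type == 8]
    back = [p for p in pkts if p.dst == host and p.icmp_type in (0, 11)]
    # Ignore the default-TTL "probe mode" packets; the rest must step 1, 2, 3.
    stepping = [t for t in sent if t != WINDOWS_DEFAULT_TTL]
    steps_ok = bool(stepping) and stepping[0] == 1 and all(
        b - a in (0, 1) for a, b in zip(stepping, stepping[1:]))
    if not sent:
        verdict = "no probes seen"
    elif steps_ok:
        verdict = "normal traceroute"
    elif not stepping:
        verdict = "only default-TTL probes (thread symptom)"
    else:
        verdict = "irregular TTL sequence"
    return {"verdict": verdict, "probe_ttls": sent,
            "echo_replies": sum(p.icmp_type == 0 for p in back),
            "ttl_exceeded": sum(p.icmp_type == 11 for p in back)}


HOST, TARGET, FW = "10.0.0.5", "4.2.2.2", "10.0.0.1"  # constructed addresses
# Constructed: the thread's first capture, one hop away on the firewall's
# outside interface: three echo requests at TTL 127 and three echo replies.
STUCK_CAPTURE = [Pkt(HOST, TARGET, 8, 127), Pkt(TARGET, HOST, 0, 55)] * 3
# Constructed: a healthy tracert captured on the host itself (Wireshark):
# one default-TTL probe, then three probes each at TTL 1 and TTL 2.
GOOD_CAPTURE = ([Pkt(HOST, TARGET, 8, 128), Pkt(TARGET, HOST, 0, 55)]
                + [Pkt(HOST, TARGET, 8, t) for t in (1, 1, 1, 2, 2, 2)]
                + [Pkt(FW, HOST, 11, 64)] * 3)
```

Run classify_trace over rows exported from the capture, setting hops_to_capture to the number of routers between the Windows host and the capture interface, so the observed TTLs are normalised before the default-TTL filter is applied.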
KG_Song
Explorer

Hello Mike,

Did you find the reason?
