This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Timothy_Hall
MVP Gold
MVP Gold
‎2026-01-10 07:39 AM

asg_tracert

At one point, it was recommended on Scalable Platforms to always use asg_tracert instead of the native tracert/traceroute tools to ensure accurate results.  Is this still the case in Maestro?  Are the native traceroute/tracert tools just links to asg_tracert on those platforms?  I don't have an active Maestro system readily available to check this.  Thanks!

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course
0 Kudos
14 Replies
Lesley
MVP Gold
MVP Gold
‎2026-01-10 08:45 AM

The 82 Maestro admin guide still shows below comment so it is still a relevant command to use.

The native Linux "tracert" utility cannot handle the "tracert" pings correctly because of the stickiness mechanism used in the Security Group Firewall.

-------
Please press "Accept as Solution" if my post solved it 🙂
0 Kudos
Timothy_Hall
MVP Gold
MVP Gold
‎2026-01-11 07:01 AM
In response to Lesley

Does this apply to the traceroute command as well, which uses UDP datagrams instead of tracert, which uses ICMP echo requests for probes?

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course
the_rock
MVP Diamond
MVP Diamond
‎2026-01-11 02:02 PM
In response to Timothy_Hall

Seems like it. From the guide:

 

Traceroute (asg_tracert)

Description

Use the "asg_tracert" command in Gaia gClish or the Expert mode to show correct tracert results on the Security Group.

The native "tracert" cannot handle the "tracert" pings correctly because of the stickiness mechanism used in the Security Group Firewall.

The "asg_tracert" command supports all native options and parameters of the tracert command.

Best,
Andy
0 Kudos
Lesley
MVP Gold
MVP Gold
‎2026-01-13 10:19 AM
In response to Timothy_Hall

If you want i can run some commands for you on Maestro just PM me what you want me to test

-------
Please press "Accept as Solution" if my post solved it 🙂
Bob_Zimmerman
MVP Gold
MVP Gold
‎2026-01-13 02:01 PM

asg_tracert is a lot slower, but seems to produce more consistent output:

[Expert@DallasticXL-s01-02:0]# time traceroute -n 1.1.1.1
traceroute to 1.1.1.1 (1.1.1.1), 30 hops max, 40 byte packets
 1  10.0.1.1  2.704 ms  2.580 ms  2.504 ms
 2  w.x.y.z  33.097 ms  32.992 ms  33.100 ms
 3  184.19.247.176  33.266 ms 184.19.247.178  33.143 ms 184.19.247.176  33.269 ms
 4  74.40.10.208  34.011 ms  34.291 ms  34.590 ms
 5  74.40.10.110  34.145 ms  33.834 ms  33.989 ms
 6  45.52.201.127  37.234 ms  34.560 ms  34.311 ms
 7  * 141.101.74.63  34.983 ms 141.101.74.207  35.792 ms
 8  141.101.74.53  35.982 ms 1.1.1.1  35.249 ms 141.101.74.195  35.816 ms

real	0m5.010s
user	0m0.000s
sys	0m0.004s
[Expert@DallasticXL-s01-02:0]# time asg_tracert -n 1.1.1.1
traceroute to 1.1.1.1 (1.1.1.1), 30 hops max, 40 byte packets
 1  10.0.1.1  1.482 ms  0.679 ms  0.623 ms
 2  w.x.y.z  3.919 ms  1.782 ms  2.858 ms
 3  184.19.247.176  2.829 ms  2.158 ms  2.412 ms
 4  74.40.10.208  3.598 ms  3.267 ms  2.967 ms
 5  45.52.201.125  29.442 ms  3.317 ms  3.996 ms
 6  * 74.43.94.161  17.415 ms  10.169 ms
 7  141.101.74.65  3.674 ms  49.604 ms  3.658 ms
 8  1.1.1.1  3.394 ms  3.312 ms  3.433 ms

real	0m12.507s
user	0m0.003s
sys	0m0.008s

 

Gennady
Contributor
‎2026-01-13 11:26 PM

Good day!

Out of curiosity I decided to check what asg_tracert is. "whereis asg_tracert" returns "/opt/CPsmo-R81.20/bin/asg_tracert"

"less /opt/CPsmo-R81.20/bin/asg_tracert" reviels that the asg script contains only one command call: "tracert -z 500 $@"

Then we can compare md5sum for @"/usr/bin/traceroute" and "/usr/bin/tracert" and result is the same!

-z is "sendwait" which explains why asg_tracert works slower

.2026-01-14 102311.png

2026-01-14 102355.png

0 Kudos
Lari_Luoma
MVP Platinum CHKP MVP Platinum CHKP
MVP Platinum CHKP
2 weeks ago

Hi Tim,
Honestly, I have never used asg_tracert command. 🙂

0 Kudos
Timothy_Hall
MVP Gold
MVP Gold
2 weeks ago
In response to Lari_Luoma

Thanks Lari, I was trying to figure out if asg_tracert was just a relic left over from the Scalable Platform Chassis days or if it still applied in Maestro.

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course
0 Kudos
Lari_Luoma
MVP Platinum CHKP MVP Platinum CHKP
MVP Platinum CHKP
2 weeks ago
In response to Timothy_Hall

@Timothy_Hall I made some investigations. Here is what I found.

Maestro has three tools for traceroute.

  • traceroute – Standard Linux traceroute using UDP. Runs on the local SGM where you execute it.
  • tracert – Windows‑style traceroute using ICMP. Also runs locally on the SGM.
  • asg_tracert – Uses ICMP, but runs on the Flow Owner (FO) for the destination, not necessarily the SGM you’re logged into. You can confirm the FO with dxl calc.

tracert.png

0 Kudos
Lari_Luoma
MVP Platinum CHKP MVP Platinum CHKP
MVP Platinum CHKP
2 weeks ago
In response to Lari_Luoma

See how asg_tracert and tracert have different results? If I go to the flow owner (SGM 2 in my case() and run tracert, the result is the same as for asg_tracert from SGM1.
tracert2.png

 

 

0 Kudos
Timothy_Hall
MVP Gold
MVP Gold
2 weeks ago
In response to Lari_Luoma

Got it, thanks Lari.  So, if I am not using asg_tracert, will the return traffic actually come back to the flow owner, and then be corrected to the SGM I actually ran the tracert/traceroute from?  I assume the correction does not touch the TTL and thus would not be shown in the tracert/traceroute output? 

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course
0 Kudos
Lari_Luoma
MVP Platinum CHKP MVP Platinum CHKP
MVP Platinum CHKP
a week ago
In response to Timothy_Hall

Yes, that's my understanding. How the correction shows is that some responses are missing in tracert and traceroute outputs when run from the SMO. It's expected that there are more packets missing with ICMP. If I run tracert from the flow owner, there won't be any drops and it looks the same as asg_tracert. UDP and ICMP also behave differently as traceroute only lost one packet.

0 Kudos
WiliRGasparetto
MVP
MVP
2 weeks ago

Good evening, Tim. I have a lab environment set up here at NTSEC’s SKO with a Maestro cluster. I’m going to run some tests and analyze the behavior, and then I’ll get back to you with my findings and perspective on the topic.

0 Kudos
Timothy_Hall
MVP Gold
MVP Gold
2 weeks ago
In response to WiliRGasparetto

That would be great, thanks.

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
 
Upcoming Maestro Events

    CheckMates Events