[j-nsp] Difficulty with traceroute and stateful-firewall services...
Erik Haagsman
erik at we-dare.net
Mon Apr 11 12:02:51 EDT 2005
Without seeing the actual firewall rules it's hard to say anything
useful about this. Are you blocking/filtering any UDP ports that might
prevent a normal traceroute...?
On Mon, 2005-04-11 at 10:00 -0600, Michael Loftis wrote:
> I can't seem to quite get traceroute to work right with the Juni FW
> services...
>
> traces all end up sort of like this (I redacted the router and nearest IP,
> sorry):
>
> root at host # traceroute www.google.com
> traceroute: Warning: www.google.com has multiple addresses; using
> 66.102.7.147
> traceroute to www.l.google.com (66.102.7.147), 30 hops max, 38 byte packets
> 1 rtr (<rtr ip>) 1.316 ms 1.173 ms 1.161 ms
> 2 * * *
> 3 * * *
> 4 * * *
> 5 ra1so-ge3-2-11.cg.bigpipeinc.com (66.244.207.237) 32.146 ms 30.794 ms
> 32.069 ms
> 6 rc1so-ge9-6.cg.shawcable.net (66.163.71.141) 32.092 ms 31.429 ms
> 31.327 ms
> 7 rc1wh-pos12-0.vc.shawcable.net (66.163.76.10) 32.584 ms 31.686 ms
> 31.577 ms
> 8 rc2wt-pos2-0.wa.shawcable.net (66.163.76.37) 31.459 ms 32.055 ms
> 31.973 ms
> 9 rc1sj-pos2-0.cl.shawcable.net (66.163.76.142) 55.037 ms 55.535 ms
> 55.063 ms
> 10 * * *
> 11 66.249.94.2 (66.249.94.2) 52.365 ms 52.758 ms 52.063 ms
> 12 64.233.174.54 (64.233.174.54) 53.077 ms 52.543 ms 53.316 ms
> 13 216.239.49.154 (216.239.49.154) 54.950 ms 58.735 ms 54.432 ms
> 14 * * *
> ...
>
> etc....traceroutes with the stateful firewall turned down/off are fine.
>
> any clues?
>
>
> --
> GPG/PGP --> 0xE736BD7E 5144 6A2D 977A 6651 DFBE 1462 E351 88B9 E736 BD7E
--
---
Erik Haagsman
Network Architect
We Dare BV
Tel: +31(0)10-7507008
Fax: +31(0)10-7507005
http://www.we-dare.nl