A Tracert Error Occurs When the AR Router Discards the ICMP Packets with the TTL Value of 1 By Default

Publication Date: 2015-10-14
Issue Description
As shown in Figure 1-1, R1 and R2 are AR routers, R3 is an NE20E router, and R4 is an NE40E router. A loopback interface is created on both R2 and R4 to simulate a terminal network segment connected to the two AR routers. Dynamic routing protocols run on the entire network. The cost value is modified so that traffic is transmitted along the path R4-R3-R1-R2. The loopback interfaces of R2 and R4 are required to communicate with each other, with traffic following the designed path: R4-R3-R1-R2 or R2-R1-R3-R4.

R4 can use the loopback address as the source address to ping the loopback address of R2. However, during a tracert operation, the tracert packet can only reach R1. R2 does not respond, and "* * *" is displayed for R2. R2 can also use the loopback address as the source address to ping the loopback address of R4.

Figure 1-1 Networking diagram 

Handling Process
Step 1 Check the routing and forwarding entries.

RIPv2 and OSPF were each used on the network, and the same results were obtained. A hop-by-hop check was carried out on the routes destined for the loopback addresses of R4 and R2. The check result shows that the routes are implemented as designed. This indicates that the routing and forwarding entries function normally.

Step 2 Start the tracert operation on R3.

Each time the tracert command is executed, R1 displays normally while R2 displays "* * *". To check whether a fault occurs each time the tracert packet passes through R1, start the tracert operation on R3, with the loopback address of R2 still as the destination address.

The test result is the same: R1 displays normally while R2 displays "* * *". Therefore, R4 is excluded from suspected faulty points, and the fault occurs on R1.

Step 3 Run the display traffic policy statistics interface interface-type interface-number { inbound | outbound } command on both R1 and R2 to collect traffic statistics on their connected interfaces.

Interface interface-type interface-number specifies the interface that connects the two routers, inbound specifies that statistics of incoming traffic are collected on the interface, and outbound specifies that statistics of outgoing traffic are collected. The final result is as follows:

R1: The outgoing traffic count on the interface connected to R2 is normal, while the incoming traffic count on the same interface is 0.

R2: The incoming traffic count on the interface connected to R1 is normal, while the outgoing traffic count on the same interface is 0.

Conclusion: R1 forwards packets to R2 normally, but R2 fails to respond.
Root Cause
To prevent TTL attacks, the AR router, by default, does not process the ICMP packets with the TTL value of 1. ICMP packets are protocol packets which need to be sent to the CPU for processing. If there are a large number of ICMP packets, the processing performance of the device will be affected.

Tracert packets are ICMP packets with the TTL value of 1. When such tracert packets reach R2, R2 discards the packets and does not respond, thereby leading to a tracert error.
Solution
Run the icmp port-unreachable send command in the system view of R2 to enable the device to send ICMP Port Unreachable packets.
Suggestions
To enable an AR router to respond normally to tracert packets, run the icmp port-unreachable send command in the system view to enable the router to send ICMP Port Unreachable packets.

Both the tracert command and the ping command with the -r parameter specified return information about nodes between the source device and the destination host. The major differences between the two commands are as follows:
  • When the ping test times out on one of the intermediate nodes, a ping test timeout message is returned, containing no path information.
  • When the tracert test times out on one of the intermediate nodes, the message "* * *" is displayed for that node. The entire tracert operation is not affected.
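
The diagnosis in this case (ping succeeds, tracert ends in "* * *") can be automated. The following is an added example, not part of the original case and not Huawei code: it parses tracert output and combines it with a ping result to tell suppressed replies from a real reachability fault. The sample output, the addresses, and the names parse_hops and classify are constructed for illustration.

```python
import re

# Constructed sample, not captured from a device: tracert from R4 toward R2's
# loopback as in the case above. All addresses are made-up placeholders.
SAMPLE_TRACERT = """\
 traceroute to 10.0.2.2(10.0.2.2), max hops: 30, packet length: 40
 1 10.0.34.3 2 ms 1 ms 1 ms
 2 10.0.13.1 3 ms 2 ms 2 ms
 3 * * *
 4 * * *
"""

HOP_RE = re.compile(r"^\s*(\d+)\s+(\S+)")  # hop number, then address or '*'


def parse_hops(text):
    """Return [(hop_number, responder_or_None)]; None stands for '* * *'."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if m:
            addr = m.group(2)
            hops.append((int(m.group(1)), None if addr == "*" else addr))
    return hops


def classify(hops, destination, ping_ok):
    """Combine tracert hops with a ping result for the same source/destination.

    Assumes the destination answers from the probed address.
    Returns (verdict, hop numbers that stayed silent and matter for it).
    """
    silent = [n for n, ip in hops if ip is None]
    if any(ip == destination for _, ip in hops):
        # Silent transit hops do not stop tracert from finishing.
        return "complete", silent
    last_reply = max((n for n, ip in hops if ip), default=0)
    trailing = [n for n in silent if n > last_reply]
    if ping_ok:
        # Forwarding works, but the far end never answers the probes: the
        # situation on this page, fixed with icmp port-unreachable send on R2.
        return "replies-suppressed", trailing
    return "unreachable", trailing


if __name__ == "__main__":
    print(classify(parse_hops(SAMPLE_TRACERT), "10.0.2.2", ping_ok=True))
```

A "replies-suppressed" verdict points at device configuration on the silent node rather than at routing, which matches the result of Step 1 and Step 3 above.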
