The Tracert to the NAT Server Global Address Failed Because the Route to the Global Address Was Not Added

Publication Date: 2015-07-03
Issue Description
Networking:

Figure 4-11 Networking diagram (image not included)

Symptom:

A NAT server was configured on the firewall to map a public (global) address to an internal server. A ping from the PC to the NAT server's global address succeeded, but a tracert to the same address failed, reporting the destination unreachable.

Figure 4-12 Tracert destination host unreachable (image not included)

Handling Process
1. The ping succeeded, indicating that routing and packet filtering were normal. During the ping, the sessions on the firewall were normal and the global address was translated to the private address. During the tracert, however, no session was found.

2. Packets captured on the client showed that the firewall returned a destination unreachable message, but the reason was not determined. Normally, the firewall should answer a tracert probe with a TTL expiration message.

3. The debugging output on the firewall indicated that the firewall sent a TTL expiration message.


Current Show sessions count: 1
    Protocol(ICMP) SourceIp(10.122.131.3) DestinationIp(10.151.226.6)   
SourcePort(2048) DestinationPort(2048) VpnIndex(public)   
           Receive           Forward           Discard   
Obverse : 1          pkt(s) 0          pkt(s) 1          pkt(s)   
Reverse : 0          pkt(s) 0          pkt(s) 0          pkt(s)
    Discard detail information:
  DP_FW_L3Distribute            :exit 16:     1-----Packet is discarded, and a TTL expiration message must be sent.

0.7422383 shengzhan-USG-1 %%01IP/7/debug_case(d): 
Receiving, interface = GigabitEthernet0/0/1, version = 4, headlen = 20, tos = 0, 
pktlen = 92, pktid = 62450, offset = 0, ttl = 1, protocol = 1, 
checksum = 19348, s = 10.122.131.3, d = 10.151.226.6
prompt: Receiving IP packet from GigabitEthernet0/0/1------Tracert packet received.

0.7422766 shengzhan-USG-1 %%01IP/7/debug_case(d): 
Discarding, interface = GigabitEthernet0/0/1, version = 4, headlen = 20, tos = 0, 
pktlen = 92, pktid = 62450, offset = 0, ttl = 1, protocol = 1, 
checksum = 19348, s = 10.122.131.3, d = 10.151.226.6
prompt: Destination is unreachable!---Destination address unreachable message is generated. 

0.7423133 shengzhan-USG-1 %%01IP/7/debug_case(d): 
Sending, interface = GigabitEthernet0/0/1, version = 4, headlen = 20, tos = 0, 
pktlen = 56, pktid = 44120, offset = 0, ttl = 255, protocol = 1, 
checksum = 18603, s = 10.56.47.12, d = 10.122.131.3
prompt: Sending the packet from local at GigabitEthernet0/0/1----The destination unreachable message is sent. 


4. However, the destination address of the message handed to the VRP plane was still the NAT server's global address. The VRP plane was unable to find a route to that address and returned a TTL expiration message. Once a default route covering the global address was added, the VRP plane was able to forward the TTL expiration messages.
Root Cause
The data plane sent TTL expiration messages to the VRP plane. Destination NAT had not been applied to these messages, so their destination address was still the NAT server's global address. The VRP plane was unable to find a route to that address and returned a TTL expiration message. Once a default route covering the global address was added, the VRP plane was able to forward the TTL expiration messages.
Solution
Add a route to the global address. 
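The following is an added example, not part of this case or of the USG product's own code. It is a simplified Python model of the data plane / VRP plane split described in the root cause: a probe whose TTL expires at the firewall is punted to the VRP plane before destination NAT, so the VRP plane must be able to route the NAT server's global address in order to reply with a TTL expiration message. The PC, global and firewall interface addresses are taken from the debug output above; the server's private address is not given on the page, so a constructed documentation address is used as a placeholder. The model also shows why the ping (TTL well above 1) succeeds while the first tracert probe (TTL 1) does not.

```python
import ipaddress
from dataclasses import dataclass, field

# Addresses from the case's debug output.
PC_ADDR = "10.122.131.3"
NAT_GLOBAL_ADDR = "10.151.226.6"
FW_INTERFACE_ADDR = "10.56.47.12"
# Constructed placeholder: the server's private address is not on the page.
SERVER_PRIVATE_ADDR = "192.0.2.10"


@dataclass
class Packet:
    src: str
    dst: str
    ttl: int


@dataclass
class Firewall:
    """Simplified model of the behaviour described in the case (assumption, not the USG implementation)."""
    nat_server: dict = field(default_factory=dict)   # global address -> private address
    routes: list = field(default_factory=list)       # ipaddress networks known to the VRP plane
    interface_addr: str = FW_INTERFACE_ADDR

    def has_route(self, dst: str) -> bool:
        ip = ipaddress.ip_address(dst)
        return any(ip in net for net in self.routes)

    def handle(self, pkt: Packet) -> tuple:
        """Return (result, src, dst) describing what the firewall emits for the packet."""
        if pkt.ttl > 1:
            # Data plane: session created, destination NAT applied, packet forwarded.
            private = self.nat_server.get(pkt.dst, pkt.dst)
            return ("forwarded", pkt.src, private)
        # TTL expires here: the data plane discards the probe and hands it to the
        # VRP plane before destination NAT, so the destination is still the global address.
        if not self.has_route(pkt.dst):
            # VRP plane cannot route the punted packet: destination unreachable is returned.
            return ("destination-unreachable", self.interface_addr, pkt.src)
        # With a route present, the expected TTL expiration reply is sent to the PC.
        return ("time-exceeded", self.interface_addr, pkt.src)


def firewall_without_route() -> Firewall:
    """Firewall as in the case: NAT server configured, no route to the global address."""
    return Firewall(nat_server={NAT_GLOBAL_ADDR: SERVER_PRIVATE_ADDR}, routes=[])


def firewall_with_route() -> Firewall:
    """Firewall after the fix: a default route covers the global address."""
    return Firewall(
        nat_server={NAT_GLOBAL_ADDR: SERVER_PRIVATE_ADDR},
        routes=[ipaddress.ip_network("0.0.0.0/0")],
    )


def ping_probe(fw: Firewall) -> tuple:
    return fw.handle(Packet(PC_ADDR, NAT_GLOBAL_ADDR, ttl=64))


def tracert_first_hop(fw: Firewall) -> tuple:
    return fw.handle(Packet(PC_ADDR, NAT_GLOBAL_ADDR, ttl=1))


if __name__ == "__main__":
    for label, fw in (("without route", firewall_without_route()),
                      ("with route", firewall_with_route())):
        print(label, "ping:", ping_probe(fw))
        print(label, "tracert TTL=1:", tracert_first_hop(fw))
```

Running the block prints the ping being forwarded to the private address in both cases, while the TTL 1 probe yields "destination-unreachable" before the route is added and "time-exceeded" afterwards, matching the symptom and the fix in this case.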

END