FAQ-How to show the concealed routes when you are doing tracert to USG5500

Publication Date:  2015-10-30 Views:  294 Downloads:  0
Issue Description

When running tracert and the packets travel through the firewall, we cannot see the detailed hops; the firewall hop shows as stars ("* * *") instead.

Here is the topology. When we run tracert from Client 1 to Client 2, it shows like this:


PC>tracert 192.168.20.10
traceroute to 192.168.20.10, 8 hops max
(ICMP), press Ctrl+C to stop
1  192.168.10.1   16 ms  62 ms  47 ms
2    *  *  *                   (this hop stands for the firewall)
3  20.20.20.2   156 ms  78 ms  94 ms
4  192.168.20.10   109 ms  47 ms  62 ms

Solution

After adding the following commands, we can see the detailed hops:

[SRG]ip ttl-expires enable
[SRG]ip unreachables enable
[SRG]undo firewall defend tracert enable


Test result:

PC>tracert 192.168.20.10
traceroute to 192.168.20.10, 8 hops max
(ICMP), press Ctrl+C to stop
1  192.168.10.1   62 ms  31 ms  32 ms
2  10.10.10.1   62 ms  47 ms  47 ms
3  20.20.20.2   78 ms  78 ms  63 ms
4  192.168.20.10   31 ms  47 ms  62 ms

By default, an interface does not reply with an ICMP Time Exceeded message when it receives a packet with TTL 1, so tracert never learns the firewall's address and prints stars for that hop. We need to enable the sending of ICMP Destination Unreachable packets and ICMP Time Exceeded (TTL timeout) packets with the ip unreachables enable and ip ttl-expires enable commands, and turn off the firewall's tracert defence with undo firewall defend tracert enable.
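The following Python model is an added example, not Huawei code and not part of the original FAQ. It shows why tracert prints "* * *" for a hop that does not answer an expired TTL, and how enabling the reply makes the hop's address appear; it also includes a small parser that flags concealed hops in tracert output, using the FAQ's own "before" output as sample input. The hop addresses are taken from the FAQ's outputs; the behaviour model is an assumption that covers only the effect of ip ttl-expires enable (whether a hop answers an expired TTL), not the other two commands.

```python
import re
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Hop:
    """One forwarding device on the path from Client 1 to Client 2."""
    address: str
    # False models a firewall without 'ip ttl-expires enable' (assumption:
    # the only effect modelled is whether the hop answers an expired TTL).
    ttl_expires_reply: bool = True


def probe(path, destination, ttl):
    """Send one probe with the given TTL along path; return who answered.

    A forwarding device that receives a packet with TTL 1 discards it and,
    if configured to, answers with ICMP Time Exceeded from its own address;
    a silent device yields '*'.  A probe that survives every forwarding hop
    reaches the destination, which answers (echo reply) whatever TTL is left.
    """
    for hop in path:
        if ttl <= 1:
            return hop.address if hop.ttl_expires_reply else "*"
        ttl -= 1
    return destination


def traceroute(path, destination, max_hops=8):
    """Probe with TTL 1, 2, ... until the destination answers or max_hops."""
    answers = []
    for ttl in range(1, max_hops + 1):
        answer = probe(path, destination, ttl)
        answers.append(answer)
        if answer == destination:
            break
    return answers


def enable_ttl_expires(path, address):
    """Model running 'ip ttl-expires enable' on the device at address."""
    return [replace(h, ttl_expires_reply=True) if h.address == address else h
            for h in path]


# Path constructed from the FAQ outputs: R1, the USG5500, R2, then Client 2.
FAQ_PATH = [
    Hop("192.168.10.1"),
    Hop("10.10.10.1", ttl_expires_reply=False),  # the firewall, default config
    Hop("20.20.20.2"),
]
FAQ_DESTINATION = "192.168.20.10"


def hidden_hops(tracert_output):
    """Return hop numbers whose three probes all timed out ('*  *  *').

    Works on the PC tracert format shown in the FAQ: a hop line starts with
    the hop number, followed by either an address or three stars.
    """
    hidden = []
    for line in tracert_output.splitlines():
        tokens = line.split()
        if len(tokens) >= 4 and tokens[0].isdigit() and tokens[1:4] == ["*"] * 3:
            hidden.append(int(tokens[0]))
    return hidden


# The FAQ's "before" output, copied as the parser's sample input.
BEFORE_OUTPUT = """\
traceroute to 192.168.20.10, 8 hops max
(ICMP), press Ctrl+C to stop
1  192.168.10.1   16 ms  62 ms  47 ms
2    *  *  *
3  20.20.20.2   156 ms  78 ms  94 ms
4  192.168.20.10   109 ms  47 ms  62 ms
"""

if __name__ == "__main__":
    print("before:", traceroute(FAQ_PATH, FAQ_DESTINATION))
    fixed = enable_ttl_expires(FAQ_PATH, "10.10.10.1")
    print("after: ", traceroute(fixed, FAQ_DESTINATION))
    print("hidden hops in FAQ output:", hidden_hops(BEFORE_OUTPUT))
```

Running the script reproduces the two hop lists from the FAQ: with the firewall silent the second entry is "*", and after enable_ttl_expires it becomes 10.10.10.1. The same model makes the trade-off of the fix visible: the silent default is what keeps the firewall's interface address out of tracert output, so a team that prefers the firewall to stay concealed leaves the defaults and accepts the stars, while a team that needs the hop for path troubleshooting applies the commands above.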
