Home » Cisco, Routing & Switching, Technology

Traceroute: When Things Go Wrong

Author: Al Friebe 9 February 2011 3,097 views One Comment
Tags: , , ,

So, what can go wrong while doing a trace, and what would we see if it did? Sometimes you’ll see an asterisk (*) appear in the display. This happens when the host doing the trace does not receive a reply to a probe packet in a timely fashion (typically two seconds, but you can generally specify the timeout). Suppose that your trace shows the first hop router (default gateway), and then it stops, something like this:

H1#trace ip 9.9.9.9

Type escape sequence to abort.

Tracing the route to 9.9.9.9

1 R1 (1.1.1.1)  1 msec  2 msec  1 msec

2 R1 (1.1.1.1)  !H  * !H

The “!H” is how a Cisco displays receipt of an ICMP “Host Unreachable” or “Network Unreachable” message, and it indicates that the first hop router doesn’t have a route to the target (MS Windows indicates this with “Destination host unreachable”). Possibilities include mistyping the target’s address, or problems with the routing protocol.

Another thing you might see is a trace working all the way to the last router (the target host’s default gateway), with asterisks beyond that until the maximum attempted hop count (typically thirty) is reached, like this:

H1#trace 4.4.4.9

Type escape sequence to abort.

Tracing the route to 4.4.4.9

1 R1 (1.1.1.1) 0 msec 4 msec 0 msec

2 R2 (2.2.2.2) 0 msec 4 msec 0 msec

3 R3 (3.3.3.3) 0 msec 4 msec 4 msec

4  *  *  *

{hops 5 through 29 appear here}

30  *  *  *

This likely indicates that the target host’s subnet exists, but the actual host does not (either there’s a typo in the IP address, or the host is turned off or otherwise unreachable). To abort a “trace to infinity” on a Cisco you do <CTRL><SHIFT><6>, and on a Microsoft host it’s <CTRL><C>.

Sometimes you’ll see a trace in which things work okay up to a point, and then it turns to asterisks. Assuming that routing is working correctly, it could be that either the probe packets or the returning ICMP “TTL Exceeded” message (TEM) packets are being filtered by a router or firewall access control list (ACL).

What if the trace shows things working fine up to a point, then one or more hops are asterisks, and then the trace shows the routers after that, like this?

H1#trace 6.6.6.6

Type escape sequence to abort.

Tracing the route to 6.6.6.6

1 R1 (1.1.1.1) 0 msec 4 msec 0 msec

2 R2 (2.2.2.2) 0 msec 4 msec 0 msec

3  *  *  *

4  *  *  *

5 R5 (5.5.5.5) 2 msec 5 msec 3 msec

6 H3 (6.6.6.6) 4 msec 5 msec 5 msec

What’s likely going on here is that R3 and R4 (at the asterisk hops) are not sending TEM packets when they discard the probes. This is permissible per RFC 1812 section 5.2.7.3, which says “A router MUST generate a Time Exceeded message Code 0 (In Transit) when it discards a packet due to an expired TTL field.  A router MAY have a per-interface option to disable origination of these messages on that interface, but that option MUST default to allowing the messages to be originated.” This might be done to hide an internetwork’s addressing scheme and topology.

Yet another possibility is that you’re tracing through an MPLS cloud, and you can see what’s on your side of the MPLS cloud up to the provider’s edge routers, and you can see the routers on the other side of the MPLS cloud, but the provider’s core routers don’t appear to exist. This could be the result of the provider has disabling “TTL Propagation” within the MPLS cloud.

1 Star2 Stars3 Stars4 Stars5 Stars (No Ratings Yet)
Loading...Loading...

One Comment »

  • Francis said:

    Thanks for the information.. !!!! Traceroute also helps when redistributing between protocols , if its mutual and there is a loop happend , we can use the same traceroute to find out the problem

Leave your response!

Add your comment below, or trackback from your own site. You can also subscribe to these comments via RSS.

Be nice. Keep it clean. Stay on topic. No spam.

You can use these tags:
<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>

This is a Gravatar-enabled weblog. To get your own globally-recognized-avatar, please register at Gravatar.