Solved

Routing, Traceroute, who's up for a challenge?

Posted on 2004-04-16
Last Modified: 2013-12-23
Let's say your internal subnet is 192.104.0.0, your default gateway to the Internet is 192.104.49.254. You seem to be able to run a trace to every other subnet in the world that allows it. In particular, on 168.166.0.0, you can trace to 168.166.24.0. You can trace to every subnet on 168.166.0.0 but one. When you try to run a trace to 168.166.51.0, the response you get makes it appear that 168.166.51.0 is inside your network. It never seems to hit our gateway 192.104.49.254.

Example: traceroute 168.166.24.65
replies:
    192.104.49.254   which is what I expect, my gateway, the first hop.
    208.46.83.62     gateway address on the router, this is good, and on to success.

Problem child example: traceroute 168.166.51.42
replies:
    168.166.51.42    this is not good.
    168.166.51.42    again
    168.166.51.42    and again repeatedly until it hits 30 hops and stops.

nslookup 168.166.51.42 returns a domain not found.
I can't ping 168.166.51.42, (destination net unreachable)  but I can ping the other 168.166.24.0.
I've examined the routing table on the servers and routers we control and find no trace of 168.166.51.42, or 168.166.51.0.  
Level 3 manages the router that connects us to the Internet.  They say that they can run a trace from the router to 168.166.51.42.  
I've added a static route to 168.166.51.42 on the gateway, still no luck.  
Who has suggestions on a cause and solution or troubleshooting tips?
0
Question by:mobot
10 Comments
 
LVL 61

Expert Comment

by:gheist
ID: 10847993
What is your router? It needs the change, not the workstations.
What is your netmask(s) ???
Addresses that are the first or last address in a subnet may not be routed - search Google for a description of smurf attacks.
0
 
LVL 10

Expert Comment

by:Mercantilum
ID: 10849924
nslookup and ping are not useful anyway on the Internet (since many IPs don't have the symmetric reverse information and ping is blocked by most firewalls).

The problem is local.

Since 192.* and 168.* are far away, and not even in the same class, this is really weird.

Some ideas (even if you checked already some points like routing tables) - as root - assuming you are not using IPv6:
- do a "netstat -r" and check the "default" again
- check your /etc/hosts file, and your named maps (grep) just in case...
   and localhost localhost.domain as well, are they primarily associated with IPv6 addresses?
- do a "ipchains -L" to check your internal firewall rules
- do a "arp -a" to check if for some reasons you could have this 168... IP linked to a mac addr
- check the router at 192.104.49.254 configuration, what is it by the way?
- just in case (hacking IP spoofing...) reset router, switch-hub(if any) and Linux NIC

Besides that, check if your Linux box needs some patches...

If none of this is successful please provide the output of the above commands.
0
 
LVL 10

Expert Comment

by:Mercantilum
ID: 10849935
Sorry Linux or Unix ... if this is not successful, please provide the output of the above command + router configuration.
0
 
LVL 61

Expert Comment

by:gheist
ID: 10850842
Let's say your internal subnet is 192.104.0.
Get off the internet, this is a violation of RFC1918.
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 10852393
From your machine where you used traceroute, please post IP, netmask, and result of: netstat -rn
0
 

Author Comment

by:mobot
ID: 10863564
This is IP4.
I searched for the string 168.166.51.42. The search came up with a hit in the file /proc/kcore. I've researched the file kcore and found out that it's a virtual file based on physical memory that holds an image of the kernel's memory, that it's not viewable, and that it's designed to be examined by a debugger, such as gdb. At one point I did set up a route to that subnet, which I've since deleted. The server's been rebooted. It didn't solve the problem. I ran ifconfig -a to check out the interfaces; they look normal, correct IP address, subnet, broadcast, etc.

I'm asking how you start the gdb debugger and how do you exit from it, from the command line?  I'd like to examine this kcore file.  Any thoughts on the kernel maybe having a fragment of this address still stuck in it? A bit of kernel corruption perhaps?

Mercantilum - netstat -r command checks out ok.
                   - hosts file checks out ok.
                   - arp -a 168.166.51.42 command returns no match found.
                   - router is managed by our ISP, they tell me it's ok, they can ping from the
                     router to the subnet.
                   - reset NIC  I've rebooted the server, that should reset the nic.
                   - reset router I'm going to turn it off and on to reset it this evening.
                   - I can ping and trace the subnet from the gateway\firewall server.
                   - I cannot ping or trace from a workstation on our internal subnet.

gheist - the router has been checked and appears to be working correctly.  I'm having trouble with one segment of the subnet 168.166.0.0, I can get to 168.166.24.0.  Both 168.166.51.42 and 168.166.24.66 are part of the same network within one business.
I think you've misread what I wrote, 192.104.0.0 is a violation of RFC1918 if used externally, or on the Internet. In this case this is an internal subnet.  You sound stressed, amigo.
0
 
LVL 10

Accepted Solution

by:
Mercantilum earned 500 total points
ID: 10863693
192.104.0.0/16  is a public network.
192.168.0.0/16  is private and should not be used externally.

At this point, what can we do... I remember some problems with traceroute on Solaris, maybe you can get a newer version, just in case.

Anyway, try this: get Ethereal, a free network analyzer, http://www.ethereal.com/
Start the capture and look at what happens exactly when you do traceroute.
You will see all packets, outgoing and incoming.
So, we'll know if your box gets any answer from "somebody" else...
0
 
LVL 61

Expert Comment

by:gheist
ID: 10863730
No wonder your search string was in memory image....(where else ???)

Problem child example: traceroute 168.166.51.42
replies:
    168.166.51.42    this is not good.
    168.166.51.42    again
    168.166.51.42    and again repeatedly until it hits 30 hops and stops.

It looks like your ping is routed via this address, and the router at this address has some problem in that it routes traffic it needs to pass on to its own loopback (standard routing table loaded or so).
Most likely it is already unreachable, or overloaded at least, due to wrong routes, so it needs to be attended to by a techie equipped with a serial cable.... :-)

Diagnostics are usually performed by telnetting to routers and pinging the next hop and past the next hop to see where it breaks, best from both ends !!!!

A whois lookup says you need to make a call to the helpdesk about the problem.

0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 10864216
please post facts, better than long descriptions ;-)
Please post IP, netmask, and result of: netstat -rn
0
 

Author Comment

by:mobot
ID: 10872005
Problem resolved. Firewall object was set up incorrectly. Deleted object, can now traceroute and ping.
Thanks to all for your suggestions.
Mercantilum - Ethereal led to MAC address on firewall, which led to firewall object that I deleted.
ahoffmann - I'll try to keep it short in the future.
gheist - I stand corrected on 192.104, you're right, I was wrong.



0
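The capture step from the accepted solution, and the MAC-address lead described in the closing comment, sketched as an added example that is not part of the original thread. It parses raw Ethernet frames and reports which local device is sourcing ICMP replies that claim an off-subnet address yet arrive with an undecremented TTL; the MAC address, the workstation address 192.104.10.5, the inventory and the TTL heuristic are all assumptions made for the illustration.

```python
import ipaddress
import struct

LOCAL_NET = ipaddress.ip_network("192.104.0.0/16")  # internal subnet from the question
INITIAL_TTLS = {64, 128, 255}                       # common initial TTL values
# Hypothetical inventory; the MAC is constructed, the thread gives none.
INVENTORY = {"00:11:22:33:44:01": "gateway/firewall 192.104.49.254"}

def build_frame(src_mac, src_ip, ttl, icmp_type):
    """Constructed Ethernet+IPv4+ICMP frame (checksums left at zero)."""
    eth = bytes(6) + bytes.fromhex(src_mac.replace(":", "")) + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, ttl, 1, 0,
                     ipaddress.ip_address(src_ip).packed,
                     ipaddress.ip_address("192.104.10.5").packed)  # assumed workstation
    return eth + ip + bytes([icmp_type, 0]) + bytes(6)

def parse_icmp_frame(frame):
    """Return (src_mac, src_ip, ip_ttl, icmp_type), or None if not IPv4 ICMP."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[14] >> 4 != 4:
        return None
    ihl = (frame[14] & 0x0F) * 4
    if ihl < 20 or frame[23] != 1 or len(frame) <= 14 + ihl:
        return None
    src_mac = ":".join(f"{b:02x}" for b in frame[6:12])
    return src_mac, ipaddress.ip_address(frame[26:30]), frame[22], frame[14 + ihl]

def on_link_impostors(frames):
    """Off-subnet source IP -> local device, for ICMP replies whose TTL was
    never decremented, meaning they were generated on this segment."""
    hits = {}
    for frame in frames:
        parsed = parse_icmp_frame(frame)
        if parsed is None:
            continue
        mac, ip, ttl, _icmp_type = parsed
        if ip not in LOCAL_NET and ttl in INITIAL_TTLS:
            hits[str(ip)] = INVENTORY.get(mac, f"unknown device {mac}")
    return hits

FW = "00:11:22:33:44:01"
SAMPLE = [  # constructed capture of traceroute replies seen at the workstation
    build_frame(FW, "192.104.49.254", 255, 11),  # hop 1: the real gateway
    build_frame(FW, "208.46.83.62", 254, 11),    # hop 2: forwarded, TTL decremented
    build_frame(FW, "168.166.51.42", 255, 11),   # "remote" host answering from on-link
]

if __name__ == "__main__":
    print(on_link_impostors(SAMPLE))
```

An off-subnet reply that still carries a full initial TTL never crossed a router, so the source MAC on that frame identifies the local device to inspect.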
