Solved

Cisco Traceroute returning unexpected IP source

Posted on 2013-11-14
6
608 Views
Last Modified: 2013-11-25
Hi i just wanted to clear up some confusion. I have the following setup in GNS3:

Diagram
Loopback interface off of R4 has two paths to loop back interface on router 1. Source 5.5.5.1 destination 65.0.0.1.

When i setup a traceroute with ONE probe count to 65.0.0.1 from interface lo1 on R4 it returns the following:
 1 4.4.4.1 28 msec
  2 1.1.1.1 52 msec

I understand why 4.4.4.1 would be returned but not sure why 1.1.1.1 is returned for the following hop? I would expect 2.2.2.1? Is R1 load balancing in reverse? I tried changing bandwidth on fa0/0 and fa0/1 on R1 so that fa0/1 is preferred.

Also when i issue the command where it sends 3 probes instead of one i get the following:

  1 4.4.4.1 28 msec
    3.3.3.1 28 msec
    4.4.4.1 20 msec
  2 1.1.1.1 48 msec
    2.2.2.1 48 msec
    1.1.1.1 36 msec

I believe traceroute is sending out multiple icmp ping paths due to multiple route paths in FIB. I am pretty sure that in the following 1a is the first hop and 2a is the second hop? Then 1b was second alternative path first hop and 2b is the second alternate path second hop? But again they return the opposite of what i would expect in both cases on the second hop?

 1 a.4.4.4.1 28 msec
    b. 3.3.3.1 28 msec
    c. 4.4.4.1 20 msec
  2 a. 1.1.1.1 48 msec
    b. 2.2.2.1 48 msec
    c. 1.1.1.1 36 msec

Thank you!
Cory
0
Comment
Question by:Psy4HA
  • 5
6 Comments
 

Author Comment

by:Psy4HA
ID: 39650042
Also, i did a debug ip packet and it seems the the icmp/trace packet route is coming back on the same link it came in but is just sourcing another interfaces ip address on the return?

in this example i pinged from 65.0.0.1 to 5.5.5.1 and got:
 1 2.2.2.2 24 msec
  2 3.3.3.2 48 msec

here is debug packet from r4:

*Mar  1 01:19:12.823: IP: s=2.2.2.1 (FastEthernet0/1), d=5.5.5.1, len 28, rcvd 0
*Mar  1 01:19:12.827:     UDP src=49232, dst=33435
*Mar  1 01:19:12.827: IP: tableid=0, s=3.3.3.2 (local), d=2.2.2.1 (FastEthernet0/0), routed via FIB
*Mar  1 01:19:12.831: IP: s=3.3.3.2 (local), d=2.2.2.1 (FastEthernet0/0), len 56, sending
*Mar  1 01:19:12.839:     ICMP type=3, code=3
0
 
LVL 57

Expert Comment

by:giltjr
ID: 39650056
Do you have multiple default routes in any of the routers?
0
 

Author Comment

by:Psy4HA
ID: 39650063
None of the routers have any manual routes set. All using eigrp.
0
Why You Should Analyze Threat Actor TTPs

After years of analyzing threat actor behavior, it’s become clear that at any given time there are specific tactics, techniques, and procedures (TTPs) that are particularly prevalent. By analyzing and understanding these TTPs, you can dramatically enhance your security program.

 

Author Comment

by:Psy4HA
ID: 39650066
here's r4 route table:
Gateway of last resort is not set

     1.0.0.0/24 is subnetted, 1 subnets
D       1.1.1.0 [90/307200] via 3.3.3.1, 00:28:37, FastEthernet0/1
     2.0.0.0/24 is subnetted, 1 subnets
D       2.2.2.0 [90/307200] via 4.4.4.1, 00:32:39, FastEthernet0/0
     3.0.0.0/24 is subnetted, 1 subnets
C       3.3.3.0 is directly connected, FastEthernet0/1
     4.0.0.0/24 is subnetted, 1 subnets
C       4.4.4.0 is directly connected, FastEthernet0/0
     65.0.0.0/24 is subnetted, 1 subnets
D       65.0.0.0 [90/435200] via 4.4.4.1, 00:32:39, FastEthernet0/0
                 [90/435200] via 3.3.3.1, 00:32:41, FastEthernet0/1
     5.0.0.0/24 is subnetted, 1 subnets
C       5.5.5.0 is directly connected, Loopback1



AND R1:
Gateway of last resort is not set

     1.0.0.0/24 is subnetted, 1 subnets
C       1.1.1.0 is directly connected, FastEthernet0/0
     2.0.0.0/24 is subnetted, 1 subnets
C       2.2.2.0 is directly connected, FastEthernet0/1
     3.0.0.0/24 is subnetted, 1 subnets
D       3.3.3.0 [90/307200] via 1.1.1.2, 00:28:55, FastEthernet0/0
     4.0.0.0/24 is subnetted, 1 subnets
D       4.4.4.0 [90/307200] via 2.2.2.2, 00:28:55, FastEthernet0/1
     65.0.0.0/24 is subnetted, 1 subnets
C       65.0.0.0 is directly connected, Loopback1
     5.0.0.0/24 is subnetted, 1 subnets
D       5.5.5.0 [90/435200] via 2.2.2.2, 00:28:56, FastEthernet0/1
                [90/435200] via 1.1.1.2, 00:28:56, FastEthernet0/0
0
 

Accepted Solution

by:
Psy4HA earned 0 total points
ID: 39664489
I understand now. read a good article about traceroute and how it works. It was sending 3 probes with ttl of 1. each time it went a different direction. Then on next hop sets ttl2 to and sends 3 probles,

http://blog.ine.com/2013/09/06/modifying-traceroute-replies/
0
 

Author Closing Comment

by:Psy4HA
ID: 39674168
Article answers the question.
0

Featured Post

Maximize Your Threat Intelligence Reporting

Reporting is one of the most important and least talked about aspects of a world-class threat intelligence program. Here’s how to do it right.

Join & Write a Comment

This article is a step by step guide on how to create a basic PTP link using Ubiquiti airOS devices. This guide can be used on the following Ubiquiti AirMAX devices. Nanostation, Bullets, AirBridge, Nanobeam, NanoBridge to name a few. Please review …
If you are thinking of adopting cloud services, or just curious as to what ‘the cloud’ can offer then the leader according to Gartner for Infrastructure as a Service (IaaS) is Amazon Web Services (AWS).  When I started using AWS I was completely new…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

757 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

18 Experts available now in Live!

Get 1:1 Help Now