AIX ping is working, but traceroute is timing out

Hello,

I can ping servers, but for some of the servers, when I do traceroute timing out. Any reason?  Router is dropping the packet?
mokkanAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

David SankovskySenior SysAdminCommented:
It's very possible the some of the hops are configured to deny ICMP requests.
Ping only checks the last station not all the station that's on the way.
mokkanAuthor Commented:
Thank you very much. It means as long as Destination host is not denying the ICMP request, but some where in the middle packets are blocking?
David SankovskySenior SysAdminCommented:
indeed.

Each server along the route can either accept or block ping requests (Also known as ICMP requests).
to make sure, take one of the IPs your trace shows as a time out and ping it directly - you should get the same response.

I hope that helps :)
Learn Ruby Fundamentals

This course will introduce you to Ruby, as well as teach you about classes, methods, variables, data structures, loops, enumerable methods, and finishing touches.

woolmilkporcCommented:
AIX traceroute sends UDP probes and listens to ICMP responses.

Do you get any output from traceroute? How far does it get? The next hop after the last displayed hop is probably blocking the required UDP ports (see below), or it does not send ICMP replies.

Try adding the "-v" flag to make traceroute accept (and display) all responses, not only TIME_EXCEEDED and PORT_UNREACHABLE.

Or do you see nothing at all? In this case I'd assume that there is a firewall between you and the first hop.

traceroute depends on a reachable UDP port range of base (default 33434)  to (base + nhops - 1) at the destination host.

You can change the base with "-p new_base_port" in order to try another (maybe open) UDP port range.

Last option: You can try a different type of service ("-t" flag).

Afaik the only useful types are "-t 16" (low delay) and  "-t 8" (high throughput)
mokkanAuthor Commented:
Thank you very much guys.  Here is the output

# traceroute  -v 10.23.23.78
trying to get source for 10.23.23.78
source should be 10.23.23.50
traceroute to 10.23.23.78 (10.23.23.78) from 10.68.11.129 (10.68.11.129), 30 hops max
EMSGSIZE 32768
EMSGSIZE 32748
EMSGSIZE 17914
EMSGSIZE 17894
EMSGSIZE 16384
EMSGSIZE 16364
EMSGSIZE 8166
EMSGSIZE 8146
EMSGSIZE 4464
EMSGSIZE 4444
EMSGSIZE 4352
EMSGSIZE 4332
EMSGSIZE 2048
EMSGSIZE 2028
EMSGSIZE 2002
EMSGSIZE 1982
EMSGSIZE 1536
EMSGSIZE 1516
outgoing MTU = 1500
 1  * *
David SankovskySenior SysAdminCommented:
Well Both networks are on the 10.0.0.0\8 Segment - which means they are both internal.
I assume that these are two subnets in your company or one of them is your company and the other is another company which you access using IPSec VPN.

My question is, if you know you have ping to the end point, why do you need to check ping to mid-way hops?
In any case, if you really need to to have ICMP reponse from each and every server along the way, make sure that the server itself is configured not to deny ICMP requests and if it sits behind a firewall, make sure you have a rule that allows ICMP packets from 10.23.23.78 (or 10.23.23.0\24 or whatever your segment is) to the target machine.
woolmilkporcCommented:
If source and target are indeed in the same subnet try adding the  "-r" option:

traceroute -r -v 10.23.23.78

This bypasses the routing tables. It could be that your interface is not registered in the routing tables or blocked.
Are you able to reach any outside network at all?
David SankovskySenior SysAdminCommented:
woolmilkporc2015-06-18 at 07:52:11ID: 40837200
If source and target are indeed in the same subnet try adding the  "-r" option:

traceroute -r -v 10.23.23.78

This bypasses the routing tables. It could be that your interface is not registered in the routing tables or blocked.
Are you able to reach any outside network at all?

It's the same subnet by definition, the 10.0.0.0\8 is an internal subnet by definition, it can only be used in LANs.
Since the 2nd octate is different the company would need to configure it's network with a \8 subnet which a really bad practice - it's possible but highly not recommended. They could configure several \16 or better yet several \24 subnets - but then the sysadmin will have to make sure that they are configures properly to talk to each other.
woolmilkporcCommented:
Seems there is a second (real or virtual) NIC in your machine, owning the address 10.68.11.129.

For some reason traceroute advertises this address 10.68.11.129 as the destination for the ICMP replies while using 10.23.23.50 as the source address.
Please have a look at the routing table (netstat -r). Anything suspicious there?

Anyway, you can force traceroute to use a given address (which must be one of the machine's addresses, of course).
Not sure if this will really help, but please try:

netstat -v -s 10.23.23.50 10.23.23.78

@David Sankovsky: Who told you that the CIDR mask is "/8" ?
David SankovskySenior SysAdminCommented:
10.0.0.0\8 is a known Netowrk.
Basically any IP address beginning with 10 in the First octate can only be a LAN address. weather you configure it as a \8, a \16 or a \24 network doesn't change that,

https://en.wikipedia.org/wiki/Private_network#Private_IPv4_address_spaces
woolmilkporcCommented:
LAN or not, well known or not, you just can't know which CIDR mask is in use. The times of classful networks are long gone.
David SankovskySenior SysAdminCommented:
Quite True, but most companies still use \16 and \24 networks as they are easy to manage.

But let us not use this question to argue between ourselves and endeavor instead to help the original poster.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Unix OS

From novice to tech pro — start learning today.