MSU Listserv

Since I have been dealing with traceroute for the last couple days,
I thought it would be worth providing an update to this group.

If you do a traceroute from an off-campus source to an on-campus server
or other computer system with a static IP address, you may see several
lines of asterisks before the traceroute completes.  Also, the
traceroute may never complete if the target system is firewalled
(see note #2 below).

Here is an example, targeting one of the campus name servers from
off campus:

  traceroute to serv3.acns.msu.edu (35.8.98.43), 64 hops max, 72 byte packets
   1  robert-vlan503.aset.psu.edu (128.118.1.177)  0.589 ms  0.240 ms  0.210 ms
   2  192.168.1.149 (192.168.1.149)  0.521 ms  0.383 ms  0.364 ms
   3  172.30.255.62 (172.30.255.62)  0.524 ms  0.383 ms  0.365 ms
   4  147.73.1.32 (147.73.1.32)  4.733 ms  4.282 ms  4.211 ms
   5  wash-psc10G.layer3.nlr.net (192.88.115.165)  9.727 ms  9.592 ms  9.569 ms
   6  chic-wash-59.layer3.nlr.net (216.24.186.18)  27.512 ms  26.340 ms  26.217 ms
   7  ge-0-2-0x2087.aa1.mich.net (192.122.183.181)  28.136 ms  101.786 ms  28.541 ms
   8  tenge0-0-0-0x9.aa2.mich.net (198.108.22.185)  28.136 ms  28.082 ms
      tenge0-0-0-0x25.aa2.mich.net (198.108.22.148)  28.291 ms
   9  198.108.23.54 (198.108.23.54)  29.556 ms  30.067 ms  29.703 ms
  10  192.122.183.227 (192.122.183.227)  34.686 ms  39.852 ms  39.834 ms
  11  cc-t1-ge1-23.net.msu.edu (35.9.101.209)  40.147 ms  39.075 ms  39.991 ms
  12  * * *
  13  * * *
  14  serv3.cl.msu.edu (35.8.98.43)  30.374 ms  30.341 ms  30.323 ms

This will happen if the target system has a 35.8.x.x IP address.  At this
time, this behavior is NOT present if the target system has a 35.9.x.x IP
address.

This is an expected behavior, given our current implementation of campus
border routing and its integration with the border IPS systems.  We have
not identified any reasonable way of improving this situation at the
present time, so this should be considered the expected response for a
traceroute.

Note that the IP ranges which show this behavior may change, if we
need to rebalance the Internet traffic load across our IPS systems.

Other notes:

1.  Ping and traceroute from off-campus to DHCP (wired or wireless)
addresses will always fail beyond the campus border.  This includes
IPs in the 35.10.x.x, 35.11.x.x, 35.13.x.x, and 35.14.x.x ranges.
This is because the border firewall systems enforce the policy 
disallowing any inbound connections to DHCP wired or wireless systems.

2.  If the target system is firewalled, either via a physical firewall
or a software firewall, traceroute may never complete (lines of 
asterisks forever).  If you want to allow traceroute to complete
successfully, you should modify your firewalls to do one or both of
the following:

   a.  For "ping" and ICMP-based traceroute (e.g. Windows "tracert"),
   permit incoming ICMP Echo Request packets, and outgoing ICMP Echo
   Reply packets.

   b.  For UDP-based traceroute (UNIX default), permit incoming UDP
   packets with destination ports 33434 to 33534, and permit outgoing
   ICMP port unreachable packets (ICMP type 3).

Doug



On Wed, Jan 21, 2009 at 04:43:09PM -0500, Kramer, Jack wrote:

> Bingo - we had this problem with some emails a while ago and if you ran a traceroute from the originating mail server to our mailservers, it turned out that they were never making it past the IPS on the campus border.
> 
> In fact, I have an open helpdesk ticket now regarding that, though no one seems to be working on it...
> ----
> Jack Kramer
> Computer Systems Specialist
> University Relations, Michigan State University
> 517-884-1231

-- 


Doug Nelson, Network Manager	 |  [log in to unmask]
Academic Technology Services	 |  Ph: (517) 353-2980
Michigan State University	 |  http://www.msu.edu/~nelson/