Traceroute From Appliance Shows Only the Address Being Traced and Not Routers
03/26/2020
DESCRIPTION: Traceroute From Appliance Shows Only the Address Being Traced and Not Routers
It was noticed that while running a traceroute from an EX SSL-VPN appliance to a server, every hop reported the destination address rather than an intermediate router, as shown below:
aventailnodeA:~# traceroute kaveri.everest.com
traceroute to kaveri.everest.com (10.2.2.21), 30 hops max, 38 byte packets
 1  10.2.2.21 (10.2.2.21)  8.659 ms  1.717 ms  2.103 ms
 2  10.2.2.21 (10.2.2.21)  0.468 ms  0.295 ms  0.304 ms
 3  10.2.2.21 (10.2.2.21)  0.720 ms  0.544 ms  0.913 ms
 4  10.2.2.21 (10.2.2.21)  1.005 ms !A  *  0.996 ms !A
The traceroute above can lead to the assumption that the NIC of the appliance is malfunctioning, because the host being traced is what appears at every hop.
Notice, however, that the last hop reports !A, which means the trace is being authoritatively prohibited.
Capturing a packet trace from the appliance shows the following:
From the above figure you can see that there is no answer from the next hop device for the UDP packet generated by traceroute.
In this case, support found that ICMP inspection was disabled on the PIX firewall between the appliance and the backend server. ICMP inspection is a feature of Cisco IOS 7. Enabling ICMP inspection allows traceroute to function normally.
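To tell this firewall symptom apart from a genuine NIC or routing fault, the traceroute output can be parsed and classified. The following is an added example, not part of the original article or the appliance software; the sample trace is constructed to mirror the output quoted above, and the classification labels are the author's own.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample modelled on the output quoted in the article (not captured from a live appliance).
SAMPLE = """traceroute to kaveri.everest.com (10.2.2.21), 30 hops max, 38 byte packets
 1  10.2.2.21 (10.2.2.21)  8.659 ms  1.717 ms  2.103 ms
 2  10.2.2.21 (10.2.2.21)  0.468 ms  0.295 ms  0.304 ms
 3  10.2.2.21 (10.2.2.21)  0.720 ms  0.544 ms  0.913 ms
 4  10.2.2.21 (10.2.2.21)  1.005 ms !A  *  0.996 ms !A
"""

HEADER_RE = re.compile(r"traceroute to \S+ \((\d+(?:\.\d+){3})\)")
HOP_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((\d+(?:\.\d+){3})\)(.*)$")
TIMEOUT_RE = re.compile(r"^\s*(\d+)\s+(\*\s*)+$")

@dataclass
class Hop:
    ttl: int
    addr: Optional[str]                                   # None when every probe at this TTL timed out
    annotations: list = field(default_factory=list)       # traceroute markers such as "!A"

def parse_traceroute(text: str):
    """Return (destination_ip, hops) parsed from traceroute's text output."""
    dest, hops = None, []
    for line in text.splitlines():
        if m := HEADER_RE.search(line):
            dest = m.group(1)
        elif m := HOP_RE.match(line):
            ttl, _name, addr, rest = m.groups()
            hops.append(Hop(int(ttl), addr, re.findall(r"!\w", rest)))
        elif m := TIMEOUT_RE.match(line):
            hops.append(Hop(int(m.group(1)), None))
    return dest, hops

def diagnose(text: str) -> str:
    """Classify a trace. '!A' is traceroute's marker for ICMP type 3 code 13
    (communication administratively prohibited): a filtering device answered
    the probe instead of the host it was addressed to."""
    dest, hops = parse_traceroute(text)
    if dest is None or not hops:
        return "unparseable"
    answered = [h for h in hops if h.addr]
    if not answered:
        return "no-response"
    admin_prohibited = any("!A" in h.annotations for h in hops)
    if all(h.addr == dest for h in answered) and admin_prohibited:
        # Every TTL is "answered" by the destination address and the trace is
        # administratively prohibited: the article traces this to ICMP handling
        # on an in-path firewall, not to the appliance NIC.
        return "icmp-filtered"
    return "normal" if answered[-1].addr == dest else "incomplete"
```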