next hop packet loss
William Herrin
bill at herrin.us
Tue Aug 7 14:50:43 UTC 2012
On Mon, Aug 6, 2012 at 11:27 AM, Jim Ray <jim at neuse.net> wrote:
> I have a Time Warner Business Class connection and am unable to reach
> http://www.checkpoint.com to research product line I wish to carry. I
> did a trace route and confirmed packets are past my network, Time Warner
> network and onto next hop where they execute jump to nowhere
> instruction.
> Here is the tracert just now (it has been failing for weeks):
That's an artifact of Checkpoint blocking pings. Note the difference
between ICMP and TCP-based traceroutes:
traceroute -I 216.200.241.66
traceroute to 216.200.241.66 (216.200.241.66), 30 hops max, 60 byte packets
1 sark.dirtside.com (70.182.189.216) 0.462 ms 0.494 ms 0.555 ms
2 10.1.192.1 (10.1.192.1) 9.023 ms 9.197 ms 9.247 ms
3 ip72-196-255-1.dc.dc.cox.net (72.196.255.1) 15.210 ms 15.497 ms 15.548 ms
4 mrfddsrj01gex070003.rd.dc.cox.net (68.100.0.141) 13.594 ms
13.765 ms 13.817 ms
5 68.1.4.139 (68.1.4.139) 14.752 ms 15.016 ms 14.951 ms
6 ge-8-0-7.er2.iad10.us.above.net (64.125.12.241) 15.075 ms 9.565
ms 9.384 ms
7 xe-5-1-0.cr2.dca2.us.above.net (64.125.29.77) 33.238 ms 26.629
ms 26.554 ms
8 xe-2-2-0.cr2.iah1.us.above.net (64.125.30.53) 45.079 ms 45.230
ms 45.264 ms
9 xe-0-3-0.cr2.lax112.us.above.net (64.125.30.50) 75.982 ms 76.212
ms 76.154 ms
10 xe-2-1-0.cr2.sjc2.us.above.net (64.125.26.30) 93.901 ms 94.044
ms 88.715 ms
11 xe-1-1-0.er2.sjc2.us.above.net (64.125.26.202) 88.542 ms 88.885
ms 90.094 ms
12 64.124.201.230.b709.above.net (64.124.201.230) 89.691 ms 89.060
ms 88.895 ms
13 * * *
14 * * *
15 * * *
traceroute -T -p 80 216.200.241.66
traceroute to 216.200.241.66 (216.200.241.66), 30 hops max, 60 byte packets
1 sark.dirtside.com (70.182.189.216) 0.487 ms 0.520 ms 0.568 ms
2 10.1.192.1 (10.1.192.1) 20.018 ms 24.851 ms 25.144 ms
3 ip72-196-255-1.dc.dc.cox.net (72.196.255.1) 25.415 ms 25.502 ms 25.591 ms
4 mrfddsrj01gex070003.rd.dc.cox.net (68.100.0.141) 25.139 ms
25.178 ms 25.260 ms
5 68.1.4.139 (68.1.4.139) 37.509 ms 37.437 ms 37.362 ms
6 ge-5-3-0.mpr2.iad10.us.above.net (64.125.13.57) 91.097 ms 89.808
ms ge-8-0-7.er2.iad10.us.above.net (64.125.12.241) 24.078 ms
7 xe-5-1-0.cr2.dca2.us.above.net (64.125.29.77) 26.324 ms 11.950
ms 12.477 ms
8 xe-2-2-0.cr2.iah1.us.above.net (64.125.30.53) 74.680 ms 74.575
ms 74.355 ms
9 xe-0-3-0.cr2.lax112.us.above.net (64.125.30.50) 76.781 ms 76.330
ms 76.118 ms
10 xe-2-1-0.cr2.sjc2.us.above.net (64.125.26.30) 100.310 ms 100.026
ms 98.495 ms
11 xe-1-1-0.er2.sjc2.us.above.net (64.125.26.202) 98.631 ms 93.570
ms 94.380 ms
12 64.124.201.230.b709.above.net (64.124.201.230) 94.420 ms 97.053
ms 95.015 ms
13 208.185.174.208 (208.185.174.208) 96.208 ms 96.541 ms 96.384 ms
14 www.checkpoint.com (216.200.241.66) 97.406 ms 97.534 ms 97.891 ms
Since you get all the way to the Checkpoint border, try some basic
diagnostics like:
telnet www.checkpoint.com 80
GET / HTTP/1.1
Host: www.checkpoint.com
Wait for the telnet to succeed before you type GET. Make sure you
press enter twice after the last line. You're hand-jamming an HTTP
request.
If you don't connect then checkpoint is blocking your IP address for
one reason or another. Maybe there are hackers in your neighborhood.
Take it up with them by phone.
If you do connect but get no response to the "get" http request then
most likely checkpoint is blocking all ICMP packets and your path MTU
is smaller than 1500 bytes. The ICMP block prevents the fragmentation
needed message from reaching their web server, so it never figures out
it needs to shorten its packets. If, as a firewall company, they have
made this beginner mistake... 'nuff said.
And of course if you do get complete content back from the web server
then you have some other problem with your PC that's getting in the
way.
Regards,
Bill Herrin
--
William D. Herrin ................ herrin at dirtside.com bill at herrin.us
3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
Falls Church, VA 22042-3004
More information about the NANOG
mailing list