next hop packet loss
Jim Ray
jim at neuse.net
Wed Aug 8 23:39:12 UTC 2012
telnet www.checkpoint.com 80
GET / HTTP/1.1
Host: www.checkpoint.com
...resolved some information and then lost connection according to this
trailer from the screen scrape:
<!-- Column 2 -->
<div class="column">
<!--- <h2><a
href="https://supportcenter.checkpoint.com/supportcenter/p
ortal?ev
Connection to host lost.
Site resolves fine on Verizon network with my iPhone and not on Time
Warner network. Maybe Check Point is mad because my network is behind a
Sonic Wall and not their product.
Regards,
Jim Ray, President
Neuse River Networks
2 Davis Drive, PO Box 13169
Research Triangle Park, NC 27709
919-838-1672 x100
www.NeuseRiverNetworks.com
-----Original Message-----
From: wherrin at gmail.com [mailto:wherrin at gmail.com] On Behalf Of William
Herrin
Sent: Tuesday, August 07, 2012 10:51 AM
To: Jim Ray
Cc: nanog at nanog.org
Subject: Re: next hop packet loss
On Mon, Aug 6, 2012 at 11:27 AM, Jim Ray <jim at neuse.net> wrote:
> I have a Time Warner Business Class connection and am unable to reach
> http://www.checkpoint.com to research product line I wish to carry. I
> did a trace route and confirmed packets are past my network, Time
> Warner network and onto next hop where they execute jump to nowhere
> instruction.
> Here is the tracert just now (it has been failing for weeks):
That's an artifact of Checkpoint blocking pings. Note the difference
between ICMP and TCP-based traceroutes:
traceroute -I 216.200.241.66
traceroute to 216.200.241.66 (216.200.241.66), 30 hops max, 60 byte
packets
1 sark.dirtside.com (70.182.189.216) 0.462 ms 0.494 ms 0.555 ms
2 10.1.192.1 (10.1.192.1) 9.023 ms 9.197 ms 9.247 ms
3 ip72-196-255-1.dc.dc.cox.net (72.196.255.1) 15.210 ms 15.497 ms
15.548 ms
4 mrfddsrj01gex070003.rd.dc.cox.net (68.100.0.141) 13.594 ms
13.765 ms 13.817 ms
5 68.1.4.139 (68.1.4.139) 14.752 ms 15.016 ms 14.951 ms
6 ge-8-0-7.er2.iad10.us.above.net (64.125.12.241) 15.075 ms 9.565 ms
9.384 ms
7 xe-5-1-0.cr2.dca2.us.above.net (64.125.29.77) 33.238 ms 26.629 ms
26.554 ms
8 xe-2-2-0.cr2.iah1.us.above.net (64.125.30.53) 45.079 ms 45.230 ms
45.264 ms
9 xe-0-3-0.cr2.lax112.us.above.net (64.125.30.50) 75.982 ms 76.212
ms 76.154 ms
10 xe-2-1-0.cr2.sjc2.us.above.net (64.125.26.30) 93.901 ms 94.044 ms
88.715 ms
11 xe-1-1-0.er2.sjc2.us.above.net (64.125.26.202) 88.542 ms 88.885 ms
90.094 ms
12 64.124.201.230.b709.above.net (64.124.201.230) 89.691 ms 89.060 ms
88.895 ms
13 * * *
14 * * *
15 * * *
traceroute -T -p 80 216.200.241.66
traceroute to 216.200.241.66 (216.200.241.66), 30 hops max, 60 byte
packets
1 sark.dirtside.com (70.182.189.216) 0.487 ms 0.520 ms 0.568 ms
2 10.1.192.1 (10.1.192.1) 20.018 ms 24.851 ms 25.144 ms
3 ip72-196-255-1.dc.dc.cox.net (72.196.255.1) 25.415 ms 25.502 ms
25.591 ms
4 mrfddsrj01gex070003.rd.dc.cox.net (68.100.0.141) 25.139 ms
25.178 ms 25.260 ms
5 68.1.4.139 (68.1.4.139) 37.509 ms 37.437 ms 37.362 ms
6 ge-5-3-0.mpr2.iad10.us.above.net (64.125.13.57) 91.097 ms 89.808
ms ge-8-0-7.er2.iad10.us.above.net (64.125.12.241) 24.078 ms
7 xe-5-1-0.cr2.dca2.us.above.net (64.125.29.77) 26.324 ms 11.950 ms
12.477 ms
8 xe-2-2-0.cr2.iah1.us.above.net (64.125.30.53) 74.680 ms 74.575 ms
74.355 ms
9 xe-0-3-0.cr2.lax112.us.above.net (64.125.30.50) 76.781 ms 76.330
ms 76.118 ms
10 xe-2-1-0.cr2.sjc2.us.above.net (64.125.26.30) 100.310 ms 100.026
ms 98.495 ms
11 xe-1-1-0.er2.sjc2.us.above.net (64.125.26.202) 98.631 ms 93.570 ms
94.380 ms
12 64.124.201.230.b709.above.net (64.124.201.230) 94.420 ms 97.053 ms
95.015 ms
13 208.185.174.208 (208.185.174.208) 96.208 ms 96.541 ms 96.384 ms
14 www.checkpoint.com (216.200.241.66) 97.406 ms 97.534 ms 97.891 ms
Since you get all the way to the Checkpoint border, try some basic
diagnostics like:
telnet www.checkpoint.com 80
GET / HTTP/1.1
Host: www.checkpoint.com
Wait for the telnet to succeed before you type GET. Make sure you press
enter twice after the last line. You're hand-jamming an HTTP request.
If you don't connect then checkpoint is blocking your IP address for one
reason or another. Maybe there are hackers in your neighborhood.
Take it up with them by phone.
If you do connect but get no response to the "get" http request then
most likely checkpoint is blocking all ICMP packets and your path MTU is
smaller than 1500 bytes. The ICMP block prevents the fragmentation
needed message from reaching their web server, so it never figures out
it needs to shorten its packets. If, as a firewall company, they have
made this beginner mistake... 'nuff said.
And of course if you do get complete content back from the web server
then you have some other problem with your PC that's getting in the way.
Regards,
Bill Herrin
--
William D. Herrin ................ herrin at dirtside.com bill at herrin.us
3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
Falls Church, VA 22042-3004
More information about the NANOG
mailing list