next hop packet loss

Jim Ray jim at neuse.net
Wed Aug 8 23:39:12 UTC 2012


telnet www.checkpoint.com 80
GET / HTTP/1.1
Host: www.checkpoint.com

...resolved some information and then lost connection according to this
trailer from the screen scrape:

      <!-- Column 2 -->
      <div class="column">
        <!---  <h2><a
href="https://supportcenter.checkpoint.com/supportcenter/p
ortal?ev

Connection to host lost.

 Site resolves fine on Verizon network with my iPhone and not on Time
Warner network. Maybe Check Point is mad because my network is behind a
Sonic Wall and not their product.

Regards,

Jim Ray, President
Neuse River Networks
2 Davis Drive, PO Box 13169
Research Triangle Park, NC 27709
919-838-1672 x100
www.NeuseRiverNetworks.com



-----Original Message-----
From: wherrin at gmail.com [mailto:wherrin at gmail.com] On Behalf Of William
Herrin
Sent: Tuesday, August 07, 2012 10:51 AM
To: Jim Ray
Cc: nanog at nanog.org
Subject: Re: next hop packet loss

On Mon, Aug 6, 2012 at 11:27 AM, Jim Ray <jim at neuse.net> wrote:
> I have a Time Warner Business Class connection and am unable to reach 
> http://www.checkpoint.com to research product line I wish to carry. I 
> did a trace route and confirmed packets are past my network, Time 
> Warner network and onto next hop where they execute jump to nowhere 
> instruction.
> Here is the tracert just now (it has been failing for weeks):

That's an artifact of Checkpoint blocking pings. Note the difference
between ICMP and TCP-based traceroutes:

traceroute -I 216.200.241.66
traceroute to 216.200.241.66 (216.200.241.66), 30 hops max, 60 byte
packets
 1  sark.dirtside.com (70.182.189.216)  0.462 ms  0.494 ms  0.555 ms
 2  10.1.192.1 (10.1.192.1)  9.023 ms  9.197 ms  9.247 ms
 3  ip72-196-255-1.dc.dc.cox.net (72.196.255.1)  15.210 ms  15.497 ms
15.548 ms
 4  mrfddsrj01gex070003.rd.dc.cox.net (68.100.0.141)  13.594 ms
13.765 ms  13.817 ms
 5  68.1.4.139 (68.1.4.139)  14.752 ms  15.016 ms  14.951 ms
 6  ge-8-0-7.er2.iad10.us.above.net (64.125.12.241)  15.075 ms  9.565 ms
9.384 ms
 7  xe-5-1-0.cr2.dca2.us.above.net (64.125.29.77)  33.238 ms  26.629 ms
26.554 ms
 8  xe-2-2-0.cr2.iah1.us.above.net (64.125.30.53)  45.079 ms  45.230 ms
45.264 ms
 9  xe-0-3-0.cr2.lax112.us.above.net (64.125.30.50)  75.982 ms  76.212
ms  76.154 ms
10  xe-2-1-0.cr2.sjc2.us.above.net (64.125.26.30)  93.901 ms  94.044 ms
88.715 ms
11  xe-1-1-0.er2.sjc2.us.above.net (64.125.26.202)  88.542 ms  88.885 ms
90.094 ms
12  64.124.201.230.b709.above.net (64.124.201.230)  89.691 ms  89.060 ms
88.895 ms
13  * * *
14  * * *
15  * * *

traceroute -T -p 80 216.200.241.66
traceroute to 216.200.241.66 (216.200.241.66), 30 hops max, 60 byte
packets
 1  sark.dirtside.com (70.182.189.216)  0.487 ms  0.520 ms  0.568 ms
 2  10.1.192.1 (10.1.192.1)  20.018 ms  24.851 ms  25.144 ms
 3  ip72-196-255-1.dc.dc.cox.net (72.196.255.1)  25.415 ms  25.502 ms
25.591 ms
 4  mrfddsrj01gex070003.rd.dc.cox.net (68.100.0.141)  25.139 ms
25.178 ms  25.260 ms
 5  68.1.4.139 (68.1.4.139)  37.509 ms  37.437 ms  37.362 ms
 6  ge-5-3-0.mpr2.iad10.us.above.net (64.125.13.57)  91.097 ms  89.808
ms ge-8-0-7.er2.iad10.us.above.net (64.125.12.241)  24.078 ms
 7  xe-5-1-0.cr2.dca2.us.above.net (64.125.29.77)  26.324 ms  11.950 ms
12.477 ms
 8  xe-2-2-0.cr2.iah1.us.above.net (64.125.30.53)  74.680 ms  74.575 ms
74.355 ms
 9  xe-0-3-0.cr2.lax112.us.above.net (64.125.30.50)  76.781 ms  76.330
ms  76.118 ms
10  xe-2-1-0.cr2.sjc2.us.above.net (64.125.26.30)  100.310 ms  100.026
ms  98.495 ms
11  xe-1-1-0.er2.sjc2.us.above.net (64.125.26.202)  98.631 ms  93.570 ms
94.380 ms
12  64.124.201.230.b709.above.net (64.124.201.230)  94.420 ms  97.053 ms
95.015 ms
13  208.185.174.208 (208.185.174.208)  96.208 ms  96.541 ms  96.384 ms
14  www.checkpoint.com (216.200.241.66)  97.406 ms  97.534 ms  97.891 ms


Since you get all the way to the Checkpoint border, try some basic
diagnostics like:

telnet www.checkpoint.com 80
GET / HTTP/1.1
Host: www.checkpoint.com

Wait for the telnet to succeed before you type GET. Make sure you press
enter twice after the last line. You're hand-jamming an HTTP request.

If you don't connect then checkpoint is blocking your IP address for one
reason or another. Maybe there are hackers in your neighborhood.
Take it up with them by phone.

If you do connect but get no response to the "get" http request then
most likely checkpoint is blocking all ICMP packets and your path MTU is
smaller than 1500 bytes. The ICMP block prevents the fragmentation
needed message from reaching their web server, so it never figures out
it needs to shorten its packets. If, as a firewall company, they have
made this beginner mistake... 'nuff said.

And of course if you do get complete content back from the web server
then you have some other problem with your PC that's getting in the way.

Regards,
Bill Herrin



--
William D. Herrin ................ herrin at dirtside.com  bill at herrin.us
3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
Falls Church, VA 22042-3004




More information about the NANOG mailing list