anru
New Member
November 15, 2013
Question

Enable traceroute between interfaces

I configured several interfaces on my FG-600 with different subnets. From hosts of all subnets I can ping all hosts of other subnets, and other types of traffic are also OK, but when I try with the traceroute command it doesn't work (* * * *). Where's the problem? Thanks.


    RH2
    New Member
    November 19, 2013
    Add a policy allowing any ICMP service, or just the traceroute service, from each interface to the next interface you want to trace the traffic through. For example, we use internal, dmz, and wan interfaces with different subnets. We have a policy allowing the traceroute service from specific source addresses to destination addresses on the following interface pairs:
      • internal to dmz
      • internal to wan
      • dmz to internal
      • dmz to wan
      • wan to internal
      • wan to dmz
    We limit all source addresses for the traffic coming into the wan interface so only our external subnets can traceroute or even ping, but we allow traceroute and ping from our internal interface to "all" destination addresses so we can troubleshoot.
    anru (Author)
    New Member
    November 19, 2013
    I added the following policies to troubleshoot:
      • Interface A (any) -> Interface B (any), ALL protocols
      • Interface B (any) -> Interface A (any), ALL protocols
    From hosts of subnet A to hosts of subnet B ping is OK, but traceroute is KO! Why??
    AtiT
    New Member
    November 19, 2013
    Hi, enable logging on the default DENY policy. After that, try the traceroute. You should see some logs, allowed or denied, in the logs. Another step can be to sniff the packets. Let's say you have your machine with IP A.A.A.A from which you are trying the traceroute. Try the command:
      diagnose sniffer packet any 'host A.A.A.A' 4
    then try the traceroute. CTRL+C will stop the sniffer. If you have a lot of sessions on your A.A.A.A machine you can also include the remote machine that you are trying to find with traceroute. Let's say the remote machine IP is B.B.B.B; then the command is:
      diagnose sniffer packet any 'host A.A.A.A and host B.B.B.B' 4
    What are the results?
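The sniffer capture AtiT suggests only helps once you can read it, so here is an added example (my own, not code from this thread or from Fortinet) that classifies the lines such a capture produces. It rests on two facts about traceroute: the probes are UDP to ports 33434-33535 (Unix traceroute) or ICMP echo requests (Windows tracert), and every hop, the FortiGate included, must answer with an ICMP "time exceeded" error, with the final host answering "port unreachable" or "echo reply"; a "* * *" row means one of those replies never came back. The script counts probes and replies per direction and interface and turns the result into a verdict. The sample captures are constructed to resemble the tcpdump-like lines that "diagnose sniffer packet ... 4" prints (relative timestamp, interface, in/out, src -> dst, protocol); the exact layout of a real capture is an assumption, so adjust the regular expression if your FortiOS version formats lines differently. 10.1.1.5, 10.2.2.7 and the port names are invented.

```python
import re
from collections import Counter

# One sniffer line: "<seconds> <interface> in|out <src>[.<port>] -> <dst>[.<port>]: <info>"
# (assumed layout, modelled on the tcpdump-style output of "diagnose sniffer packet ... 4")
LINE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<intf>\S+)\s+(?P<dir>in|out)\s+"
    r"(?P<src>\S+)\s+->\s+(?P<dst>\S+):\s+(?P<info>.*)$"
)

# UDP port range used by classic traceroute probes
TRACEROUTE_PORTS = range(33434, 33536)

# Constructed capture 1: probes enter on port2 and are forwarded out port3
# (so a policy allows them), but no ICMP error ever comes back.
SAMPLE_BROKEN = """\
interfaces=[any]
filters=[host 10.1.1.5]
0.101001 port2 in 10.1.1.5.40001 -> 10.2.2.7.33434: udp 32
0.101050 port3 out 10.1.1.5.40001 -> 10.2.2.7.33434: udp 32
0.201001 port2 in 10.1.1.5.40002 -> 10.2.2.7.33435: udp 32
0.201050 port3 out 10.1.1.5.40002 -> 10.2.2.7.33435: udp 32
0.301001 port2 in 10.1.1.5.40003 -> 10.2.2.7.33436: udp 32
0.301050 port3 out 10.1.1.5.40003 -> 10.2.2.7.33436: udp 32
"""

# Constructed capture 2: the FortiGate (10.1.1.1) answers the TTL=1 probe itself,
# the TTL=2 probe reaches the target, and the target's "port unreachable" is
# forwarded back to the tracing host.
SAMPLE_OK = """\
interfaces=[any]
filters=[host 10.1.1.5]
0.101001 port2 in 10.1.1.5.40001 -> 10.2.2.7.33434: udp 32
0.101050 port2 out 10.1.1.1 -> 10.1.1.5: icmp: time exceeded in-transit
0.201001 port2 in 10.1.1.5.40002 -> 10.2.2.7.33435: udp 32
0.201050 port3 out 10.1.1.5.40002 -> 10.2.2.7.33435: udp 32
0.202000 port3 in 10.2.2.7 -> 10.1.1.5: icmp: 10.2.2.7 udp port 33435 unreachable
0.202050 port2 out 10.2.2.7 -> 10.1.1.5: icmp: 10.2.2.7 udp port 33435 unreachable
"""

VERDICTS = {
    "no-probes": "no traceroute probes reached the FortiGate: check the host and its inbound interface",
    "probes-dropped": "probes arrived but none were forwarded: check the policy and the denied-traffic logs",
    "no-replies": "probes were forwarded but no ICMP replies came back: the far side is not answering or the return path is blocked",
    "ok": "probes and ICMP replies pass in both directions",
}


def split_addr(addr):
    """Split 'a.b.c.d.port' into (ip, port); plain 'a.b.c.d' yields (ip, None)."""
    parts = addr.split(".")
    if len(parts) == 5:
        return ".".join(parts[:4]), int(parts[4])
    return addr, None


def classify(pkt):
    """Label a parsed line as a traceroute probe, a hop/target reply, or other."""
    info = pkt["info"]
    _, dport = split_addr(pkt["dst"])
    if info.startswith("udp") and dport in TRACEROUTE_PORTS:
        return "probe"                      # Unix-style UDP probe
    if info.startswith("icmp: echo request"):
        return "probe"                      # Windows tracert / ICMP traceroute
    if "time exceeded" in info or "unreachable" in info or info.startswith("icmp: echo reply"):
        return "reply"                      # what each hop or the target sends back
    return "other"


def analyze(capture):
    """Count probes and replies by direction/interface and return a summary dict."""
    counts = Counter()
    for line in capture.splitlines():
        m = LINE.match(line)
        if not m:
            continue                        # header lines such as "interfaces=[any]"
        pkt = m.groupdict()
        kind = classify(pkt)
        if kind == "other":
            continue
        counts[(kind, pkt["dir"])] += 1
        counts[(kind, pkt["dir"], pkt["intf"])] += 1

    summary = {
        "probes_in": counts[("probe", "in")],
        "probes_out": counts[("probe", "out")],
        "replies_in": counts[("reply", "in")],
        "replies_out": counts[("reply", "out")],
        "per_interface": {k[2] + "/" + k[1] + "/" + k[0]: v for k, v in counts.items() if len(k) == 3},
    }
    if summary["probes_in"] == 0:
        verdict = "no-probes"
    elif summary["probes_out"] == 0 and summary["replies_out"] == 0:
        verdict = "probes-dropped"
    elif summary["replies_in"] == 0 and summary["replies_out"] == 0:
        verdict = "no-replies"
    else:
        verdict = "ok"
    summary["verdict"] = verdict
    summary["hint"] = VERDICTS[verdict]
    return summary


if __name__ == "__main__":
    import sys
    # Run over a real capture with: diagnose sniffer output piped via stdin
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_BROKEN
    for key, value in analyze(text).items():
        print(f"{key}: {value}")
```

The verdict is deliberately coarse: at verbosity 4 the sniffer shows only packet headers, so a single ICMP error cannot be matched to the probe that triggered it. What the counts do tell you is which side of the firewall the conversation stops on, which is the question AtiT's capture is meant to answer before anyone touches the policy again.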