Able to ping cannot traceroute an ospf network learnt over a P2P link

10-23-2019 07:50 AM

I have a scenario with 4 Juniper routers, 2 routers at each site.

Router A is connected to one ISP and learns a default route via BGP. Router C, connected to Router A at the same site, receives this default route from A, as BGP is injecting the default route into OSPF.

Router B is connected to the 2nd ISP and learns a default route via BGP. Router D, connected to Router B at the same site, receives this default route from B, as BGP is injecting the default route into OSPF.

I have a number of LAN ports on A and C / B and D which are polling the WAN ports on both A and B. In case of a WAN port going down, the other router connected to them quickly kicks in as primary.

My situation is that, as all routers are running OSPF, we are learning 2 default routes at each site to reroute traffic when ISP A or B goes down.

 

Issue: I have a DMZ server connected at each end to a switch port that connects to Router A and C. I am able to ping that router fine; however, I am unable to traceroute, telnet, SSH or HTTP onto the server at the other end. As multiple paths were available to go from Router D back to C and from C back to A, I have disabled asymmetric routing checks by

set security flow tcp-session no-syn-check

The problem I am still having is that I am unable to traceroute that device. Why is it that I am now able to ping, HTTP, telnet etc., but traceroute does not work?

 

[attached diagram: Network.jpg]

4 REPLIES

Re: Able to ping cannot traceroute an ospf network learnt over a P2P link

10-23-2019 09:45 AM

Hi, 

 

Depending on the client, traceroute most often uses UDP to high port numbers (>33434).

Do you also have UDP allowed through?

The other option is to force traceroute to use ICMP.

 

Cheers, 
Ashvin


Re: Able to ping cannot traceroute an ospf network learnt over a P2P link

10-24-2019 07:16 AM

I have done further troubleshooting on this. It appears traceroute from a PC on the same subnet works fine; however, if the traceroute is done from another SRX at the remote site, it fails as the VRRP backup router? Why is this such strange behaviour with traceroute?


Re: Able to ping cannot traceroute an ospf network learnt over a P2P link

10-26-2019 11:13 AM

The ping or trace may be auto-selecting an inappropriate IP address for the test. Try specifying the interface or IP address facing the egress towards the destination as the source for the trace/ping request.

 

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home

Re: Able to ping cannot traceroute an ospf network learnt over a P2P link

10-26-2019 10:29 PM

Hello,

 

By default, JUNOS selects the outgoing interface's IP as the source IP for traceroute. It is possible to override this with the "source-address" knob in the traceroute command.

Now, if you don't announce your link addresses to your ISP, then the ICMP Unreachable responses won't get back to your SRX.

Another possibility is if you override the traceroute source IP with the SRX's interface IP from the VRRP subnet, _AND_ you announce the VRRP subnet from both the VRRP backup and VRRP master routers, then when tracing from the VRRP backup, the ICMP Unreachable reply could get back to the VRRP master instead, depending on IGP metric, or in the case of ECMP, on how your ASBR selects one of the available ECMP paths back to the VRRP subnet.

Hope this makes sense.

HTH

Thx

Alex

_____________________________________________________________________

Please ask Your Juniper account team about Juniper Professional Services offerings.
Juniper PS can design, test & build the network/part of the network as per Your requirements

+++++++++++++++++++++++++++++++++++++++++++++

Accept as Solution = cool !
Accept as Solution+Kudo = You are a Star !
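The two explanations in this thread (Ashvin's: traceroute probes are UDP to high ports, so an ICMP-only policy blocks them; Alex's: the ICMP reply is routed back to the probe's source address, so an unannounced link address or a VRRP subnet preferred via the master means the backup never sees it) can be checked against a small model. The following is an added illustration written for this page, not code from the thread or from Juniper; the topology, addresses, metrics and policy strings are constructed, and the intermediate hop's route selection (longest prefix, then lowest metric) is a simplification of what a real ASBR or ISP router does.

```python
"""Model of why traceroute replies can fail to return to the router that sent the probe.

Constructed example: VRRP master M and backup B share 192.168.2.0/24 and each has its
own P2P uplink to U, the upstream hop that answers TTL=1 probes with ICMP time-exceeded.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

IPNet = ipaddress.IPv4Network
IPAddr = ipaddress.IPv4Address

TRACEROUTE_BASE_PORT = 33434  # classic UDP traceroute starts here, one port per probe


@dataclass(frozen=True)
class Route:
    prefix: IPNet
    via: str      # name of the router that advertised the prefix
    metric: int


class Router:
    """Interface addresses plus a RIB with longest-prefix / lowest-metric lookup."""

    def __init__(self, name: str, addresses: list) -> None:
        self.name = name
        self.addresses = {IPAddr(a) for a in addresses}
        self.rib: list = []

    def advertise_to(self, other: "Router", prefix: str, metric: int) -> None:
        """Install a route for `prefix` in `other`'s RIB that points back at this router."""
        other.rib.append(Route(IPNet(prefix), self.name, metric))

    def lookup(self, dst: IPAddr) -> Optional[Route]:
        matches = [r for r in self.rib if dst in r.prefix]
        if not matches:
            return None
        # longest prefix wins, ties broken by metric; equal metrics (ECMP) take the first installed
        return min(matches, key=lambda r: (-r.prefix.prefixlen, r.metric))


def udp_probe(src: str, dst: str, ttl: int) -> dict:
    """Classic UDP traceroute probe: TTL increments per hop and so does the destination port."""
    return {"proto": "udp", "src": IPAddr(src), "dst": IPAddr(dst),
            "ttl": ttl, "dport": TRACEROUTE_BASE_PORT + ttl - 1}


def policy_permits(probe: dict, policy: set) -> bool:
    """Outbound policy check. Entries are 'icmp' or 'udp:LOW-HIGH' (constructed rule syntax)."""
    if probe["proto"] == "icmp":
        return "icmp" in policy
    for rule in policy:
        if rule.startswith("udp:"):
            lo, hi = (int(x) for x in rule[4:].split("-"))
            if lo <= probe["dport"] <= hi:
                return True
    return False


def reply_receiver(hop: Router, probe: dict) -> Optional[str]:
    """The hop that expires the TTL sends ICMP time-exceeded to probe['src'];
    return the name of the router its RIB actually delivers that reply to."""
    route = hop.lookup(probe["src"])
    return route.via if route else None


def trace_succeeds(tracer: Router, hop: Router, src: str, dst: str, policy: set) -> bool:
    """True only if the first probe leaves and its ICMP reply lands on the tracing router."""
    probe = udp_probe(src, dst, ttl=1)
    if not policy_permits(probe, policy):
        return False  # probe never left: UDP high ports not permitted
    return reply_receiver(hop, probe) == tracer.name


def build_site():
    """Constructed topology: only the master's P2P link is announced to the upstream hop."""
    master = Router("master", ["192.168.2.2", "10.0.0.2"])
    backup = Router("backup", ["192.168.2.3", "10.0.1.2"])
    upstream = Router("upstream", ["10.0.0.1", "10.0.1.1"])
    master.advertise_to(upstream, "192.168.2.0/24", metric=10)   # VRRP subnet from both,
    backup.advertise_to(upstream, "192.168.2.0/24", metric=20)   # master has the better metric
    master.advertise_to(upstream, "10.0.0.0/30", metric=10)      # backup's 10.0.1.0/30 is NOT announced
    return master, backup, upstream


def scenarios() -> dict:
    master, backup, upstream = build_site()
    allow_all = {"icmp", "udp:33434-33534"}
    icmp_only = {"icmp"}
    dst = "203.0.113.9"  # constructed far-end address
    results = {
        # ping (ICMP) is permitted but the UDP probe is not: traceroute fails at the policy
        "backup_udp_blocked": trace_succeeds(backup, upstream, "10.0.1.2", dst, icmp_only),
        # default source = egress link IP, which is not announced: the reply has no route back
        "backup_default_src": trace_succeeds(backup, upstream, "10.0.1.2", dst, allow_all),
        # source-address set to the VRRP subnet IP: the reply follows the better metric to the master
        "backup_vrrp_src": trace_succeeds(backup, upstream, "192.168.2.3", dst, allow_all),
        # the same trace from the master works, which is the asymmetry the thread describes
        "master_vrrp_src": trace_succeeds(master, upstream, "192.168.2.2", dst, allow_all),
    }
    # remedy: announce the backup's link address; the default source now gets its reply back
    backup.advertise_to(upstream, "10.0.1.0/30", metric=10)
    results["backup_link_announced"] = trace_succeeds(backup, upstream, "10.0.1.2", dst, allow_all)
    return results


if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name:24s} {'reply received' if ok else 'no reply (* * *)'}")
```

Running the block prints one line per scenario; the three failing cases are the ones the replies above describe (UDP not permitted, egress link address not announced, VRRP subnet reply steered to the master), and the last case shows that announcing the backup's link address lets the default source selection work again.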