Problems with MTR (traceroute) through a PIX

Discussion in 'Cisco' started by jlamanna, Feb 19, 2006.

  1. jlamanna

    jlamanna Guest

    So I've noticed the following interesting problem when trying to
    traceroute through a PIX 515E (7.0).
    I received the ICMP time exceeded packets back to my host, but the
    traceroute program I'm using (mtr) rejects them because the ID field in
    the returned ICMP header has been mangled!


    12:56:51.175408 IP (tos 0x0, ttl 2, id 5653, offset 0, flags [none],
    length: 64) > icmp
    44: echo request
    0x0000: 4500 0040 1615 0000 0201 feaf 0a14 020f E..@............
    0x0010: 4511 52c5 0800 06e9 c616 2b00 0000 0000 E.R.......+.....
    0x0020: 0000 0000 0000 0000 0000 0000 0000 0000 ................
    0x0030: 0000 0000 0000 0000 0000 0000 0000 0000 ................
    12:56:51.179808 IP (tos 0x0, ttl 254, id 0, offset 0, flags [none],
    length: 56) Loopback0.GW1.LAX1.ALTER.NET > icmp 36: time
    exceeded in-trans
    0x0000: 4500 0038 0000 0000 fe01 2517 8927 0264 E..8......%..'.d
    0x0010: 0a14 020f 0b00 f4ff 0000 0000 4500 0040 ............E..@
    0x0020: 1615 0000 0101 f134 41d3 d8ca 4511 52c5 .......4A...E.R.
    0x0030: 0800 ccda 0025 2b00 .....%+.

    So the format of the ICMP time exceeded message should be:
    <IP Header> <0x0b (type 11)> <code> <checksum> 0x00000000
    <echo request IP header> <echo request ICMP header>

    Now if you look, the ICMP echo request has an ICMP header of:
    type: 0x08 (echo request)
    code: 0x00
    checksum: 0x06e9
    id: 0xc616
    seq: 0x2b00

    Now the time-exceeded response should have the same exact thing in the
    last 64 bits of the packet, but it has:
    type: 0x08
    code: 0x00
    checksum: 0xccda
    id: 0x0025
    seq: 0x2b00

    So the id gets mangled somehow (which also screws up the checksum).
    mtr checks to see if the id of the response matches the echo request,
    so all these packets get dropped, and I get no traceroute results.

    This only occurs when tracerouting through the PIX; traceroutes inside
    the PIX work fine.

    Has anyone else seen this behavior?


    -- James
    jlamanna, Feb 19, 2006
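
The comparison described in the post above, as an added example that is not part of the original thread: it parses the two captured packets (bytes transcribed from the hex dumps), pulls the echo header quoted inside the time exceeded message, and checks it against the request the way an id-matching traceroute tool would. The function names are this example's own, and the incremental checksum check (RFC 1624) goes one step beyond the post.

```python
import struct

# Bytes transcribed from the tcpdump hex dumps in the post above.
ECHO_REQUEST = bytes.fromhex(
    "4500004016150000" "0201feaf0a14020f" "451152c5080006e9" "c6162b00"
    + "00" * 36)
TIME_EXCEEDED = bytes.fromhex(
    "4500003800000000fe01251789270264"
    "0a14020f0b00f4ff0000000045000040"
    "161500000101f13441d3d8ca451152c5"
    "0800ccda00252b00")

def icmp_header(packet):
    """Return (type, code, checksum, id, seq) of the ICMP header after the IP header."""
    ihl = (packet[0] & 0x0F) * 4          # IP header length in bytes
    if len(packet) < ihl + 8:
        raise ValueError("packet too short for an ICMP header")
    return struct.unpack("!BBHHH", packet[ihl:ihl + 8])

def quoted_echo(error_packet):
    """Return the echo header quoted inside an ICMP time exceeded (type 11) message."""
    ihl = (error_packet[0] & 0x0F) * 4
    if error_packet[ihl] != 11:
        raise ValueError("not a time exceeded message")
    # Skip type, code, checksum and the 4 unused bytes; the original datagram follows.
    return icmp_header(error_packet[ihl + 8:])

def incremental_checksum(old_sum, old_word, new_word):
    """RFC 1624 update: HC' = ~(~HC + ~m + m') in one's complement arithmetic."""
    total = (~old_sum & 0xFFFF) + (~old_word & 0xFFFF) + new_word
    total = (total & 0xFFFF) + (total >> 16)
    total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def compare(request, error):
    """Compare the sent echo header with the one quoted in the ICMP error."""
    _, _, sent_sum, sent_id, sent_seq = icmp_header(request)
    _, _, quoted_sum, quoted_id, quoted_seq = quoted_echo(error)
    return {
        "id_matches": sent_id == quoted_id,
        "seq_matches": sent_seq == quoted_seq,
        # True when the quoted checksum is exactly what rewriting only the id yields.
        "checksum_fits_rewrite":
            incremental_checksum(sent_sum, sent_id, quoted_id) == quoted_sum,
    }

if __name__ == "__main__":
    print(compare(ECHO_REQUEST, TIME_EXCEEDED))
```

On this capture the id differs, the sequence number matches, and the quoted checksum 0xccda is exactly the incremental update of 0x06e9 for the id change 0xc616 to 0x0025, which is consistent with the id having been rewritten and the checksum adjusted to match rather than with random corruption.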

  2. jlamanna

    Merv Guest

    You should open a case with the Cisco TAC.
    Merv, Feb 19, 2006