MX250 traceroute issues?

hmc250000
Getting noticed


We recently deployed a new MX250 but traceroute is not working properly on the appliance for some reason. Here is a traceroute; we don't see all the hops and see "Request timed out" for hops 1 and 3 from VPN clients to 8.8.8.8 through the MX. Hop 2 is its internal interface. All the other devices and neighbors show all the hops with traceroute.

 

Are we missing something on the MX? Do we need to enable ICMP somewhere in the firewall settings?

 

tracert -d 8.8.8.8

Tracing route to 8.8.8.8 over a maximum of 30 hops

1 * * * Request timed out.
2 9 ms 9 ms 11 ms 10.0.0.254
3 * * * Request timed out.
4 15 ms 15 ms 17 ms 185.225.39.124
5 16 ms 16 ms 23 ms 185.225.38.3
6 54 ms 23 ms 23 ms 188.32.118.39
7 18 ms 18 ms 17 ms 198.170.248.1
8 25 ms 16 ms 16 ms 198.170.237.205
9 16 ms 16 ms 16 ms 8.8.8.8

Trace complete.

 

 

And why is it not possible to traceroute from the internal interface (only the external interface) to other devices under tools?

 

 

2 Replies
Bruce
Kind of a big deal

It’s not uncommon to see ‘Request time out’ in a traceroute. As you suggest it’s the ICMP messages being dropped. The traceroute works by doing a ping, but with a limited hop count (which increases), but this relies on every device in the path responding to the ICMP messages - and some devices (that you don’t control) may be configured not to, but they will pass ICMP messages on to the next device.


I’d guess Meraki decided there is little point being able to traceroute from an internal interface as you’d normally understand your internal network, and wouldn’t need to discover a path - but that could be up for debate. If you think it’s needed then I’d make a wish.
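
As an added example (not part of the original thread or any Meraki tooling), this Python script parses the tracert output posted in the question and separates hops that stayed silent while later hops still answered from a trailing run of timeouts where nothing further replied. The function names and labels are assumptions made for this example.

```python
import re

# The tracert output copied from the question above.
SAMPLE = """\
Tracing route to 8.8.8.8 over a maximum of 30 hops

1 * * * Request timed out.
2 9 ms 9 ms 11 ms 10.0.0.254
3 * * * Request timed out.
4 15 ms 15 ms 17 ms 185.225.39.124
5 16 ms 16 ms 23 ms 185.225.38.3
6 54 ms 23 ms 23 ms 188.32.118.39
7 18 ms 18 ms 17 ms 198.170.248.1
8 25 ms 16 ms 16 ms 198.170.237.205
9 16 ms 16 ms 16 ms 8.8.8.8

Trace complete.
"""

HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")            # hop number, then the rest
ADDR_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})\s*$")  # IPv4 at end of line (-d output)

def parse_tracert(text):
    """Return [(hop, address_or_None, replies_received)] from `tracert -d` output."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue  # banner, blank line, or "Trace complete."
        rest = m.group(2)
        addr = ADDR_RE.search(rest)
        replies = len(re.findall(r"<?\d+ ms", rest))  # "*" means no reply to that probe
        hops.append((int(m.group(1)), addr.group(1) if addr else None, replies))
    return hops

def classify(hops):
    """Label each hop by whether it replied and whether anything beyond it replied."""
    last_reply = max((h for h, _, n in hops if n > 0), default=0)
    labels = {}
    for hop, _, replies in hops:
        if replies > 0:
            labels[hop] = "responded"
        elif hop < last_reply:
            labels[hop] = "silent-but-forwarding"  # later hops answered, so traffic passed
        else:
            labels[hop] = "no-reply-beyond"        # nothing at or after this hop answered
    return labels

def destination_reached(hops, target):
    """True if the final hop that was probed replied from the target address."""
    return bool(hops) and hops[-1][1] == target and hops[-1][2] > 0
```
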

 

hmc250000
Getting noticed

I'm confident that the request time outs have something to do with the Meraki appliance. Traceroute actually from the appliance is ok but the problem is with tracing from Meraki VPN clients through the appliance. All other devices can trace fine and show no request time outs. We see the exact same behavior on 2 appliances so far. I've opened a ticket with support and they acknowledged it and are seeing the same issue. 
