Red Hat Bugzilla – Bug 14696
traceroute: unreachable error (no response) from Cisco router (IOS v11.3-12.0(9))
Last modified: 2008-05-01 11:37:57 EDT
Traceroute rpm's for 6.0-6.2 are not compatable with Cisco router IOS v11.3-12.0(9). Router will not reply to UDP or ICMP(traceroute -I) requests. Systems on same segment running Debian or WinNT not having this problem. Have also found that Multinet's traceroute for VAX/VMS is also having same problem (for what it's worth). Other network utils functioning correctly. Downloaded traceroute (v1.4a5) from ftp.ee.lbl.gov and compiled on RH 6.2 box. This version does not use default UDP nor has a switch between the two protocols (UDP / ICMP). Traceroute works correctly for this build. -Walter
I can't reproduce this with several Cisco routers. Are you sure there aren't firewalls etc. hindering the communications? Some tcpdump output might help in diagnosing this too.
We have found that this is not a bug as supposed. A new rule was imposed at the router to block packet sizes >1460 (preventing PoD attacks). For some reason, the RedHat binary has a default value >1460, unlike most other distributions of linux. Debian binary has default set somewhere around 400-600. Why is RedHat's set so high?
Are you sure about that? My tests w/ tcpdump show that both UDP and ICMP traceroutes would seem to generate only about 10-12 bytes of data per packet, plus the normal headers. There was no significant difference w/ RH6.2 version and the one from ftp.ee.lbl.gov.
Scratch the previous comment. The large cutoff (>1460) concerned the VAX/VMS system. The RedHat problem arises due to a low cutoff rule that was imposed. No packet sizes under 39 bytes are allowed. I re-installed the rpm to verify this fact. traceroute xxx.xxx.xxx.xxx 38(default) 1 * * * traceroute xxx.xxx.xxx.xxx 39 works fine!
This rule (in the router) is gets false positives. Consider a default IP header, 20 bytes. Add e.g. UDP header, 8 bytes. And then 0-10 bytes of data, 28-38 bytes. A perfectly legal packet.