Red Hat Bugzilla – Bug 14696
traceroute: unreachable error (no response) from Cisco router (IOS v11.3-12.0(9))
Last modified: 2008-05-01 11:37:57 EDT
Traceroute rpm's for 6.0-6.2 are not compatible with Cisco router IOS v11.3-12.0(9). Router will not reply to UDP or ICMP (traceroute -I)
requests. Systems on same segment running Debian or WinNT not having this problem. Have also found that Multinet's traceroute for
VAX/VMS is also having same problem (for what it's worth). Other network utils functioning correctly.
Downloaded traceroute (v1.4a5) from ftp.ee.lbl.gov and compiled on RH 6.2 box. This version does not use default UDP nor has a switch
between the two protocols (UDP / ICMP). Traceroute works correctly for this build.
I can't reproduce this with several Cisco routers. Are you sure there aren't
firewalls etc. hindering the communications? Some tcpdump output might help
in diagnosing this too.
We have found that this is not a bug as supposed. A new rule was imposed at the router to block packet sizes >1460 (preventing PoD attacks). For
some reason, the RedHat binary has a default value >1460, unlike most other distributions of linux. Debian binary has default set somewhere around
400-600. Why is RedHat's set so high?
Are you sure about that? My tests w/ tcpdump show that both UDP and ICMP
seem to generate only about 10-12 bytes of data per packet, plus the normal
was no significant difference w/ RH6.2 version and the one from ftp.ee.lbl.gov.
Scratch the previous comment. The large cutoff (>1460) concerned the VAX/VMS system.
The RedHat problem arises due to a low cutoff rule that was imposed. No packet sizes under 39 bytes are allowed. I re-installed the rpm to verify this
traceroute xxx.xxx.xxx.xxx 38(default)
1 * * *
traceroute xxx.xxx.xxx.xxx 39
This rule (in the router) gets false positives.
Consider a default IP header, 20 bytes.
Add e.g. UDP header, 8 bytes.
And then 0-10 bytes of data, 28-38 bytes.
A perfectly legal packet.
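To make the size arithmetic in the last comment concrete, here is an added example (not code from the bug report or from traceroute itself) that builds a minimal IPv4 probe of a given on-wire length, the way traceroute's packet-length argument is meant, and evaluates the thread's "drop anything under 39 bytes" router rule against it. The 20-byte IP header, 8-byte UDP/ICMP headers, and the addresses and ports are assumptions chosen to match the sizes discussed; only the total length matters to the filter.

```python
import struct

IP_HDR = 20    # minimal IPv4 header, no options
UDP_HDR = 8    # src port, dst port, length, checksum
ICMP_HDR = 8   # echo request: type, code, checksum, id, seq

def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_probe(total_len: int, proto: str = "udp") -> bytes:
    """Return an IPv4 datagram whose total length is total_len bytes.

    total_len is the number traceroute takes on its command line
    (38 in the thread's default run, 39 in the run that got replies).
    Addresses and ports below are constructed placeholders.
    """
    hdr_len = IP_HDR + (UDP_HDR if proto == "udp" else ICMP_HDR)
    if total_len < hdr_len:
        raise ValueError("packet size below header length")
    data = bytes(total_len - hdr_len)          # 0..10 bytes for sizes 28..38
    if proto == "udp":
        # UDP checksum 0 is permitted in IPv4 (means "not computed")
        l4 = struct.pack("!HHHH", 33434, 33434, UDP_HDR + len(data), 0) + data
    else:
        l4 = struct.pack("!BBHHH", 8, 0, 0, 1, 1) + data
        l4 = l4[:2] + struct.pack("!H", checksum(l4)) + l4[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 1,
                     17 if proto == "udp" else 1, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return ip + l4

def min_size_filter_drops(packet: bytes, min_len: int = 39) -> bool:
    """Emulate the router rule from the thread: drop datagrams shorter than min_len."""
    total_len = struct.unpack("!H", packet[2:4])[0]
    return total_len < min_len

if __name__ == "__main__":
    for size in (28, 32, 38, 39):
        verdict = "dropped" if min_size_filter_drops(build_probe(size)) else "passed"
        print(f"{size:3d}-byte UDP probe: {verdict}")
```

Every size from 28 to 38 is a well-formed datagram with 0 to 10 bytes of payload, so a minimum-length rule at 39 rejects all of traceroute's default-sized probes while a rule at 28 (IP + UDP headers only) would still catch genuinely truncated packets.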