[66071] in North American Network Operators' Group


RE: Trace and Ping with Record Option on Cisco Routers

daemon@ATHENA.MIT.EDU (Danny.Andaluz@triaton-na.com)
Tue Dec 23 09:28:11 2003

From: Danny.Andaluz@triaton-na.com
To: crist.clark@globalstar.com
Cc: nanog@merit.edu
Date: Tue, 23 Dec 2003 09:30:31 -0500
Errors-To: owner-nanog-outgoing@merit.edu


That's exactly it, Crist.  I did a little research and found that the PIX drops
any packets with IP Options turned on.  Currently there is no workaround.
This is IP Option 7 to be exact.

Thanks,
Danny

-----Original Message-----
From: Crist Clark [mailto:crist.clark@globalstar.com] 
Sent: Monday, December 22, 2003 6:18 PM
To: Andaluz, Danilo, Triaton/NA
Cc: nanog@merit.edu
Subject: Re: Trace and Ping with Record Option on Cisco Routers


> Danny.Andaluz@triaton-na.com wrote:
> 
> Hey, Group.
> 
> In my production network, I'm trying to do some extended traces and 
> pings with the record option turned on to see what route my packets 
> take going and returning.  It's not working.  If I do the extended 
> traceroute or ping without the record option, it works fine.  There is 
> a firewall (PIX) a few hops in front of the destination I'm trying to 
> record the route for.  What part of ICMP is this that needs to be 
> opened on the firewall to allow this to come back?  First time I'm 
> coming across this.

It's not ICMP. It's the IP Options. Most firewalls will drop any packet with
IP Options. Many firewalls will not let you turn this off. I do not know
how to allow IP Options through a PIX, but I know how to do it in Cisco IOS.
-- 
Crist J. Clark                               crist.clark@globalstar.com
Globalstar Communications                                (408) 933-4387
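
The following is an added illustration, not part of either poster's message or any vendor's code: it parses the options area of an IPv4 header and models the "drop anything carrying IP options" policy described in the thread, using option type 7 (Record Route) as the case in point. The function names, the sample headers and the documentation-range addresses are all constructed for this example.

```python
import struct

# Option type byte -> name (RFC 791); type 7 is the Record Route option from the thread.
OPTION_NAMES = {0: "EOL", 1: "NOP", 7: "Record Route", 68: "Timestamp",
                131: "Loose Source Route", 137: "Strict Source Route"}

def parse_ipv4_options(packet: bytes):
    """Return a list of (type, name, data) for each option in an IPv4 header."""
    if len(packet) < 20:
        raise ValueError("shorter than a minimal IPv4 header")
    version, ihl = packet[0] >> 4, packet[0] & 0x0F
    if version != 4 or ihl < 5 or len(packet) < ihl * 4:
        raise ValueError("not a well-formed IPv4 header")
    opts, raw, i = [], packet[20:ihl * 4], 0   # options sit between byte 20 and IHL*4
    while i < len(raw):
        otype = raw[i]
        if otype == 0:                         # End of Option List: the rest is padding
            break
        if otype == 1:                         # No-Operation is a single byte
            opts.append((1, "NOP", b""))
            i += 1
            continue
        if i + 1 >= len(raw) or raw[i + 1] < 2 or i + raw[i + 1] > len(raw):
            raise ValueError("malformed option length")
        olen = raw[i + 1]
        opts.append((otype, OPTION_NAMES.get(otype, "unknown"), raw[i + 2:i + olen]))
        i += olen
    return opts

def verdict(packet: bytes) -> str:
    """Model of the policy described in the thread: drop any packet carrying IP options."""
    return "drop" if parse_ipv4_options(packet) else "pass"

def build_header(options: bytes = b"") -> bytes:
    """Constructed sample header (ICMP, 192.0.2.1 -> 198.51.100.7), checksum left at 0."""
    options += b"\x00" * (-len(options) % 4)   # pad options to a 32-bit boundary
    ihl = 5 + len(options) // 4
    return struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + 8, 0, 0, 64, 1, 0,
                       bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7])) + options

# Record Route: type 7, length 39 (3 header bytes + 9 address slots), pointer 4 (first slot)
RECORD_ROUTE = bytes([7, 39, 4]) + bytes(36)
PLAIN_PING = build_header()                    # IHL = 5, no options
RR_PING = build_header(RECORD_ROUTE)           # IHL = 15, carries option 7
```

The plain header gets "pass" and the Record Route header gets "drop", which matches the symptom in the thread: the ordinary extended ping works and the one with the record option does not, even though the ICMP payload is the same.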
