[SRX] Traceroute shows duplicate hop IP through SRX

Article ID: KB31863 | KB Last Updated: 28 Jun 2017 | Version: 1.0
Summary:

This article explains why a traceroute through an SRX shows a duplicate hop IP address.

Symptoms:

When a traceroute is run from a client to a server IP address through the SRX, the result shows a duplicate hop IP address.

Example:

root> traceroute 10.20.10.10    
traceroute to 10.10.10.10 (10.10.10.10), 30 hops max, 40 byte packets
 1  192.168.2.2 (192.168.2.2)  0.873 ms  0.906 ms  0.699 ms
 2  192.168.3.7 (192.168.3.7)  0.921 ms  1.071 ms  0.791 ms
 3  192.168.3.7 (192.168.3.7)  1.595 ms  1.370 ms  1.327 ms
 4  10.20.10.10 (10.20.10.10)  3.913 ms  3.772 ms  4.062 ms
Cause:

This occurs because the SRX has a Network Address Translation (NAT) configuration and the traffic passes through NAT.
The SRX needs to adjust the time-to-live (TTL) by looping the packet twice.

Solution:
 
root@SRX> show security flow session   
Session ID: 39264, Policy name: Permit-Policy1/4, Timeout: 56, Valid
  In: 192.168.2.1/58284 --> 10.20.10.10/33440;udp, If: ge-2/0/0.0, Pkts: 1, Bytes: 40
  Out: 10.10.10.10/33440 --> 192.168.2.1/58284;udp, If: ge-2/0/1.0, Pkts: 0, Bytes: 0
 

Without NAT configuration:

[edit]
root@SRX# run show security flow session    
Session ID: 65412, Policy name: Permit-Policy1/4, Timeout: 50, Valid
  In: 192.168.2.1/60536 --> 10.10.10.10/33440;udp, If: ge-2/0/0.0, Pkts: 1, Bytes: 40
  Out: 10.10.10.10/33440 --> 192.168.2.1/60536;udp, If: ge-2/0/1.0, Pkts: 0, Bytes: 0 
 
root> traceroute 10.10.10.10  
traceroute to 10.10.10.10 (10.10.10.10), 30 hops max, 40 byte packets
1  192.168.2.2 (192.168.2.2)  6.337 ms  0.831 ms  0.662 ms
2  192.168.3.7 (192.168.3.7)  1.571 ms  1.428 ms  1.438 ms
3  10.19.19.253 (10.19.19.253)  2.000 ms  2.758 ms  1.826 ms
4  10.10.10.10 (10.10.10.10)  4.437 ms  4.837 ms  5.099 ms  
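
The two indicators shown above can be checked programmatically. The following Python is an added example, not part of the Juniper article: it flags flow sessions whose In and Out wings are not mirror images (address translation) and traceroute hops that repeat the previous hop's address. The function names are this example's own; the sample text is the output shown in this article.

```python
import re

# Sample CLI output copied from this article (both flow sessions, NAT traceroute).
SESSIONS = """\
Session ID: 39264, Policy name: Permit-Policy1/4, Timeout: 56, Valid
  In: 192.168.2.1/58284 --> 10.20.10.10/33440;udp, If: ge-2/0/0.0, Pkts: 1, Bytes: 40
  Out: 10.10.10.10/33440 --> 192.168.2.1/58284;udp, If: ge-2/0/1.0, Pkts: 0, Bytes: 0
Session ID: 65412, Policy name: Permit-Policy1/4, Timeout: 50, Valid
  In: 192.168.2.1/60536 --> 10.10.10.10/33440;udp, If: ge-2/0/0.0, Pkts: 1, Bytes: 40
  Out: 10.10.10.10/33440 --> 192.168.2.1/60536;udp, If: ge-2/0/1.0, Pkts: 0, Bytes: 0
"""
TRACE = """\
 1  192.168.2.2 (192.168.2.2)  0.873 ms  0.906 ms  0.699 ms
 2  192.168.3.7 (192.168.3.7)  0.921 ms  1.071 ms  0.791 ms
 3  192.168.3.7 (192.168.3.7)  1.595 ms  1.370 ms  1.327 ms
 4  10.20.10.10 (10.20.10.10)  3.913 ms  3.772 ms  4.062 ms
"""

WING = re.compile(r"^\s*(In|Out): (\S+?)/(\d+) --> (\S+?)/(\d+);(\w+)", re.M)
HOP = re.compile(r"^\s*(\d+)\s+(\S+) \(", re.M)

def nat_sessions(text):
    """Return {session_id: kind} for sessions whose wings are not mirror images."""
    found = {}
    for block in re.split(r"(?=^Session ID: )", text, flags=re.M):
        sid = re.match(r"Session ID: (\d+)", block)
        wings = {m[1]: m.groups()[1:5] for m in WING.finditer(block)}
        if not sid or set(wings) != {"In", "Out"}:
            continue  # skip empty or incomplete session blocks
        (isrc, isp, idst, idp), (osrc, osp, odst, odp) = wings["In"], wings["Out"]
        kinds = []
        if (idst, idp) != (osrc, osp):
            kinds.append("destination")  # In-wing destination differs from Out-wing source
        if (isrc, isp) != (odst, odp):
            kinds.append("source")  # In-wing source differs from Out-wing destination
        if kinds:
            found[int(sid[1])] = "+".join(kinds)
    return found

def duplicate_hops(text):
    """Return (ttl, address) for each hop that repeats the previous hop's address."""
    hops = [(int(n), ip) for n, ip in HOP.findall(text)]
    return [(n, ip) for (_, prev), (n, ip) in zip(hops, hops[1:]) if ip == prev]

if __name__ == "__main__":
    print("NAT sessions:", nat_sessions(SESSIONS))
    print("Duplicate hops:", duplicate_hops(TRACE))
```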
 
