Do I need to enable a service for tracert to work?

I'm trying to do a basic tracert to google.com and I'm receiving a very weird result that I believe is a result of our Sidewinder firewalls.

I've copied and pasted the result below:

C:\Users\xyz>tracert google.com

Tracing route to google.com [72.14.204.113]
over a maximum of 30 hops:

  1     *        *        *     Request timed out.
  2     *        *        *     Request timed out.
  3     *        *        *     Request timed out.
  4     *        *        *     Request timed out.
  5     *        *        *     Request timed out.
  6     *        *        *     Request timed out.
  7     *        *        *     Request timed out.
  8     *        *        *     Request timed out.
  9    11 ms    20 ms     8 ms  iad04s01-in-f113.1e100.net [72.14.204.113]

Each time, it will connect to Google on the 9th hop but it won't show anything before that.

Any ideas?

1 Solution

Accepted Solutions

Re: Do I need to enable a service for tracert to work?

Traceroute through the firewall will work as of 7.0.1.03 and 8.1.2; it did not work in previous versions of the firewall. In order to pass traceroute through the firewall, an ICMP packet filter rule is required. In my testing, I created an ICMP packet filter rule with the following Generic (Required) application defense settings:

General tab: Default Values (no proxies selected)

Stateful Inspection tab:

- Enable stateful packet inspection

- ICMP Message types (all selected)

- Allowed control and error responses: Default selected ('timxceed_intrans', 'unreach_needfrag', 'unreach_port')

Note: You may also need to allow UDP ports (depending on how you are using tracert), but in my testing I did not need to. Also, in case you reference the Product Guide - it is incorrect and out of date; it still states that, "Traceroute is not allowed through the firewall."

Message was edited by: rdestics on 3/19/12 10:17:27 AM CDT
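
An added illustration, not part of the original thread and not the firewall's own logic: a small Python model of a stateful ICMP filter showing why tracert's echo probes produce `*` for every intermediate hop when 'timxceed_intrans' (ICMP type 11, code 0) is not allowed inbound, while the final echo reply still gets through. The function names, the sample identifier 0x1234 and the packets are constructed for the example.

```python
import struct

# Names from the rule above mapped to ICMP (type, code) per RFC 792 / RFC 1191.
ERROR_NAMES = {(11, 0): "timxceed_intrans",  # TTL expired at an intermediate hop
               (3, 4): "unreach_needfrag",   # fragmentation needed, DF set
               (3, 3): "unreach_port"}       # ends a UDP-based traceroute
ECHO_REQUEST, ECHO_REPLY = 8, 0

def echo(msg_type, ident, seq):
    """Constructed 8-byte ICMP echo header (checksum left as zero)."""
    return struct.pack("!BBHHH", msg_type, 0, 0, ident, seq)

def icmp_error(msg_type, code, probe):
    """ICMP error: 4 unused bytes, then the probe's IP header + first 8 bytes."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(probe), 0, 0,
                     1, 1, 0, bytes(4), bytes(4))  # protocol 1 = ICMP
    return struct.pack("!BBHI", msg_type, code, 0, 0) + ip + probe[:8]

def inbound_verdict(packet, outstanding, allowed_errors):
    """Model of a stateful ICMP filter; outstanding = {(ident, seq)} sent out."""
    msg_type, code = packet[0], packet[1]
    if msg_type == ECHO_REPLY:
        key = struct.unpack("!HH", packet[4:8])
    elif ERROR_NAMES.get((msg_type, code)) in allowed_errors:
        quoted = packet[8:]
        if len(quoted) < 20 or quoted[9] != 1:   # need a quoted ICMP packet
            return "drop"
        inner = quoted[(quoted[0] & 0x0F) * 4:][:8]
        if len(inner) < 8 or inner[0] != ECHO_REQUEST:
            return "drop"
        key = struct.unpack("!HH", inner[4:8])
    else:
        return "drop"                            # error type not permitted
    return "pass" if key in outstanding else "drop"

def tracert_view(hops, allowed_errors, ident=0x1234):
    """Per-hop result for ICMP echo probes (Windows tracert style)."""
    rows = []
    for ttl in range(1, hops + 1):
        probe = echo(ECHO_REQUEST, ident, ttl)
        answer = (echo(ECHO_REPLY, ident, ttl) if ttl == hops
                  else icmp_error(11, 0, probe))
        verdict = inbound_verdict(answer, {(ident, ttl)}, allowed_errors)
        rows.append("reply" if verdict == "pass" else "*")
    return rows

if __name__ == "__main__":
    print(tracert_view(9, set()))
    print(tracert_view(9, set(ERROR_NAMES.values())))
```

With no error responses allowed, the model reproduces the nine-hop pattern from the question; with the three defaults allowed, every hop answers. An error that quotes an echo request the filter never saw leave is dropped either way.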
4 Replies

Re: Do I need to enable a service for tracert to work?

Looks like these firewalls need to be updated then. When I look at Help > About it says Console Version 4.10.

Would you mind pointing me in the direction of where to get the firmware update details?

Re: Do I need to enable a service for tracert to work?

That is the version of the Admin Console, not the firewall. Go to the Dashboard and see what the 'Version' is, or from CLI, type 'uname -r'. Either way, you can download patches directly to the firewall (if it has Internet access) under the Maintenance - Software management screen (click 'Check for Updates'). You can also download patches from http://www.mcafee.com/us/downloads (use your Grant number to access the site).

Re: Do I need to enable a service for tracert to work?

Ah, perfect, thanks!

I'm on version 7.01.02 which is one version previous to when you stated it was fixed. Looks like things will need to be updated.

Appreciate your prompt response as always rdestics.