4 Replies Latest reply on Mar 19, 2012 12:30 PM by readysetgo

    Do I need to enable a service for tracert to work?

      I'm trying to do a basic tracert to google.com and I'm receiving a very weird result that I believe is a result of our Sidewinder firewalls.



      I've copied and pasted the result below:



      C:\Users\xyz>tracert google.com


      Tracing route to google.com []

      over a maximum of 30 hops:


        1     *        *        *     Request timed out.

        2     *        *        *     Request timed out.

        3     *        *        *     Request timed out.

        4     *        *        *     Request timed out.

        5     *        *        *     Request timed out.

        6     *        *        *     Request timed out.

        7     *        *        *     Request timed out.

        8     *        *        *     Request timed out.

        9    11 ms    20 ms     8 ms  iad04s01-in-f113.1e100.net []




      Each time, it will connect to google on the 9th hop but it won't show anything before that.




      Any ideas?

        • 1. Re: Do I need to enable a service for tracert to work?

          Traceroute through the firewall will work as of and 8.1.2; it did not work in previous versions of the firewall. In order to pass traceroute through the firewall, an ICMP packet filter rule is required. In my testing, I created an ICMP packet filter rule with the following Generic (Required) application defense settings:


          General tab: Default Values (no proxies selected)

          Stateful Inspection tab:


          - Enable stateful packet inspection

          - ICMP Message types (all selected)

          - Allowed control and error responses: Default selected ('timxceed_intrans', 'unreach_needfrag', 'unreach_port')


          Note: You may also need to allow UDP ports (depending on how you are using tracert), but in my testing I did not need to). Also, in case you reference the Product Guide - it is incorrect and out of date; it still states that, "Traceroute is not allowed through the firewall."


          Message was edited by: rdestics on 3/19/12 10:17:27 AM CDT
          • 2. Re: Do I need to enable a service for tracert to work?

            Looks like these firewalls need to be updated then. When I look at Help > About it says Console Version 4.10.



            Would you mind pointing me in the direction of where to get the firmware update details?     

            • 3. Re: Do I need to enable a service for tracert to work?

              That is the version of the Admin Console, not the firewall. Go the the Dashboard and see what the 'Version' is, or from CLI, type 'uname -r'. Either way, you can download patches directly to the firewall (if it has Internet access) under the Maintenance - Software management screen (click 'Check for Updates'). You can also download patches from http://www.mcafee.com/us/downloads (use your Grant number to access the site).

              1 of 1 people found this helpful
              • 4. Re: Do I need to enable a service for tracert to work?

                Ah, perfect, thanks!


                I'm on version 7.01.02 which is one version previous to when  you stated it was fixed. Looks like things will need to be updated.



                Appreciate your prompt response as always rdestics.