mimform Posted January 18, 2014 Share Posted January 18, 2014 I have remote sites here and there and sometimes, there are problems along the way so I need to poke around and see what's going on. Is it a provider along the way? Is it is something along the network before or after the internet, etc. You get the point. Problem is that more and more companies are starting to disable icmp and related tcp/udp ports so running say traceroute and others even on tcp/udp ports don't make any difference. When traceroute, ping and other similar tools don't give you insight into a network because some of the providers along the path, what other tools, tricks, methods are there to test connectivity and timing from point A to B over the internet? I've been searching for over a week, trying out countless tools such as tcptraceroute, mtr, alf and others but still keep getting the dreaded * * * responses. Figured it's time to reach out and find a pro or two. Thanks. Link to comment Share on other sites More sharing options...
+John Teacake MVC Posted January 18, 2014 MVC Share Posted January 18, 2014 More and more companies are blocking ICMP??? Are they? What type of connections do you have? I am assuming you are using VPN's. Are they managed by you? Link to comment Share on other sites More sharing options...
Gerowen Posted January 18, 2014 Share Posted January 18, 2014 I use Zenmap (A GUI for nmap) occasionally for scanning devices on a network to see what ports are listening, but using it assumes that you can see the device you are wanting to scan. Link to comment Share on other sites More sharing options...
MillionVoltss Posted January 18, 2014 Share Posted January 18, 2014 ( Has no networking skills ) Can you do the ping from the Client in a shell or something to yours ? Link to comment Share on other sites More sharing options...
+John Teacake MVC Posted January 19, 2014 MVC Share Posted January 19, 2014 I could understand maybe at a push ICMP (ping) been disabled but does your traceroute show all ***. post some examples and maybe a diagram of your setup. Link to comment Share on other sites More sharing options...
The_Decryptor Veteran Posted January 19, 2014 Veteran Share Posted January 19, 2014 MTR? pathping? A hop along the way blocking ICMP or such shouldn't break the entire route, and tools like that should still work in that situation. Link to comment Share on other sites More sharing options...
sc302 Veteran Posted January 21, 2014 Veteran Share Posted January 21, 2014 If you control the end points you enable for testing. You need to be able to test basic communications. if you heave business class firewalls you will be able to look at the logs to see what is hiring your firewall. Link to comment Share on other sites More sharing options...
mimform Posted January 22, 2014 Author Share Posted January 22, 2014 Thanks for all of the replies. No, I don't control all of the points, only A to B but I need to see what is down in between them. No, I don't only see * * *, so no, it doesn't break the entire route. Just saying that too often, when providers disable ICMP and assosicated tcp/udp ports, then there is little to go on because the tracetroute ends. Yes, I use juniper SSG series firewalls and yes, I do see the logging but that doesn't help much since I can't see the full path from point A to B when something in between is down. No, I can't use scans because that typically makes providers somewhat nervous, even if they are logged and reported. Our own devices do the same thing but if I see too many scans, I start wondering why. Yes, I do have the remotes ping back to us when we have problems but no one can get any better traceroute when those services are diabled. My question is really not about ping or traceroute but what other options might be available when these tools become useless. Link to comment Share on other sites More sharing options...
sc302 Veteran Posted January 22, 2014 Veteran Share Posted January 22, 2014 Calling the site, if they have a vpn with a split tunnel, do they continue to have internet access? If they don't have a vpn with a split tunnel, do they have an internet facing port on their firewall? Can you enable ssl or https administration for that site and use another site (possibly a computer at home that is possibly on a different network entirely) to try to administrate it. basically, if you can't hit it from work and you can't hit it from home there are serious issues to work on which are usually out of your control once setup properly. If it is all internal, then there are internal network issues that you have to work with. Short of really pinging each site from a site that exists outside of your network, calling the provider to assist with troubleshooting, being able to remote into each site, tracerouteing, there really isn't much else you can do as far as basic troubleshooting...you don't own everything between you and them so hard to get a good read on it...generally though if they have disabled icmp and you have a good trace route from one site to the other you can guage pretty well when a site is down and around where it is dying....you need to know how many hops it takes for a normal trace to hit your site. You can pretty much guage when it is your site having issues or when someone else is if it stops responding after 2 hops for example when it normally takes 30, but if it dies on 30 you know it is your end. it isn't exactly rocket science, if it makes sense and you have previously tested before you can guage pretty well what is going on. Link to comment Share on other sites More sharing options...
mimform Posted January 28, 2014 Author Share Posted January 28, 2014 Thank you very much for all of the info. It is helpful and I will note that there aren't any other tools which may not be well known. Link to comment Share on other sites More sharing options...
Recommended Posts