Tag Archives: fortigate How to run ping and traceroute

How to run ping and traceroute

How to run ping and traceroute

Ping and traceroute are useful tools in network troubleshooting. Alone, either one can determine network connectivity between two points. However, ping can be used to generate simple network traffic to view with diagnose commands on the FortiGate unit. This combination can be very powerful when locating network problems.

In addition to their normal uses, ping and traceroute can tell you if your computer or network device has access to a domain name server (DNS). While both tools can use IP addresses alone, they can also use domain names for devices. This is an added troubleshooting feature that can be useful in determining why particular services, such as email or web browsing, may not be working properly.

If ping does not work, you likely have it disabled on at least one of the interface set- tings, and security policies for that interface.

Both ping and traceroute require particular ports to be open on firewalls, or else they cannot function. Since you typically use these tools to troubleshoot, you can allow them in the security policies and on interfaces only when you need them, and otherwise keep the ports disabled for added security.

 

Ping

The ping command sends a very small packet to the destination, and waits for a response. The response has a timer that may expire, indicating the destination is unreachable. The behavior of ping is very much like a sonar ping from a submarine, where the command gets its name.

Ping is part of Layer-3 on the OSI Networking Model. Ping sends Internet Control Message Protocol (ICMP) “echo request” packets to the destination, and listens for “echo response” packets in reply. However, many public networks block ICMP packets because ping can be used in a denial of service (DoS) attack (such as Ping of Death or a smurf attack), or by an attacker to find active locations on the network. By default, FortiGate units have ping enabled while broadcast-forward is disabled on the external interface.

 

What ping can tell you

Beyond the basic connectivity information, ping can tell you the amount of packet loss (if any), how long it takes the packet to make the round trip, and the variation in that time from packet to packet.

If there is some packet loss detected, you should investigate the following:

  • Possible ECMP, split horizon, or network loops.
  • Cabling to ensure no loose connections.
  • Verify which security policy was used (use the packet count column on the Policy & Objects > Policy page). If there is total packet loss, you should investigate the following:
  • Hardware — ensure cabling is correct, and all equipment between the two locations is accounted for.
  • Addresses and routes — ensure all IP addresses and routing information along the route is configured as expected.
  • Firewalls — ensure all firewalls, including FortiGate unit security policies allow PING to pass through.

 

How to use ping

Ping syntax is the same for nearly every type of system on a network.

 

To ping from a FortiGate unit

1. Connect to the CLI either through telnet or through the CLI widget on the web-based manager dashboard.

2. Enter exec ping 11.101.101 to send 5 ping packets to the destination IP address. There are no options for this command.

 

Sample output:

Head_Office_620b # exec ping 10.11.101.101

PING 10.11.101.101 (10.11.101.101): 56 data bytes

64 bytes from 10.11.101.101: icmp_seq=0 ttl=255 time=0.3 ms

64 bytes from 10.11.101.101: icmp_seq=1 ttl=255 time=0.2 ms

64 bytes from 10.11.101.101: icmp_seq=2 ttl=255 time=0.2 ms

64 bytes from 10.11.101.101: icmp_seq=3 ttl=255 time=0.2 ms

64 bytes from 10.11.101.101: icmp_seq=4 ttl=255 time=0.2 ms

— 10.11.101.101 ping statistics —

5 packets transmitted, 5 packets received, 0% packet loss round-trip min/avg/max = 0.2/0.2/0.3 ms

 

To ping from an MS Windows PC

1. Open a command window.

  • In Windows XP, select Start > Run, enter cmd, and select OK.
  • In Windows 7, select the Start icon, enter cmd in the search box, and select cmd.exe from the list.

2. Enter ping 11.101.100 to ping the default internal interface of the FortiGate unit with four packets.

Other options include:

  • -t to send packets until you press “Control-C”
  • -a to resolve addresses to domain names where possible
  • -n X to send X ping packets and stop

Sample output:

C:\>ping 10.11.101.101

Pinging 10.11.101.101 with 32 bytes of data:

Reply from 10.11.101.101: bytes=32 time=10ms TTL=255

Reply from 10.11.101.101: bytes=32 time<1ms TTL=255

Reply from 10.11.101.101: bytes=32 time=1ms TTL=255

Reply from 10.11.101.101: bytes=32 time=1ms TTL=255

Ping statistics for 10.11.101.101:

Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), Approximate round trip times in milli-seconds:

Minimum = 0ms, Maximum = 10ms, Average = 3ms

 

To ping from a Linux PC

1. Go to a shell prompt.

2. Enter “ping 11.101.101”.

 

Traceroute

Where ping will only tell you if it reached its destination and came back successfully, traceroute will show each step of its journey to its destination and how long each step takes. If ping finds an outage between two points, traceroute can be used to locate exactly where the problem is.

 

What is traceroute

Traceroute works by sending ICMP packets to test each hop along the route. It will send out three packets, and then increase the time to live (TTL) setting by one each time. This effectively allows the packets to go one hop farther along the route. This is the reason why most traceroute commands display their maximum hop count before they start tracing the route — that is the maximum number of steps it will take before declaring the destination unreachable. Also, the TTL setting may result in steps along the route timing out due to slow responses. There are many possible reasons for this to occur.

By default, traceroute uses UDP datagrams with destination ports numbered from 33434 to 33534. The traceroute utility usually has an option to specify use of ICMP echo request (type 8) instead, as used by the Windows tracert utility. If you have a firewall and if you want traceroute to work from both machines (Unix-like systems and Windows) you will need to allow both protocols inbound through your FortiGate security policies (UDP with ports from 33434 to 33534 and ICMP type 8).

You can also use the packet count column of the Policy & Objects > Policy page to track traceroute packets. This allows you to verify the connection, but also confirm which security policy the traceroute packets are using.

 

What traceroute can tell you

Ping and traceroute have similar functions—to verify connectivity between two points. The big difference is that traceroute shows you each step of the way, where ping does not. Also, ping and traceroute use different protocols and ports, so one may succeed where the other fails.

You can verify your DNS connection using traceroute. If you enter an FQDN instead of an IP address for the traceroute, DNS will try to resolve that domain name. If the name does not get resolved, you know you have DNS issues.

 

How to use traceroute

The traceroute command varies slightly between operating systems. Note that in MS Windows the command name is shortened to “tracert”. Also, your output will list different domain names and IP addresses along your route.

 

To use traceroute on an MS Windows PC

1. Open a command window.

  • In Windows XP, select Start > Run, enter cmd, and select OK.
  • In Windows 7, select the Start icon, enter cmd in the search box, and select cmd.exe from the list.

2. Enter “tracert com” to trace the route from the PC to the Fortinet web site.

Sample output:

C:\>tracert fortinet.com

Tracing route to fortinet.com [208.70.202.225]

over a maximum of 30 hops:

1 <1 ms <1 ms <1 ms 172.20.120.2

2 66 ms 24 ms 31 ms 209-87-254-xxx.storm.ca [209.87.254.221]

3 52 ms 22 ms 18 ms core-2-g0-0-1104.storm.ca [209.87.239.129]

4 43 ms 36 ms 27 ms core-3-g0-0-1185.storm.ca [209.87.239.222]

5 46 ms 21 ms 16 ms te3-x.1156.mpd01.cogentco.com [38.104.158.69]

6 25 ms 45 ms 53 ms te8-7.mpd01.cogentco.com [154.54.27.249]

7 89 ms 70 ms 36 ms te3-x.mpd01.cogentco.com [154.54.6.206]

8 55 ms 77 ms 58 ms sl-st30-chi-.sprintlink.net [144.232.9.69]

9 53 ms 58 ms 46 ms sl-0-3-3-x.sprintlink.net [144.232.19.181]

10 82 ms 90 ms 75 ms sl-x-12-0-1.sprintlink.net [144.232.20.61]

11 122 ms 123 ms 132 ms sl-0-x-0-3.sprintlink.net [144.232.18.150]

12 129 ms 119 ms 139 ms 144.232.20.7

13 172 ms 164 ms 243 ms sl-321313-0.sprintlink.net [144.223.243.58]

14 99 ms 94 ms 93 ms 203.78.181.18

15 108 ms 102 ms 89 ms 203.78.176.2

16 98 ms 95 ms 97 ms 208.70.202.225

Trace complete.

 

The first, or the left column, is the hop count, which cannot go over 30 hops. When that number is reached, the traceroute ends.

The second, third, and fourth columns display how much time each of the three packets takes to reach this stage of the route. These values are in milliseconds and normally vary quite a bit. Typically a value of <1ms indicates a local connection.

The fifth, or the column farthest to the right, is the domain name of that device and its IP address or possibly just the IP address.

 

To perform a traceroute on a Linux PC

1. Go to a command line prompt.

2. Enter “traceroute com”.

The Linux traceroute output is very similar to the MS Windows tracert output.

 

To perform a traceroute from the FortiGate

1. Connect to the CLI either through telnet or through the CLI widget on the web-based manager dashboard.

2. Enter exec traceroute fortinet.com to trace the route to the destination IP address. There are no options for this command.

Output appears as follows:

# execute traceroute www.fortinet.com

traceroute to www.fortinet.com (66.171.121.34), 32 hops max, 84 byte packets

1 172.20.120.2 0.637 ms 0.653 ms 0.279 ms

2 209.87.254.221 <static-209-87-254-221.storm.ca> 2.448 ms 2.519 ms 2.458 ms

3 209.87.239.129 <core-2-g0-2.storm.ca> 2.917 ms 2.828 ms 9.324 ms

4 209.87.239.199 <core-3-bdi1739.storm.ca> 13.248 ms 12.401 ms 13.009 ms

5 216.66.41.113 <v502.core1.tor1.he.net> 17.181 ms 12.422 ms 12.268 ms

6 184.105.80.9 <100ge1-2.core1.nyc4.he.net> 21.355 ms 21.518 ms 21.597 ms

7 198.32.118.41 <ny-paix-gni.twgate.net> 83.297 ms 84.416 ms 83.782 ms

8 203.160.228.217 <217-228-160-203.TWGATE-IP.twgate.net> 82.579 ms 82.187 ms 82.066 ms

9 203.160.228.229 <229-228-160-203.TWGATE-IP.twgate.net> 82.055 ms 82.455 ms 81.808 ms

10 203.78.181.2 82.262 ms 81.572 ms 82.015 ms

11 203.78.186.70 83.283 ms 83.243 ms 83.293 ms

12 66.171.127.177 84.030 ms 84.229 ms 83.550 ms

13 66.171.121.34 <www.fortinet.com> 84.023 ms 83.903 ms 84.032 ms

14 66.171.121.34 <www.fortinet.com> 83.874 ms 84.084 ms 83.810 ms