Thursday, April 21, 2011

Tracert vs. Telnet to check website connectivity

On diagnosing a problem connecting to a website I have a tracert that appears to fail at an intermediary server (not the target domain) but a Telnet to the target domain completes. Is it possible for the domain where the tracert stops to be filtering out the IP (perhaps due to out of date bogon filter) but for Telnet to go through, or is completion of the Telnet an indication that the problem is at the target domain? Thanks.

Reply 1 : Tracert vs. Telnet to check website connectivity

More than likely there is a firewall that is blocking the traceroute. Because people can run denial of service attacks, a lot of firewalls block ping and traceroute. Even seeing * at intermediate nodes means little other than the device refuses to respond.
If telnet works it means end to end there is a valid connection.

Reply 2 : Tracert vs. Telnet to check website connectivity

I did know that ICMP packets are often not acknowledged but are still passed through. In this case the tracert did not just go to asterisks for a few hops but ended before the target. Seems strange that telnet can get through but I will request the admin at the target domain to take another look - said it's not them initially.

Reply 3 : Tracert vs. Telnet to check website connectivity

The key is understanding what exactly is being sent back. The entries in traceroute are messages that say time to live exceeded. A traceroute will end when it sees a port unreachable message. A firewall can either just drop the traffic and say nothing, and you will get row after row of star entries, or it can send back an unreachable message even though it is a lie.
When you get a firewall in the path you cannot trust the output of many diagnostic tools.

The symptom you talk about also happens when you pass through a NAT router or many types of load balancers that share addresses with multiple machines. Since telnet and traceroute use different ports the router/load may send it to a different device or may itself respond that it does not know, which terminates a traceroute.
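
The cases described in this thread can be told apart by the ICMP type and code of each probe response and by who sent it. The following is an added example, not part of the original thread: the function names, verdict labels and sample traces are hypothetical, and all addresses are constructed from documentation ranges.

```python
import struct

# ICMP (type, code) values a traceroute client sees (RFC 792).
TTL_EXCEEDED = (11, 0)   # an intermediate hop answered
PORT_UNREACH = (3, 3)    # a UDP probe hit a host with no listener
ECHO_REPLY = (0, 0)      # an ICMP-echo probe (Windows tracert) was answered

def icmp(msg_type, code):
    """Build a constructed 8-byte ICMP header (checksum left at 0, not validated)."""
    return struct.pack("!BBHI", msg_type, code, 0, 0)

def classify(sender, message, target):
    """Label one probe result; message is raw ICMP bytes, or None for a timeout (*)."""
    if message is None:
        return "silent"
    if len(message) < 2:
        return "malformed"
    kind = struct.unpack("!BB", message[:2])
    if kind == TTL_EXCEEDED:
        return "hop"
    if kind in (PORT_UNREACH, ECHO_REPLY):
        return "reached" if sender == target else "answered-by-other"
    if kind[0] == 3:
        return "unreachable"  # e.g. code 13, communication administratively prohibited
    return "other"

def diagnose(results, target, tcp_connect_ok):
    """results: ordered (sender_ip, message) pairs, one per TTL."""
    labels = [classify(s, m, target) for s, m in results]
    last = labels[-1] if labels else "silent"
    if last == "reached":
        return "trace-complete"
    if not tcp_connect_ok:
        return "no-evidence-of-connectivity"
    # The TCP handshake completed, so the path carries that port end to end.
    return "probes-dropped-path-ok" if last == "silent" else "trace-cut-short-path-ok"

TARGET = "203.0.113.80"  # constructed, documentation address ranges throughout
CUT_SHORT = [("192.0.2.1", icmp(11, 0)), ("198.51.100.1", icmp(11, 0)),
             ("198.51.100.9", icmp(3, 13))]
DROPPED = [("192.0.2.1", icmp(11, 0)), (None, None), (None, None)]
SHARED_ADDR = [("192.0.2.1", icmp(11, 0)), ("203.0.113.81", icmp(3, 3))]
COMPLETE = [("192.0.2.1", icmp(11, 0)), (TARGET, icmp(3, 3))]

if __name__ == "__main__":
    for name, trace in [("cut short", CUT_SHORT), ("dropped", DROPPED),
                        ("shared address", SHARED_ADDR), ("complete", COMPLETE)]:
        print(name, "->", diagnose(trace, TARGET, tcp_connect_ok=True))
```
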
