TraceRt problem.. only works one way?

Status
Not open for further replies.

PayneMG

IS-IT--Management
Sep 19, 2006
19
US
I've been having an issue between my home and office computers. This all started when I was trying to set up a VPN, which I eventually did, but this problem is still bugging me. I can do a tracert from the office to my home computer no problem, but whenever I try to do it from home to work, it times out at the same place every time. Pings don't go through either. Here is the trace from work to home:

1 <1 ms <1 ms <1 ms 192.168.111.1
2 26 ms 25 ms 27 ms 151.213.32.46
3 25 ms 25 ms 24 ms 151.213.31.80
4 28 ms 27 ms 26 ms 151.213.30.238
5 27 ms 27 ms 27 ms 139.55.64.178
6 31 ms 31 ms 31 ms 12.118.224.21
7 66 ms 66 ms 65 ms 12.123.210.17
8 71 ms 69 ms 70 ms 12.122.10.46
9 70 ms 69 ms 70 ms 12.122.10.137
10 65 ms 65 ms 64 ms 12.122.12.38
11 64 ms 65 ms 64 ms 12.123.197.189
12 76 ms 75 ms 76 ms 12.124.59.114
13 75 ms 74 ms 74 ms 24.158.96.229
14 74 ms 74 ms 74 ms 24.158.96.3
15 80 ms 81 ms 80 ms 24.158.109.238
16 84 ms 83 ms 82 ms 24.159.144.19
17 91 ms 94 ms 92 ms 68.186.165.154


And home to work is this:

1 2 ms 2 ms 2 ms 68.186.165.154
2 91 ms 181 ms 182 ms 10.164.32.1
3 257 ms 244 ms 192 ms 24.159.144.10
4 136 ms 149 ms 51 ms 24.158.109.237
5 181 ms 147 ms 67 ms 24.158.96.226
6 201 ms 165 ms 152 ms 12.124.59.113
7 70 ms 70 ms 68 ms 12.123.197.190
8 174 ms 145 ms 110 ms 12.122.12.37
9 121 ms 132 ms 95 ms 12.122.10.138
10 263 ms 251 ms 141 ms 12.122.10.45
11 266 ms 188 ms 160 ms 12.123.210.18
12 * * * Request timed out.
13 * * * Request timed out.
14 * * * Request timed out.
15 * * * Request timed out.
16 * * * Request timed out.
17 * * * Request timed out.
18 * * * Request timed out.
19 * * * Request timed out.
20 * * * Request timed out.

It doesn't matter how long I set the timeout or how many hops (I've tried up to 20 seconds/50 hops), it always stops at number 11 on the list, which has an att.net host name, so I assume it's part of ATT's network and there's nothing I can do to get it fixed. However, is there a way I can specify the correct route by using the one that works (office->home)?
 
You shouldn't try to specify a route. Internet routing changes dynamically, you can't count on a particular route to always be there.
 
Is this bugging you because you simply can't ping, or is it stopping data from getting to the workplace?

It's not that uncommon for pings to be blocked, what is the problem?


Carlsberg don't run I.T departments, but if they did they'd probably be more fun.
 
Could be that this particular Firewall / Router is not allowing ICMP (Internet Control messaging Protocol) through, and ICMP is what tracert and ping use.

As GRENAGE says above, if it is not blocking network traffic (other than ICMP) then what is the problem?
 
Well it started because I was trying to start a VPN tunnel TO the office, but it never would connect, but it did when I reversed it and tunneled TO the house. I also can't do remote desktop or access a web server or anything like that unless I first establish a VPN tunnel from the office and use the "local" IPs. So yes, it seems to be stopping traffic, but only one direction.
 
Your traffic is probably being stopped by your corporate firewall.

 
It isn't getting to the firewall at work. The traffic stops at an att.net address (12.123.210.18) or whatever is supposed to be after that in the route. After AT&T's computers, it should go to a set of Alltel.net addresses which is the ISP we use at work. Is there some way to specify a certain route for my traffic and then maybe the routers along the path will pick it up as the alternate route around the unresponsive computer?
 
Your vpn is working, right? That means the route is good. The router you're worried about is not broken, it simply doesn't reply to ping or tracert queries (why att would set it up that way is anybody's guess).

Firewalls are put in place to stop exactly what you're trying to do. Imagine the chaos if anybody on the internet could remote desktop or browse servers on the corporate network. Since the firewall doesn't know who you are, it won't let you make those connections either.

There is no way for your PC to specify which route the data takes on the internet. "Internet routing changes dynamically, you can't count on a particular route to always be there."

 
The VPN works one direction; that is, I can initiate it from only one side, the office side. Once I establish the tunnel, I can communicate both ways, which I assume is because both computers are using the same (working) path. By default, the path from home to work is not valid.

Right now my VPN router is sitting at my house and I can tunnel TO it from here. Before, I had the VPN Router here and I could NOT tunnel to it from my house, so I took the router home for troubleshooting since my pings and traces weren't getting through either.

I understand that the routes change dynamically, what I'm asking is if there isn't a way to force it to consider finding a different path, since I know there IS a path between these points that works properly? From what I understand, the last router that my trace hits should be responsible for finding a path to the next one, so if I were to hit it with a request that it CAN find on the path I need, it should update its routing table right? Or am I totally missing the train here?
 
The firewall may well let you initiate the VPN tunnel from work because your IP scheme may be accepted by the firewall rules, however, you are probably getting a different address at home and maybe the rules are not there for that network.
To find that out :-

Get your IP address assigned when at home.
Find whoever looks after the Corporate network firewalls and get them to check the rulebase.
Ask them if they can add that one entry in for you to test at home.

The router that the tracert and ping stops at is not necessarily the device that is causing the VPN to not initiate (as the VPN works the other way). It is probably just set to not allow ICMP through.

There is no way that you can force a route for tunneling through the routers that make up the backbone of the Internet unless you own all of them and can control the routing tables.....
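Added example, not part of the thread: the two traces posted above can be lined up to see where the home-to-work probes go quiet relative to the working direction. The function names are illustrative, and the code assumes carriers number each point-to-point link from a single /30 and that the return path mirrors the forward one, which Internet routing does not guarantee.

```python
import ipaddress

# Hop lines copied from the two traces posted in this thread (abridged).
WORK_TO_HOME = """\
4 28 ms 27 ms 26 ms 151.213.30.238
5 27 ms 27 ms 27 ms 139.55.64.178
6 31 ms 31 ms 31 ms 12.118.224.21
7 66 ms 66 ms 65 ms 12.123.210.17
8 71 ms 69 ms 70 ms 12.122.10.46
"""
HOME_TO_WORK = """\
10 263 ms 251 ms 141 ms 12.122.10.45
11 266 ms 188 ms 160 ms 12.123.210.18
12 * * * Request timed out.
13 * * * Request timed out.
"""

def parse_tracert(text):
    """Return [(hop_number, IPv4Address or None)] from Windows tracert lines."""
    hops = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or not parts[0].isdigit():
            continue
        try:
            ip = ipaddress.ip_address(parts[-1].strip("[]"))  # "host [ip]" form
        except ValueError:
            ip = None  # "Request timed out." rows carry no address
        hops.append((int(parts[0]), ip))
    return hops

def last_responder(hops):
    answered = [(n, ip) for n, ip in hops if ip is not None]
    return answered[-1] if answered else None

def same_link(a, b, prefix=30):
    # Assumption: both ends of a router-to-router link sit in one /30.
    return a != b and b in ipaddress.ip_network(f"{a}/{prefix}", strict=False)

def unanswered_segment(forward, reverse):
    """Forward-trace hop facing the last reverse responder, plus the forward
    hops past it (toward the forward source) that never answered in reverse."""
    last = last_responder(reverse)
    for idx, (_, ip) in enumerate(forward):
        if last and ip is not None and same_link(last[1], ip):
            return str(ip), [str(h) for _, h in reversed(forward[:idx]) if h]
    return None, []

if __name__ == "__main__":
    print(unanswered_segment(parse_tracert(WORK_TO_HOME), parse_tracert(HOME_TO_WORK)))
```

On the thread's data the last address that answers from home, 12.123.210.18, is the opposite end of the link seen as hop 7 from the office, so the probes were answered across the whole AT&T portion and only the hops nearer the office stayed silent. That is consistent with filtering near the destination rather than a broken router at hop 11, though it does not prove it.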
 
I am the network admin at work, so I can make any changes I need to fix this. Is there a different way to verify the route besides using ICMP? Like a TCP tracert? Or perhaps some other way to see where and why exactly the VPN tunnel (using TCP/UDP) is failing?
 
By the way, in case I made it unclear, I used the same router to try the connection on both ends, so it can't be an issue with the router blocking the connection. The opposite end each time has been a Linksys router that does support VPN passthrough. The only difference in the home and office connections would be that home is cable and office is DSL, and I've already checked and set the MTUs appropriately for each.
 
You can telnet the WAN side of your network, but password protect it, of course. What kind of router do you use for your gateway, or do you use the dsl modem?
 
Telnet sends passwords in plain text, and has a dozen other security flaws. Never ever set up a telnet listener on an internet facing connection, it will be compromised in minutes.
 
Just as an update to this, I finally got it to connect from home->work using ProSafe client. I haven't a clue what I did to "fix" it, but it suddenly works now and I can transfer files and share printers and such. Thanks to everyone who tried to help me even though I was barking up the wrong tree, so to speak. :)
 
Very Odd. What client were you using?

Glad you got it sorted.
 
I was using ProSafe all along but for whatever reason it just started working. The tracert still does the same thing so maybe there was another problem along the line somewhere? Who knows, I'm just glad that it works now!
 