What if the firewall's IP address is not displayed when using tracert


You can run the ip ttl-expires enable command. After receiving an ICMP packet whose TTL is 0 from the Windows host, the firewall replies with a timeout packet, and the IP address of the firewall is then displayed on the Windows host.

Other related questions:
Reason why the firewall does not display the IP address in the tracert output
On the CLI, run the following commands in the system view:
icmp ttl-exceeded send - By default, an interface does not send ICMP Time Exceeded messages.
icmp host-unreachable send - This command enables the sending of ICMP host-unreachable packets.
undo firewall defend tracert enable - If the firewall defend tracert enable command is configured, the FW discards ICMP timeout packets, UDP timeout packets, or destination port unreachable packets.

The tracert command output does not display the IP address of a PE on the public network on an S series switch
After you perform the following operations on S series switches (except the S1700), the tracert command output does not display the IP address of a PE on the public network:
1. Run the undo ttl propagate command in the system view of the PE to set the TTL propagate mode of MPLS packets to pipe.
2. Run the reset mpls ldp command in the user view to reset MPLS LDPs.

How does the USG firewall use the tracert command?
USG2000 & 5000 & 6000: Use the tracert command as follows. Run the tracert command on the client to detect where the network has failed. The following is an example of using tracert to analyze the network:

    Tracert 35.1.1.48
    Traceroute to 35.1.1.48 (35.1.1.48), 30 hops max, 56 byte packet
     1 128.3.112.1 19 ms 19 ms 0 ms
     2 128.32.216.1 39 ms 39 ms 19 ms
     3 128.32.136.23 39 ms 40 ms 39 ms
     4 128.32.168.22 39 ms 39 ms 39 ms
     5 128.32.197.4 40 ms 59 ms 59 ms
     6 131.119.2.5 59 ms 59 ms 59 ms
     7 129.140.70.13 99 ms 99 ms 80 ms
     8 129.140.71.6 139 ms 239 ms 319 ms
     9 129.140.81.7 220 ms 199 ms 199 ms
    10 35.1.1.48 239 ms 239 ms 239 ms

The output shows the IP address of each gateway that packets pass through on the way from the source to the destination 35.1.1.48. If a gateway along the path times out, "***" is returned for that hop; use this information to locate the failure.

Method used to check the IP address conflict on the USG2000, USG5000, and USG6000
You can check the IP address conflict on the USG2000, USG5000, and USG6000 as follows: On the CLI, enter the display logbuffer command. For example:

    [USG5500]display logbuffer
    Logging buffer configuration and contents:enabled
    Allowed max buffer size : 1024
    Actual buffer size : 1024
    Channel number : 4 , Channel name : logbuffer
    Dropped messages : 0
    Overwritten messages : 1200
    Current messages : 514
    %2015-04-24 10:56:26 USG5500 %%01ARP/4/DUP_IPADDR(l): Receive an ARP packet with duplicate ip address 192.168.101.207 from GigabitEthernet0/0/0, source MAC is 3400-a3d9-1897! //The conflicted address is 192.168.101.207.//
    %2015-04-24 10:56:21 USG5500 %%01ARP/4/DUP_IPADDR(l): Receive an ARP packet with duplicate ip address 192.168.101.207 from GigabitEthernet0/0/0, source MAC is 3400-a3d9-1897!
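
The following Python is an added example, not part of the original answer or any Huawei tool: it groups the ARP/4/DUP_IPADDR entries from saved display logbuffer output by conflicting address, with the source MACs, interfaces and time range for each. The function name, the EXAMPLE entry and the 192.168.101.50 entry are constructed for illustration.

```python
import re
from collections import defaultdict

# Field layout taken from the ARP/4/DUP_IPADDR entries in the output above.
DUP_RE = re.compile(
    r"%(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"%%\d+ARP/4/DUP_IPADDR\(l\): Receive an ARP packet with duplicate ip "
    r"address (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) from (?P<ifname>[^,\s]+), "
    r"source MAC is (?P<mac>(?:[0-9a-fA-F]{4}-){2}[0-9a-fA-F]{4})"
)

# First two entries are the ones shown above; the last two are constructed.
SAMPLE_LOG = """\
%2015-04-24 10:56:26 USG5500 %%01ARP/4/DUP_IPADDR(l): Receive an ARP packet with duplicate ip address 192.168.101.207 from GigabitEthernet0/0/0, source MAC is 3400-a3d9-1897!
%2015-04-24 10:56:21 USG5500 %%01ARP/4/DUP_IPADDR(l): Receive an ARP packet with duplicate ip address 192.168.101.207 from GigabitEthernet0/0/0, source MAC is 3400-a3d9-1897!
%2015-04-24 10:55:02 USG5500 %%01EXAMPLE/6/OTHER(l): constructed unrelated entry
%2015-04-24 10:54:40 USG5500 %%01ARP/4/DUP_IPADDR(l): Receive an ARP packet with duplicate ip address 192.168.101.50 from GigabitEthernet0/0/1, source MAC is 0000-5e00-5301!
"""

def summarize_conflicts(text):
    """Group duplicate-IP entries by address; works on wrapped or flattened output."""
    seen = defaultdict(lambda: {"count": 0, "macs": set(), "interfaces": set(),
                                "first_seen": None, "last_seen": None})
    for m in DUP_RE.finditer(text):
        entry = seen[m["ip"]]
        entry["count"] += 1
        entry["macs"].add(m["mac"].lower())
        entry["interfaces"].add(m["ifname"])
        ts = m["ts"]  # fixed-width timestamps sort correctly as strings
        if entry["first_seen"] is None or ts < entry["first_seen"]:
            entry["first_seen"] = ts
        if entry["last_seen"] is None or ts > entry["last_seen"]:
            entry["last_seen"] = ts
    # Convert sets to sorted lists so the summary is stable and printable.
    return {ip: {**e, "macs": sorted(e["macs"]),
                 "interfaces": sorted(e["interfaces"])}
            for ip, e in seen.items()}

if __name__ == "__main__":
    for ip, e in sorted(summarize_conflicts(SAMPLE_LOG).items()):
        print(f"{ip}: {e['count']} hit(s), MAC {', '.join(e['macs'])}, "
              f"on {', '.join(e['interfaces'])}, "
              f"{e['first_seen']} .. {e['last_seen']}")
```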

Method used to view the IP address of an interface on USG firewalls
The commands used to view the IP address of an interface on the USG2000, USG5000, and USG6000 are as follows:
1. Run the display ip interface brief command to view configuration information of an interface IP address.
2. Run the following commands to view the interface configuration:

    [Huawei] interface g0/0/1
    [Huawei-GigabitEthernet0/0/1] display this
