Reason why the firewall does not display the IP address in the tracert output


Run the following CLI commands in the system view:
icmp ttl-exceeded send - enables the interface to send ICMP Time Exceeded messages. By default, an interface does not send them.
icmp host-unreachable send - enables the sending of ICMP host-unreachable packets.
undo firewall defend tracert enable - if the firewall defend tracert enable command is configured, the FW discards ICMP timeout packets, UDP timeout packets, or destination port unreachable packets.

Other related questions:
Reason why the firewall displays the FIB timeout log
It is normal for the firewall to display the following information:
2010-04-08 16:48:35 CS-NGFW-1 FIB timer 385 timeout!
2010-04-08 16:48:30 CS-NGFW-1 FIB timer 938 timeout!
2010-04-08 16:48:25 CS-NGFW-1 FIB timer 213 timeout!
2010-04-07 16:48:35 CS-NGFW-1 FIB timer 837 timeout!
2010-04-07 16:48:30 CS-NGFW-1 FIB timer 573 timeout!
2010-04-07 16:48:25 CS-NGFW-1 FIB timer 427 timeout!
2010-04-06 16:48:35 CS-NGFW-1 FIB timer 791 timeout!
2010-04-06 16:48:30 CS-NGFW-1 FIB timer 841 timeout!
2010-04-06 16:48:25 CS-NGFW-1 FIB timer 400 timeout!
This is a normal phenomenon. The firewall updates and displays log information every 24 hours, which ensures that the control and forwarding planes have synchronized routing information.

What if the firewall's IP address is not displayed when using tracert
You can run the ip ttl-expires enable command. After receiving the ICMP packet with the TTL being 0 from the Windows host, the firewall replies with a timeout packet. Then, the IP address of the firewall will be displayed on the Windows host.

The tracert command output does not display the IP address of a PE on the public network on an S series switch
After you perform the following operations on S series switches (except the S1700), the tracert command output does not display the IP address of a PE on the public network:
1. Run the undo ttl propagate command in the system view of the PE to set the TTL propagate mode of MPLS packets to pipe.
2. Run the reset mpls ldp command in the user view to reset MPLS LDPs.

What is the meaning of the tracert command output on an S series switch
For S series switches (except the S1700), the tracert command displays information about the path on which packets are sent from the source to the destination and checks network connectivity. When a fault occurs on the network, you can run this command to locate the fault. This command is used as follows:
[HUAWEI] tracert
traceroute to,max hops: 30 ,packet length: 40,press CTRL_C to break
1 23 ms 12 ms 6 ms
2 * * *
3 5 ms !<10> 5ms !<10> 6ms !<10>
The command output is described as follows:
1 indicates the first-hop gateway. The sequence number increases by one with each hop. By default, the maximum number of hops is 30.
indicates the gateway address of the first hop. The IPv4 address following the sequence number of each hop is the gateway address of the hop.
23 ms 12 ms 6 ms indicates the time difference between the three sent UDP packets and the received ICMP Time Exceeded or ICMP Destination Unreachable packets.
* * * indicates that no ICMP Time Exceeded packet or ICMP Destination Unreachable packet is received on the second-hop device within a specified period.
! indicates an ICMP Destination Unreachable packet.
<10> indicates that the value of the Code field in the ICMP packet is 10, which means that the destination host is administratively prohibited. There are no reachable routes between the destination host and the source address. This packet is sent by the default gateway of the destination host.
For the meanings of other values of the Type and Code fields in an ICMP packet, see Chapter 6 in TCP/IP Illustrated, Volume I.
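
The markers described above can be read mechanically when many traces have to be reviewed. The parser below is an added example, not Huawei code or part of the original page; its function names are hypothetical, and the addresses in the sample are constructed documentation addresses because the output on this page does not show them.

```python
import re

# ICMP Destination Unreachable codes (type 3); the page explains code 10.
UNREACH = {0: "network unreachable", 1: "host unreachable",
           3: "port unreachable",
           9: "destination network administratively prohibited",
           10: "destination host administratively prohibited",
           13: "communication administratively prohibited"}

HOP = re.compile(r"^\s*(\d+)\s+(.*)$")
IPV4 = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")

# Constructed sample in the layout the page shows; addresses are placeholders.
SAMPLE = """\
[HUAWEI] tracert 198.51.100.20
 traceroute to 198.51.100.20(198.51.100.20), max hops: 30 ,packet length: 40,press CTRL_C to break
 1 192.0.2.1 23 ms 12 ms 6 ms
 2 * * *
 3 203.0.113.9 5 ms !<10> 5ms !<10> 6ms !<10>
"""

def parse_tracert(text):
    """Return one dict per hop line: hop, ip, rtts_ms, codes, status."""
    hops = []
    for line in text.splitlines():
        m = HOP.match(line)
        if not m:
            continue  # prompt and banner lines carry no hop number
        rest = m.group(2)
        ip = IPV4.search(rest)
        probes = rest[ip.end():] if ip else rest
        codes = sorted({int(c) for c in re.findall(r"!<(\d+)>", probes)})
        rtts = [int(r) for r in re.findall(r"(\d+)\s*ms", probes)]
        status = "unreachable" if codes else "replied" if rtts else "silent"
        hops.append({"hop": int(m.group(1)), "ip": ip.group(0) if ip else None,
                     "rtts_ms": rtts, "codes": codes, "status": status})
    return hops

def explain(hop):
    """One-line reading of a hop for a troubleshooting note."""
    if hop["status"] == "silent":
        return (f"hop {hop['hop']}: no ICMP reply; check whether the device "
                "sends ICMP Time Exceeded or discards tracert packets")
    if hop["status"] == "unreachable":
        why = ", ".join(UNREACH.get(c, f"code {c}") for c in hop["codes"])
        return f"hop {hop['hop']} ({hop['ip']}): destination unreachable, {why}"
    return f"hop {hop['hop']} ({hop['ip']}): replied in {min(hop['rtts_ms'])} ms at best"

if __name__ == "__main__":
    for h in parse_tracert(SAMPLE):
        print(explain(h))
```

A hop reported as silent matches the firewall behaviour described at the top of this page: the device either does not send ICMP Time Exceeded messages or has firewall defend tracert enable configured.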
