next hop packet loss

Good afternoon. I am a newbie to this group, and this post is my first
post ever. A friend from another list recommended this group.

I have a Time Warner Business Class connection and am unable to reach
http://www.checkpoint.com to research product line I wish to carry. I
did a trace route and confirmed packets are past my network, Time Warner
network and onto next hop where they execute jump to nowhere
instruction.

Time Warner says it is off their network, and they can't help. I
received no reply from above.net next hop.

What is the best way to solve this type of problem?

Here is the tracert just now (it has been failing for weeks):

C:\Documents and Settings\jim.ray>tracert checkpoint.com

Tracing route to checkpoint.com [216.200.241.66]
over a maximum of 30 hops:

  1    52 ms    28 ms    37 ms  10.129.96.1
  2    10 ms    12 ms    16 ms  ten13-0-0-238.rlghnca-rtr1.nc.rr.com [66.26.32.242]
  3    16 ms    12 ms    12 ms  ae19.rlghncpop-rtr1.southeast.rr.com [24.93.64.0]
  4    19 ms    23 ms    24 ms  107.14.19.20
  5    16 ms    19 ms    19 ms  107.14.19.133
  6    28 ms    20 ms    19 ms  xe-0-1-1.er2.iad10.us.above.net [64.125.12.61]
  7    23 ms    19 ms    19 ms  xe-2-0-0.cr2.dca2.us.above.net [64.125.31.209]
  8    74 ms    49 ms    56 ms  xe-0-2-0.cr2.iah1.us.above.net [64.125.28.50]
  9    77 ms    79 ms    79 ms  xe-0-3-0.cr2.lax112.us.above.net [64.125.30.50]
 10    85 ms    86 ms    86 ms  xe-1-0-0.cr2.sjc2.us.above.net [64.125.31.233]
 11    84 ms    92 ms    86 ms  xe-1-1-0.er2.sjc2.us.above.net [64.125.26.202]
 12    86 ms    86 ms   105 ms  64.124.201.230.b709.above.net [64.124.201.230]
 13     *        *        *     Request timed out.
 14     *        *        *     Request timed out.
 15     *        *        *     Request timed out.
 16     *        *        *     Request timed out.
 17     *        *        *     Request timed out.
 18     *        *        *     Request timed out.
 19     *        *        *     Request timed out.
 20     *        *        *     Request timed out.
 21     *        *        *     Request timed out.
 22     *        *        *     Request timed out.
 23     *        *        *     Request timed out.
 24     *        *        *     Request timed out.
 25     *        *        *     Request timed out.
 26     *        *        *     Request timed out.
 27     *        *        *     Request timed out.
 28     *        *        *     Request timed out.
 29     *        *        *     Request timed out.
 30     *        *        *     Request timed out.

Trace complete.

Regards,

Jim Ray, President

Neuse River Networks

2 Davis Drive, PO Box 13169

Research Triangle Park, NC 27709

919-838-1672 x100

www.NeuseRiverNetworks.com <http://www.neuserivernetworks.com/>


Hi Jim,

What is the best way to solve this type of problem?

It's not a problem, it's checkpoint purporting to be 'secure' when all they're doing is blocking ICMP outright, seemingly.

If I try 'tcptraceroute' (from Linux) it works just fine, bar the Above.net hop in the middle that doesn't respond - ignore.

$ sudo tcptraceroute -n checkpoint.com
traceroute to checkpoint.com (216.200.241.66), 30 hops max, 60 byte packets
  1 81.187.203.81 0.719 ms 1.050 ms 1.298 ms
  2 90.155.53.54 30.184 ms 31.604 ms 32.370 ms
  3 90.155.53.43 33.891 ms 35.072 ms 36.021 ms
  4 85.91.238.217 37.016 ms 38.236 ms 39.215 ms
  5 85.91.224.10 40.226 ms 41.358 ms 42.354 ms
  6 212.187.200.145 164.713 ms 164.102 ms 164.020 ms
  7 4.69.139.99 45.316 ms 194.042 ms 194.088 ms
  8 64.125.14.17 194.297 ms 193.943 ms 193.558 ms
  9 64.125.31.198 194.304 ms 194.462 ms 193.560 ms
10 * * *
11 64.125.26.37 288.267 ms 284.237 ms 166.340 ms
12 64.125.24.38 178.571 ms 179.467 ms 156.769 ms
13 64.125.28.238 148.002 ms 147.244 ms 147.501 ms
14 64.125.26.141 206.010 ms 205.574 ms 205.426 ms
15 64.125.28.57 201.753 ms 172.439 ms 174.169 ms
16 64.124.201.230 176.866 ms 172.412 ms 172.510 ms
17 208.185.174.208 173.668 ms 174.310 ms 173.999 ms
18 216.200.241.66 <syn,ack> 172.504 ms 172.386 ms 172.700 ms

Tom

It is a problem with http protocol regardless of ICMP.

Well, you haven't provided any proof of that. Their website works just
fine for me (TM).

Since your troubleshooting is limited to methods that are blocked by
Checkpoint's network, you might need to revisit how you're going about
diagnosing the problem you're facing.

In any case, I won't be providing any further input following that response.

Tom

Sorry, I do not give verbose responses via iPhone on that small device
with my tired old eyes. I ran Wireshark this morning.

Without sniffing packets, the layman's description of problem is "I
can't get to vendor web site, http://www.CheckPoint.com, on Time Warner
Business Class network I use." Hence, http is blocked in addition to
ICMP.

It is what it is. Personally, I plan to use the phone to reach Check
Point since TCP/IP won't work. I also got call back from top local
executive at Time Warner this morning that has known me 17 years,
understands the problem and is trying to help. Again, no emergency here.
Still, I would like it to work and pay extra to have the commercial
connection with service level agreement.

Regards,

Jim Ray, President
Neuse River Networks
2 Davis Drive, PO Box 13169
Research Triangle Park, NC 27709
919-838-1672 x100
www.NeuseRiverNetworks.com

That's an artifact of Checkpoint blocking pings. Note the difference
between ICMP and TCP-based traceroutes:

traceroute -I 216.200.241.66
traceroute to 216.200.241.66 (216.200.241.66), 30 hops max, 60 byte packets
 1 sark.dirtside.com (70.182.189.216) 0.462 ms 0.494 ms 0.555 ms
 2 10.1.192.1 (10.1.192.1) 9.023 ms 9.197 ms 9.247 ms
 3 ip72-196-255-1.dc.dc.cox.net (72.196.255.1) 15.210 ms 15.497 ms 15.548 ms
 4 mrfddsrj01gex070003.rd.dc.cox.net (68.100.0.141) 13.594 ms 13.765 ms 13.817 ms
 5 68.1.4.139 (68.1.4.139) 14.752 ms 15.016 ms 14.951 ms
 6 ge-8-0-7.er2.iad10.us.above.net (64.125.12.241) 15.075 ms 9.565 ms 9.384 ms
 7 xe-5-1-0.cr2.dca2.us.above.net (64.125.29.77) 33.238 ms 26.629 ms 26.554 ms
 8 xe-2-2-0.cr2.iah1.us.above.net (64.125.30.53) 45.079 ms 45.230 ms 45.264 ms
 9 xe-0-3-0.cr2.lax112.us.above.net (64.125.30.50) 75.982 ms 76.212 ms 76.154 ms
10 xe-2-1-0.cr2.sjc2.us.above.net (64.125.26.30) 93.901 ms 94.044 ms 88.715 ms
11 xe-1-1-0.er2.sjc2.us.above.net (64.125.26.202) 88.542 ms 88.885 ms 90.094 ms
12 64.124.201.230.b709.above.net (64.124.201.230) 89.691 ms 89.060 ms 88.895 ms
13 * * *
14 * * *
15 * * *

traceroute -T -p 80 216.200.241.66
traceroute to 216.200.241.66 (216.200.241.66), 30 hops max, 60 byte packets
 1 sark.dirtside.com (70.182.189.216) 0.487 ms 0.520 ms 0.568 ms
 2 10.1.192.1 (10.1.192.1) 20.018 ms 24.851 ms 25.144 ms
 3 ip72-196-255-1.dc.dc.cox.net (72.196.255.1) 25.415 ms 25.502 ms 25.591 ms
 4 mrfddsrj01gex070003.rd.dc.cox.net (68.100.0.141) 25.139 ms 25.178 ms 25.260 ms
 5 68.1.4.139 (68.1.4.139) 37.509 ms 37.437 ms 37.362 ms
 6 ge-5-3-0.mpr2.iad10.us.above.net (64.125.13.57) 91.097 ms 89.808 ms ge-8-0-7.er2.iad10.us.above.net (64.125.12.241) 24.078 ms
 7 xe-5-1-0.cr2.dca2.us.above.net (64.125.29.77) 26.324 ms 11.950 ms 12.477 ms
 8 xe-2-2-0.cr2.iah1.us.above.net (64.125.30.53) 74.680 ms 74.575 ms 74.355 ms
 9 xe-0-3-0.cr2.lax112.us.above.net (64.125.30.50) 76.781 ms 76.330 ms 76.118 ms
10 xe-2-1-0.cr2.sjc2.us.above.net (64.125.26.30) 100.310 ms 100.026 ms 98.495 ms
11 xe-1-1-0.er2.sjc2.us.above.net (64.125.26.202) 98.631 ms 93.570 ms 94.380 ms
12 64.124.201.230.b709.above.net (64.124.201.230) 94.420 ms 97.053 ms 95.015 ms
13 208.185.174.208 (208.185.174.208) 96.208 ms 96.541 ms 96.384 ms
14 www.checkpoint.com (216.200.241.66) 97.406 ms 97.534 ms 97.891 ms

Since you get all the way to the Checkpoint border, try some basic
diagnostics like:

telnet www.checkpoint.com 80
GET / HTTP/1.1
Host: www.checkpoint.com

Wait for the telnet to succeed before you type GET. Make sure you
press enter twice after the last line. You're hand-jamming an HTTP
request.

If you don't connect then checkpoint is blocking your IP address for
one reason or another. Maybe there are hackers in your neighborhood.
Take it up with them by phone.

If you do connect but get no response to the "get" http request then
most likely checkpoint is blocking all ICMP packets and your path MTU
is smaller than 1500 bytes. The ICMP block prevents the fragmentation
needed message from reaching their web server, so it never figures out
it needs to shorten its packets. If, as a firewall company, they have
made this beginner mistake... 'nuff said.

And of course if you do get complete content back from the web server
then you have some other problem with your PC that's getting in the
way.

Regards,
Bill Herrin
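
The manual telnet test above, scripted so the outcomes can be told apart mechanically. This is an added example, not code from the thread; the function names and verdict strings are hypothetical, and the "Connection: close" header is an addition so that a healthy server ends the exchange with a FIN. Besides the three cases in the post it reports a response that starts and then ends early, and a reset.

```python
import socket

def read_response(sock, host, timeout=10.0):
    """Send the hand-typed GET on a connected socket; return (verdict, bytes_received)."""
    sock.settimeout(timeout)
    # "Connection: close" is added (not in the post) so a healthy server ends with a FIN.
    request = f"GET / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n"
    sock.sendall(request.encode("ascii"))
    data, ending = b"", "closed"
    try:
        while True:
            chunk = sock.recv(4096)
            if not chunk:          # orderly close (FIN)
                break
            data += chunk
    except socket.timeout:         # connected, then silence: the path-MTU symptom
        ending = "stalled"
    except ConnectionResetError:   # RST from the peer or a device in the path
        ending = "reset"
    head, sep, body = data.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    if b"content-length" in headers:
        whole = len(body) >= int(headers[b"content-length"])
    elif headers.get(b"transfer-encoding", b"").lower() == b"chunked":
        whole = body.endswith(b"0\r\n\r\n")
    else:
        whole = ending == "closed"  # body is delimited by the close itself
    if sep and whole:
        return ("complete", len(data))   # server side is fine: look at the client
    if ending == "closed":
        ending = "truncated"             # FIN arrived before the full body
    return (ending, len(data))

def diagnose(host, port=80, timeout=10.0):
    """Connect first, as in the telnet test, then classify the reply."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return ("no-connect", 0)         # refused, filtered or unreachable
    with sock:
        return read_response(sock, host, timeout)
```

A "stalled" verdict with a byte count near zero matches the blocked-ICMP, small-path-MTU case; "truncated" or "reset" is the point at which a packet capture is needed to see who ended the connection.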

Yesterday, Check Point's website was unreachable from other parts of
the world for some time with intermittent access for around an hour or
so I believe.

Eugeniu

They've had me blocked for a few weeks now. I've always been able to
reach it on Verizon network with iPhone, just not with Time Warner
Business Class.

I plan to take advice from kind members of group that offered it and
investigate a little more with Wireshark yet have been in middle of
client migration of aging Exchange 2003 server to 2010 version in the
cloud since Friday. http://www.CheckPoint.com can wait. I had a great
face to face meeting with person from another UTM company this morning
http://www.sophos.com

Regards,

Jim Ray, President
Neuse River Networks
2 Davis Drive, PO Box 13169
Research Triangle Park, NC 27709
919-838-1672 x100
www.NeuseRiverNetworks.com

telnet www.checkpoint.com 80
GET / HTTP/1.1
Host: www.checkpoint.com

...resolved some information and then lost connection according to this
trailer from the screen scrape:

      <!-- Column 2 -->
      <div class="column">
        <!--- <h2><a href="https://supportcenter.checkpoint.com/supportcenter/portal?ev

Connection to host lost.

Site resolves fine on Verizon network with my iPhone and not on Time
Warner network. Maybe Check Point is mad because my network is behind a
Sonic Wall and not their product.

Regards,

Jim Ray, President
Neuse River Networks
2 Davis Drive, PO Box 13169
Research Triangle Park, NC 27709
919-838-1672 x100
www.NeuseRiverNetworks.com

Hi Jim,

Immediately lost or lost after a couple of minutes of no output?

If there's a long delay, see path mtu detection in my prior post. If not...

If immediate, try it from in front of the sonic wall instead of behind
it. If it works, your sonic wall is malfunctioning (maybe Sonic Wall
is mad that you're checking out a competitor ;) ). If you get the same
result (lose the connection 75% of the way through), dig out wireshark
and see what packets you send and receive right around the connection
lost. It would help to know whether you're getting a TCP FIN, a TCP
RST or a destination unreachable, and if the latter which one and from
what IP.

Regards,
Bill Herrin