
Traceroute on Sophos XG

Hi.

How is it possible to activate traceroute in Sophos XG? In the last models there was a part to activate or deactivate this option, but in the XG I don't see any check for this purpose.

My hosts are reachable by ping, but when I launch traceroute the last hop is always the Sophos and I do not see any hop after the firewall.

 



  • Traceroute uses ICMP calls to find the hosts.

    https://en.wikipedia.org/wiki/Traceroute

    So basically your client tries to reach every hop via ICMP. If the last station is XG, it seems like XG is blocking your ICMP requests. Do you have a firewall rule to allow this client to use ICMP?


  • I remember having the same issue on v15 or v16, depending on the OS you are performing the tests from.

    In my case, Mac OS, traceroute does not work even if I create an ICMP firewall rule at the top.

    Here the tcpdump result:

    19:20:37.858433 Port1, IN: IP 192.168.0.8.33641 > 8.8.8.8.33435: UDP, length 24
    19:20:37.858588 Port1, OUT: IP 192.168.0.1 > 192.168.0.8: ICMP time exceeded in-transit, length 60

    19:20:37.865663 Port1, IN: IP 192.168.0.8.33641 > 8.8.8.8.33436: UDP, length 24
    19:20:37.865805 Port1, OUT: IP 192.168.0.1 > 192.168.0.8: ICMP time exceeded in-transit, length 60
    19:20:37.867118 Port1, IN: IP 192.168.0.8.33641 > 8.8.8.8.33437: UDP, length 24
    19:20:37.867249 Port1, OUT: IP 192.168.0.1 > 192.168.0.8: ICMP time exceeded in-transit, length 60
    19:20:37.868407 Port1, IN: IP 192.168.0.8.33641 > 8.8.8.8.33438: UDP, length 24
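The capture above shows UDP probes to ports 33435 to 33438; Unix-style traceroute (macOS included) probes with UDP by default, while Windows tracert sends ICMP echo requests. As an added example (not part of the original thread), this Python script reads tcpdump lines in the format shown and reports which probe protocol a firewall rule would have to match and which address answered with ICMP time exceeded. The names `summarize`, `split_port` and the 33434 to 33534 port range are assumptions of this example.

```python
import re
from collections import Counter

# Capture lines copied from the post above (Sophos XG tcpdump format).
CAPTURE = """\
19:20:37.858433 Port1, IN: IP 192.168.0.8.33641 > 8.8.8.8.33435: UDP, length 24
19:20:37.858588 Port1, OUT: IP 192.168.0.1 > 192.168.0.8: ICMP time exceeded in-transit, length 60
19:20:37.865663 Port1, IN: IP 192.168.0.8.33641 > 8.8.8.8.33436: UDP, length 24
19:20:37.865805 Port1, OUT: IP 192.168.0.1 > 192.168.0.8: ICMP time exceeded in-transit, length 60
19:20:37.867118 Port1, IN: IP 192.168.0.8.33641 > 8.8.8.8.33437: UDP, length 24
19:20:37.867249 Port1, OUT: IP 192.168.0.1 > 192.168.0.8: ICMP time exceeded in-transit, length 60
19:20:37.868407 Port1, IN: IP 192.168.0.8.33641 > 8.8.8.8.33438: UDP, length 24
"""

# timestamp, interface, direction, source, destination, protocol, remainder
LINE = re.compile(
    r"^(?P<ts>\S+) (?P<iface>\S+), (?P<dir>IN|OUT): IP "
    r"(?P<src>\S+) > (?P<dst>[^:]+): (?P<proto>UDP|ICMP)(?P<rest>.*)$"
)
# Conventional destination ports for UDP traceroute probes (base 33434).
TRACEROUTE_PORTS = range(33434, 33535)

def split_port(endpoint):
    """Split tcpdump 'a.b.c.d.port' into (ip, port); port is None for ICMP."""
    parts = endpoint.split(".")
    if len(parts) == 5:
        return ".".join(parts[:4]), int(parts[4])
    return endpoint, None

def summarize(capture):
    """Count traceroute probes by protocol and TTL-exceeded replies by sender."""
    probes, replies = Counter(), Counter()
    for raw in capture.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # blank or unrecognised line
        src_ip, _ = split_port(m["src"])
        _, dport = split_port(m["dst"])
        if m["proto"] == "UDP" and dport in TRACEROUTE_PORTS:
            probes["udp"] += 1
        elif m["proto"] == "ICMP" and "echo request" in m["rest"]:
            probes["icmp-echo"] += 1
        elif m["proto"] == "ICMP" and "time exceeded" in m["rest"]:
            replies[src_ip] += 1
    return {"probes": dict(probes), "ttl_exceeded_from": dict(replies)}

if __name__ == "__main__":
    print(summarize(CAPTURE))
```

A result with only `udp` probes means a rule that permits ICMP alone never matches the client's traceroute traffic.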
