Results 1 to 4 of 4
  1. #1
    Join Date
    Jan 2018

    Default TCP traceroute troubleshooting

    I am getting different traceroute results depending on whether I execute the traceroute from the NGFW or a machine behind the NGFW.

    For example: (The actual destination address has been changed for privacy)
    From the NGFW:
    [root@gw] ~ # traceroute -Tp 22
    traceroute to (, 30 hops max, 60 byte packets
     1  * * *
     2 (  2.882 ms  4.343 ms (  3.285 ms
     3  0.ae2.BR1.IAD8.ALTER.NET (  4.248 ms  3.632 ms  4.113 ms
     4  * * *
     5  * * *
     6 (  4.438 ms  6.578 ms  6.034 ms
     7 (  5.062 ms  4.774 ms  4.040 ms
     8 (  4.558 ms (  3.535 ms  5.516 ms
     9 (  28.550 ms  28.263 ms (  3.789 ms
    10  . (  4.713 ms  4.528 ms  3.465 ms
    11  * * *
    12  . (  3.846 ms  4.286 ms  4.244 ms
    From a host behind the NGFW:
    [root@server ~]# traceroute -Tp 22
    traceroute to (, 30 hops max, 60 byte packets
     1 (  1.016 ms  0.948 ms  1.576 ms
     2  . (  14.183 ms  11.449 ms  11.323 ms
    Historically when I have seen traceroutes like this one the route is going through a tunnel/vpn. However there are no tunnels/VPNs between these locations.

    Are one or more of the APPS on the NGFW encapsulating the packets? How can I get the same results from hosts behind the NGFW as I do from the NGFW itself?


  2. #2
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Phoenix, AZ


    Untangle routes according to its own routing table.

    The clients route according to their own routing table.

    Assuming the client is using Untangle as the router in question, things match.

    So, is Untangle

    You're right that VPN tunnels will change things, because matched traffic will find a tunnel and change course. But any other routing changes on Untangle will cause Untangle itself to use that same path too. Unless you've recently added or removed a VPN? Sometimes you have to reboot Untangle to get that change to sink in consistently.
    Rob Sandling, BS:SWE, MCP
    Phone: 866-794-8879 x201

  3. #3
    Join Date
    Jan 2018


    Thank you for responding. My apologizes for not being clear. is the internal interface of the NGFW. I do not have any VPN/Tunnels enabled on either the NGFW or the client.

    The routing on the client is basic and sends all traffic to the NGFW.

    If the NGFW is sending the traffic to a tunnel, what is the tunnel? Is there someway to configure traceroute traffic to by-pass the tunnel or what ever it is going through?

  4. #4
    Untangler jcoffin's Avatar
    Join Date
    Aug 2008
    Lake Tahoe


    Traceroute is based on response from upstream switches. The client behind NGFW is traveling across a NAT interface (LAN to WAN) therefore the client will not receive all the upstream traces due to NAT. Frankly traceroute is not very useful as the path displayed is not 100% accurate.
    Attention: Support and help on the Untangle Forums is provided by
    volunteers and community members like yourself.
    If you need Untangle support please call or email

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts

SEO by vBSEO 3.6.0 PL2