top | item 45537856

(no title)

ajd555 | 4 months ago

If a ping to a specific IP times out, I wouldn't say the IP is blocked. It could be that ICMP specifically is blocked, following some network rules on the firewall. This is pretty common in entreprise networks to not allow endpoint discovery. I could be missing something and happy to be corrected here, but I was surprised to read that.

discuss

EvanAnderson|4 months ago

I find it's important to remember, too, that a failed PING tells you nothing other than your echo request did not receive a response. If the remote host received your request, and if it responded, are both things a failed PING can't tell you, because both of those things could be true but you still end up with a failed PING.

I've seen technicians get tripped up in troubleshooting thinking that a failed PING tells them more than it does. When the possibility of asymmetric return paths is involved it's always important to remember how little a failed PING actually tells you.

jacquesm|4 months ago

And that can be a lot more subtle than you might think. I've had a persistent very hard to debug false alarm triggered on pings sometimes not making it and most of the time they did. But very rarely that would happen three times in a row and that was the threshold for raising an alarm. We spent days on this. Finally, the root cause was tracked down to a BNC 'T' connector at the back of a media adapter that filtered out the header of some percentage of ICMP packets. It is one of the weirdest IT problems I've ever encountered and it makes me wonder how much of what we rely on is actually marginal.

kulahan|4 months ago

I've always assumed that in situations like this, a traceroute is better. You can get more information simply by reaching the next stage in the trace, even if you're given zero information beyond "I'm now at the next server".

webstrand|4 months ago

I had an experience recently setting up a third-party VPN where the echo responses were being delivered to the correct (host,interface) but with the wrong destination address (not the same as made the request)

throwaway173738|4 months ago

I’ve had to explain this over and over throughout my career. The only way to know if something is accessible is to try the exact endpoint and protocol. Even application-aware firewalls will mess with things at times.

unknown|4 months ago

[deleted]

ogurechny|4 months ago

Yes, you need to test the exact protocol you want to use. This means tcping/curl, TLS with proper certificates and SNI domains, etc.

However, just as you make sure that the power supply actually supplies power before dismantling something that refuses to work down to the last washer, repairing network problems should start with the basics. Simple test that does not work, or shows something nonsensical, is a great hint that you forgot something, or should start digging elsewhere.

VladVladikoff|4 months ago

Yeah, ICMP tunnelling is also a common bypass method for captive networks, so simply blocking all ICMP seems logical.

EvanAnderson|4 months ago

Every time I've had to fight with path MTU discovery not working I've cursed the people who block all ICMP, though. If ICMP echo / echo-reply is the problem just block that. At the very least, allow destination unreachable / fragmentation needed thru (type 3, code 4).

_trampeltier|4 months ago

In my old company it was the oposite. Ping worked allways, even when you where blocked on to a specific VLAN.

EvanAnderson|4 months ago

I've worked in gigs that wanted that. They were all about segmentation, but wanted ICMP echo / response available throughout.

Edit: I wonder if any "enterprise" firewalls do ICMP echo proxying. Having the firewall replace the payload would remove some of the tunneling capability (thought I assume you could still finagle a side channel by just timing the packets) but would also eliminate some of the utility (since being able to craft the payload provides a way to test for specific bit patterns in packets causing problems).