Strange ping results – please advice

I would like to ask you to help me in interpretation of following results from ping command.

Basically under 12.12.12.12 IP address is external firewall which protects WEB servers. Servers are very busy and I would understand delays in response but my problem is if it is normal that you receive very short response time and after that no response at all. I would expect that response time should be longer but maybe I’m wrong. Could you advice please? I wonder if I have network problem.

Best Regards

Reply from 12.12.12.12: bytes=32 time=4ms TTL=60
Reply from 12.12.12.12: bytes=32 time=6ms TTL=60
Reply from 12.12.12.12: bytes=32 time=5ms TTL=60
Request timed out.
Reply from 12.12.12.12: bytes=32 time=4ms TTL=60
Reply from 12.12.12.12: bytes=32 time=4ms TTL=60
Reply from 12.12.12.12: bytes=32 time=5ms TTL=60
Reply from 12.12.12.12: bytes=32 time=5ms TTL=60
Request timed out.
Request timed out.
Reply from 12.12.12.12: bytes=32 time=3ms TTL=60
Request timed out.
Reply from 12.12.12.12: bytes=32 time=7ms TTL=60
Request timed out.
Reply from 12.12.12.12: bytes=32 time=10ms TTL=60
Request timed out.
Request timed out.
Reply from 12.12.12.12: bytes=32 time=5ms TTL=60
Request timed out.
Reply from 12.12.12.12: bytes=32 time=12ms TTL=60
Request timed out.
Reply from 12.12.12.12: bytes=32 time=4ms TTL=60
Reply from 12.12.12.12: bytes=32 time=5ms TTL=60
Reply from 12.12.12.12: bytes=32 time=5ms TTL=60

Find more posts tagged with

Free for TechExams community: Cybersecurity salary guide

Compare cert salaries and plan your next career move

Button

Comments

Forsaken_GA

It's hard to say without knowing the layout of your network, and what all is involved. If the web server is too busy to answer the packet, it's likely dropping it, in which case you will not receive a response. It's also possible your firewall is rate limiting ICMP

PiotrIr

Many thanks for your reply.

My server can’t be too busy to response because I’m pinging directly firewall – is it possible that firewall is too busy? Anyway is it possible that internet bandwidth is too small in this case? Suggestion with limitation of ICMP rate is quite interesting; however users are having problems with connections so I believe it something more hmm.
Any suggestions how to troubleshooting problem like that? I realize it may be very difficult and complex.

Once again many thanks for your help,

RobertKaucher

PiotrIr wrote: »

Many thanks for your reply.

My server can’t be too busy to response because I’m pinging directly firewall – is it possible that firewall is too busy? Anyway is it possible that internet bandwidth is too small in this case? Suggestion with limitation of ICMP rate is quite interesting; however users are having problems with connections so I believe it something more hmm.
Any suggestions how to troubleshooting problem like that? I realize it may be very difficult and complex.

Once again many thanks for your help,

Make sure the physical medium is ok. I had similar issues with a VPN connection not that long ago. At first I thought the issue was just a bad DSL connection, but with more digging I discovered there was actually a signal issue with the cable Internet on the other side of the connection.

I assume your setup is something like this?

DMZ

|Firewall|

Internal Network
.................. |
.................. |
............... Internet

Ping the firewall from both the internal and DMZ. Do you get the same result?
The firewall should have some way to view its statistics. If it is a cisco system you can probably use something like show interfaces ethernet 0/0
I am not very good with Cisco equipment, but I believe that would show some of the info you would need for looking into this. The Cisco guys would be able to tell you more.

Hyper-Me

Well you have to remember that ICMP traffic is very low priority and if the servers are that busy, the packets could be discarded.

However, normally when i see this ping behavior its when we have a physical network issue. Bad cable, bad fabric backbone, bad fiber, etc.

Forsaken_GA

PiotrIr wrote: »

Many thanks for your reply.

My server can’t be too busy to response because I’m pinging directly firewall – is it possible that firewall is too busy? Anyway is it possible that internet bandwidth is too small in this case? Suggestion with limitation of ICMP rate is quite interesting; however users are having problems with connections so I believe it something more hmm.
Any suggestions how to troubleshooting problem like that? I realize it may be very difficult and complex.

Once again many thanks for your help,

I don't know how your network is connected. Is the firewall also doing the routing for those web servers? Is it taking a handoff directly from a transit provider? It's very easy to say check the physical medium, but 12.12.12.12 is a live, routeable IP, and since it's a firewall, it could very well be a border device. If it is, I'd doubt it's the fiber. If you have access to the facility where it's at, by all means, replace the jumper and see if that fixes the problem, otherwise the culprit is probably going to be the firewall itself. Have you checked the logs to see if they can give you a hint as to what's up?

PiotrIr

Many thanks for your replies.

Ok so basically configuration is I believe quite complex. I have two Juniper firewalls in cluster so basically first one has IP address 12.12.12.10 second 12.12.12.11 and cluster (or whatever fail over solution for firewalls is called) 12.12.12.12. When I ping 12.12.12.10 and 12.12.12.12 I’m getting results like above. When I ping 12.12.12.11 I have no connectivity problem.

The Firewall does NAT for WEB servers but using different addresses than above.
I also have done the test outside working hours and loosing packets was very, very really.
Unfortunately border device is out of my control as they are owned by hosing centre (to be honest firewalls as well because we have third party company which manage them). I don’t want to log a call with them before will be able to improve that problem is not in bandwidth.

Is any external test which I can do and give me some information? I did pathing and can see some packet lost but (6-12% depends of testing time) between border device and firewall.

Do you think it is bandwidth or network problem?

RobertKaucher

PiotrIr wrote: »

Many thanks for your replies.

Ok so basically configuration is I believe quite complex. I have two Juniper firewalls in cluster so basically first one has IP address 12.12.12.10 second 12.12.12.11 and cluster (or whatever fail over solution for firewalls is called) 12.12.12.12. When I ping 12.12.12.10 and 12.12.12.12 I’m getting results like above. When I ping 12.12.12.11 I have no connectivity problem.

The Firewall does NAT for WEB servers but using different addresses than above.

Is 10 the primary for the cluster? Check the physical medium before you go any further. Since one device is having an issue and another does not seem to be having them I would suggest the first thing you do is check the cable.

PiotrIr wrote: »

I also have done the test outside working hours and loosing packets was very, very really.

Sorry, I have no idea what you are trying to say...

PiotrIr wrote: »

Unfortunately border device is out of my control as they are owned by hosing centre (to be honest firewalls as well because we have third party company which manage them). I don’t want to log a call with them before will be able to improve that problem is not in bandwidth.

If you are unable to check the cable to be sure it is not something other than the device, you should just call the company who manages teh devices.

PiotrIr wrote: »

Do you think it is bandwidth or network problem?

I think the two theories presented by myself and Hyper-Me and Forsaken are the most likely. Either it's the physical medium or something is up with the device itself. But when faced with issues like this the first thing I always do is "check layer one."

PiotrIr

Many thanks for your reply

RobertKaucher wrote: »

Is 10 the primary for the cluster? Check the physical medium before you go any further. Since one device is having an issue and another does not seem to be having them I would suggest the first thing you do is check the cable.

It may be beacuse one is active and seccond passive.

RobertKaucher wrote: »

Sorry, I have no idea what you are trying to say....

Out of working hours there is no problem like that.

RobertKaucher wrote: »

If you are unable to check the cable to be sure it is not something other than the device, you should just call the company who manages teh devices.

Because companies often say there is no problem I prefere to check it before I will call.

RobertKaucher wrote: »

I think the two theories presented by myself and Hyper-Me and Forsaken are the most likely. Either it's the physical medium or something is up with the device itself. But when faced with issues like this the first thing I always do is "check layer one."

So can you definitely exclude bandwidth?