telnet www.checkpoint.com 80 GET / HTTP/1.1 Host: www.checkpoint.com ...resolved some information and then lost connection according to this trailer from the screen scrape: <!-- Column 2 --> <div class="column"> <!--- <h2><a href="https://supportcenter.checkpoint.com/supportcenter/p ortal?ev Connection to host lost. Site resolves fine on Verizon network with my iPhone and not on Time Warner network. Maybe Check Point is mad because my network is behind a Sonic Wall and not their product. Regards, Jim Ray, President Neuse River Networks 2 Davis Drive, PO Box 13169 Research Triangle Park, NC 27709 919-838-1672 x100 www.NeuseRiverNetworks.com -----Original Message----- From: wherrin@gmail.com [mailto:wherrin@gmail.com] On Behalf Of William Herrin Sent: Tuesday, August 07, 2012 10:51 AM To: Jim Ray Cc: nanog@nanog.org Subject: Re: next hop packet loss On Mon, Aug 6, 2012 at 11:27 AM, Jim Ray <jim@neuse.net> wrote:
I have a Time Warner Business Class connection and am unable to reach http://www.checkpoint.com to research product line I wish to carry. I did a trace route and confirmed packets are past my network, Time Warner network and onto next hop where they execute jump to nowhere instruction. Here is the tracert just now (it has been failing for weeks):
That's an artifact of Checkpoint blocking pings. Note the difference between ICMP and TCP-based traceroutes: traceroute -I 216.200.241.66 traceroute to 216.200.241.66 (216.200.241.66), 30 hops max, 60 byte packets 1 sark.dirtside.com (70.182.189.216) 0.462 ms 0.494 ms 0.555 ms 2 10.1.192.1 (10.1.192.1) 9.023 ms 9.197 ms 9.247 ms 3 ip72-196-255-1.dc.dc.cox.net (72.196.255.1) 15.210 ms 15.497 ms 15.548 ms 4 mrfddsrj01gex070003.rd.dc.cox.net (68.100.0.141) 13.594 ms 13.765 ms 13.817 ms 5 68.1.4.139 (68.1.4.139) 14.752 ms 15.016 ms 14.951 ms 6 ge-8-0-7.er2.iad10.us.above.net (64.125.12.241) 15.075 ms 9.565 ms 9.384 ms 7 xe-5-1-0.cr2.dca2.us.above.net (64.125.29.77) 33.238 ms 26.629 ms 26.554 ms 8 xe-2-2-0.cr2.iah1.us.above.net (64.125.30.53) 45.079 ms 45.230 ms 45.264 ms 9 xe-0-3-0.cr2.lax112.us.above.net (64.125.30.50) 75.982 ms 76.212 ms 76.154 ms 10 xe-2-1-0.cr2.sjc2.us.above.net (64.125.26.30) 93.901 ms 94.044 ms 88.715 ms 11 xe-1-1-0.er2.sjc2.us.above.net (64.125.26.202) 88.542 ms 88.885 ms 90.094 ms 12 64.124.201.230.b709.above.net (64.124.201.230) 89.691 ms 89.060 ms 88.895 ms 13 * * * 14 * * * 15 * * * traceroute -T -p 80 216.200.241.66 traceroute to 216.200.241.66 (216.200.241.66), 30 hops max, 60 byte packets 1 sark.dirtside.com (70.182.189.216) 0.487 ms 0.520 ms 0.568 ms 2 10.1.192.1 (10.1.192.1) 20.018 ms 24.851 ms 25.144 ms 3 ip72-196-255-1.dc.dc.cox.net (72.196.255.1) 25.415 ms 25.502 ms 25.591 ms 4 mrfddsrj01gex070003.rd.dc.cox.net (68.100.0.141) 25.139 ms 25.178 ms 25.260 ms 5 68.1.4.139 (68.1.4.139) 37.509 ms 37.437 ms 37.362 ms 6 ge-5-3-0.mpr2.iad10.us.above.net (64.125.13.57) 91.097 ms 89.808 ms ge-8-0-7.er2.iad10.us.above.net (64.125.12.241) 24.078 ms 7 xe-5-1-0.cr2.dca2.us.above.net (64.125.29.77) 26.324 ms 11.950 ms 12.477 ms 8 xe-2-2-0.cr2.iah1.us.above.net (64.125.30.53) 74.680 ms 74.575 ms 74.355 ms 9 xe-0-3-0.cr2.lax112.us.above.net (64.125.30.50) 76.781 ms 76.330 ms 76.118 ms 10 xe-2-1-0.cr2.sjc2.us.above.net (64.125.26.30) 100.310 ms 100.026 ms 98.495 ms 11 xe-1-1-0.er2.sjc2.us.above.net (64.125.26.202) 98.631 ms 93.570 ms 94.380 ms 12 64.124.201.230.b709.above.net (64.124.201.230) 94.420 ms 97.053 ms 95.015 ms 13 208.185.174.208 (208.185.174.208) 96.208 ms 96.541 ms 96.384 ms 14 www.checkpoint.com (216.200.241.66) 97.406 ms 97.534 ms 97.891 ms Since you get all the way to the Checkpoint border, try some basic diagnostics like: telnet www.checkpoint.com 80 GET / HTTP/1.1 Host: www.checkpoint.com Wait for the telnet to succeed before you type GET. Make sure you press enter twice after the last line. You're hand-jamming an HTTP request. If you don't connect then checkpoint is blocking your IP address for one reason or another. Maybe there are hackers in your neighborhood. Take it up with them by phone. If you do connect but get no response to the "get" http request then most likely checkpoint is blocking all ICMP packets and your path MTU is smaller than 1500 bytes. The ICMP block prevents the fragmentation needed message from reaching their web server, so it never figures out it needs to shorten its packets. If, as a firewall company, they have made this beginner mistake... 'nuff said. And of course if you do get complete content back from the web server then you have some other problem with your PC that's getting in the way. Regards, Bill Herrin -- William D. Herrin ................ herrin@dirtside.com bill@herrin.us 3005 Crane Dr. ...................... Web: <http://bill.herrin.us/> Falls Church, VA 22042-3004