
Here is the setting on server A:

iface serverA_gre0 inet tunnel
        address 172.24.0.85
        mode gre
        endpoint x.x.x.x
        dstaddr 172.24.0.86
        netmask 255.255.255.252
        ttl 255

Setting on server B:

iface serverB_gre0 inet tunnel
        address 172.24.0.86
        mode gre
        endpoint x.x.x.x
        dstaddr 172.24.0.85
        netmask 255.255.255.252
        ttl 255

Without "ttl 255":

traceroute to 172.24.0.86 (172.24.0.86), 30 hops max, 60 byte packets
 1  * * *
 2  * * *
 3  * * *
 4  * * *
 5  * * *
 6  172.24.0.86  54.507 ms  62.888 ms  51.369 ms

With "ttl 255":

traceroute to 172.24.0.86 (172.24.0.86), 30 hops max, 60 byte packets
 1  172.24.0.86  51.123 ms  51.733 ms  51.943 ms

What exactly causes those "*" when "ttl 255" isn't set?

Thomas G. Lau

1 Answer


TTL stands for Time to Live. It is a field present in the IP packet header. The value is initially set by the sender, often to 64, and decremented by one by every router. When it reaches 0 before reaching the final destination, the router drops the packet and sends an ICMP Time Exceeded message back to the original source. This TTL processing is important to prevent unroutable IP packets from being forwarded forever on an IP network, consuming resources.

Traceroute uses this TTL behavior to figure out what hops and how many hops (routers) there are on a path to a destination. It sends out probe IP packets with small TTLs in sequence: TTL=1, TTL=2, TTL=3. TTL=1 will be dropped by the first router, TTL=2 will be forwarded by the first and dropped by the second, and so on. If traceroute receives an ICMP Time Exceeded message from a router, it will display its IP address. If the probe times out, an asterisk is displayed.

To return to the effect you are seeing, it is because of how GRE tunneling works with regard to TTL. For IPv4 GRE tunnels, the default is to copy the TTL from the tunneled packet to the IPv4 GRE packet. This can be overridden by the ttl option as you did. Relevant excerpt from the manual:

ttl N
hoplimit N

    set a fixed TTL (IPv4) or hoplimit (IPv6) N on tunneled
    packets. N is a number in the range 1--255. 0 is a special
    value meaning that packets inherit the TTL value. The default
    value for IPv4 tunnels is: inherit. The default value for IPv6
    tunnels is: 64.

So, when you do use ttl 255, a probe sent by traceroute with TTL=1 will be encapsulated into a GRE IPv4 packet with TTL=255. This will be forwarded by all the intermediate routers and reach the tunnel endpoint and be received and handled by the final destination.

When you do not use ttl 255, the default is ttl inherit. This means that a traceroute probe with TTL=1 will be encapsulated in a GRE IPv4 packet with TTL=1. It will be dropped by the first router. However, it is the GRE packet that is dropped and if the router sends an ICMP Time Exceeded, then it will refer to the encapsulating packet (GRE) and not to the encapsulated traceroute probe. Therefore the traceroute process will not receive any ICMP error, the probe times out, and an asterisk (*) is displayed.

When the TTL is large enough for the GRE encapsulated packet to reach the tunnel endpoint, then finally the probe also reaches the final destination and its IP address is displayed.

So, to conclude, you really do not have an issue, but things work exactly as they should!

Anton
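The behaviour described in the answer above can be reproduced with a small simulation. This is an added example, not code from the original post. It assumes five underlay routers between the tunnel endpoints (inferred from the six-line traceroute in the question) and uses placeholder documentation addresses for the x.x.x.x endpoints and the routers.

```python
from dataclasses import dataclass

INHERIT = 0  # "ttl 0": outer header copies the inner TTL (IPv4 default)
A_IN, B_IN = "172.24.0.85", "172.24.0.86"   # tunnel addresses from the question
A_OUT, B_OUT = "192.0.2.1", "198.51.100.1"  # placeholder endpoints (x.x.x.x on the page)
UNDERLAY = [f"203.0.113.{i}" for i in range(1, 6)]  # assumed: 5 routers between endpoints

@dataclass
class Packet:
    src: str
    dst: str
    ttl: int
    proto: str
    payload: "Packet | None" = None

def gre_encap(inner, tunnel_ttl):
    """Wrap the probe in an outer IPv4/GRE header, applying the tunnel's ttl option."""
    outer_ttl = inner.ttl if tunnel_ttl == INHERIT else tunnel_ttl
    return Packet(A_OUT, B_OUT, outer_ttl, "gre", inner)

def underlay_forward(pkt, routers):
    """Return (packet delivered to the far endpoint, ICMP error); one is None."""
    for router in routers:
        pkt.ttl -= 1
        if pkt.ttl == 0:
            # Time Exceeded quotes the dropped packet, which is the GRE one.
            return None, Packet(router, pkt.src, 64, "icmp-time-exceeded", pkt)
    return pkt, None

def traceroute(tunnel_ttl, routers=UNDERLAY, max_hops=30):
    """Simulate traceroute from server A to B_IN through the tunnel."""
    lines = []
    for hop in range(1, max_hops + 1):
        probe = Packet(A_IN, B_IN, hop, "udp")
        delivered, icmp = underlay_forward(gre_encap(probe, tunnel_ttl), routers)
        if delivered is None:
            # The error refers to a GRE packet, not the UDP probe, so
            # traceroute cannot match it (as the answer explains): timeout.
            lines.append(f"{hop}  * * *")
            continue
        lines.append(f"{hop}  {delivered.payload.dst}")  # decapsulated at server B
        break
    return lines

if __name__ == "__main__":
    for label, ttl in (("ttl inherit", INHERIT), ("ttl 255", 255)):
        print(label, *traceroute(ttl), sep="\n  ")
```

A fixed ttl smaller than the underlay path length (for example 3 here) makes every probe time out, because the outer packet never reaches the far endpoint.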