Chapter 5 Troubleshooting : Troubleshooting common issues : Common issues and questions : Run ping and traceroute : Traceroute

Where ping will only tell you if it reached its destination and came back successfully, traceroute will show each step of its journey to its destination and how long each step takes. If ping finds an outage between two points, traceroute can be used to locate exactly where the problem is.
What is traceroute
Traceroute works by sending ICMP packets to test each hop along the route. It will send out three packets, and then increase the time to live (TTL) setting by one each time. This effectively allows the packets to go one hop farther along the route. This is the reason why most traceroute commands display their maximum hop count before they start tracing the route — that is the maximum number of steps it will take before declaring the destination unreachable. Also the TTL setting may result in steps along the route timing out due to slow responses. There are many possible reasons for this to occur.
Traceroute by default uses UDP datagrams with destination ports numbered from 33434 to 33534. The traceroute utility usually has an option to specify use of ICMP echo request (type 8) instead, as used by the Windows tracert utility. If you have a firewall and if you want traceroute to work from both machines (Unix-like systems and Windows) you will need to allow both protocols inbound through your FortiGate security policies (UDP with ports from 33434 to 33534 and ICMP type 8).
You can also use the packet count column of the Policy > Policy > Policy page to track traceroute packets. This allows you to verify the connection, but also confirm which security policy the traceroute packets are using.
What traceroute can tell you
ping and traceroute have similar functions — to verify connectivity between two points. The big difference is that traceroute shows you each step of the way, where ping doesn’t. Also, ping and traceroute use different protocols and ports, so one may succeed where the other fails.
You can verify your DNS connection using traceroute. If you enter an FQDN instead of an IP address for the traceroute, DNS will try to resolve that domain name. If the name does not get resolved, you know you have DNS issues.
How to use traceroute
The traceroute command varies slightly between operating systems. Note that in MS Windows the command name is shortened to “tracert”. Also, your output will list different domain names and IP addresses along your route.
To use traceroute on an MS Windows PC
In Windows XP, select Start > Run, enter cmd, and select OK.
Enter “tracert” to trace the route from the PC to the Fortinet web site.
Output will appear as:
Tracing route to []
over a maximum of 30 hops:
1 <1 ms <1 ms <1 ms
2 66 ms 24 ms 31 ms []
3 52 ms 22 ms 18 ms []
4 43 ms 36 ms 27 ms []
5 46 ms 21 ms 16 ms []
6 25 ms 45 ms 53 ms []
7 89 ms 70 ms 36 ms []
8 55 ms 77 ms 58 ms []
9 53 ms 58 ms 46 ms []
10 82 ms 90 ms 75 ms []
11 122 ms 123 ms 132 ms []
12 129 ms 119 ms 139 ms
13 172 ms 164 ms 243 ms []
14 99 ms 94 ms 93 ms
15 108 ms 102 ms 89 ms
16 98 ms 95 ms 97 ms
Trace complete.
The first, or the left column, is the hop count, which cannot go over 30 hops. When that number is reached, the traceroute ends.
The second, third, and fourth columns display how much time each of the three packets takes to reach this stage of the route. These values are in milliseconds and normally vary quite a bit. Typically a value of <1ms indicates a local connection.
The fifth, or the column farthest to the right, is the domain name of that device and its IP address or possibly just the IP address.
To perform a traceroute on a Linux PC
Enter “/bin/etc/traceroute”.
The Linux traceroute output is very similar to the MS Windows tracert output.

FortiOS Handbook, FortiOS 4.0 MR3
01-433-99686-20120305 · 05 March 2012
© 2012 Fortinet, Inc. All rights reserved.
FortiGate Cookbook:
Latest documentation:
Contact us: