Troubleshooting TCP/IP Routing

Troubleshoot TCP/IP routing. Tools might include the route, tracert, ping, pathping, and netsh commands and Network Monitor.

To conclude this chapter, we will now spend some time examining troubleshooting of TCP/IP routing. Knowing how to skillfully troubleshoot a routing problem is key to being able to administer a WAN. You have to know how to troubleshoot problems when they occur, and Windows Server 2003 provides several tools to help you do that.

There are five commands and one utility: route, tracert, ping, pathping, netsh, and the Network Monitor utility. Knowing when to use which one is the key to survival in this area of the 70-293 exam. Let's start our discussion of these troubleshooting tools with the route command.

The route Command

As mentioned earlier, routers keep routing tables. If you are using static routes, you must manually edit your routing tables; the route command is the means by which you do this. Although you can use the RRAS console to manipulate this data, nothing is faster or easier than using the route command. Within seconds, you can add a route in the routing table, adjust one, or take one out.

The route command is easy to manipulate. You use the route command, like most of the other commands we will look at, from the command line. Entering the route command by itself provides you with a detailed description of its use. The syntax of the route command is as follows and is detailed in Table 4.2:

 
 ROUTE [-f] [-p] [command] [destination] [MASK netmask] [gateway] [METRIC metric] [IF interface]

Table 4.2. route Parameters

Parameter        Description
-f               Instructs the route command to clear the routing tables of all gateway entries.
-p               Specifies that a route being added is to be persistent and not dumped when the computer is restarted.
command          Specifies the action that is to be carried out. print prints a route. add adds a route. delete deletes a route. change changes an existing route.
destination      Specifies the host.
MASK netmask     Specifies a subnet mask value for the routing entry. If a value is not specified, the default of 255.255.255.255 is used.
gateway          Specifies a gateway.
METRIC metric    Specifies the metric (route cost) of the destination.
IF interface     Specifies the interface number for the route.

You can use the route print command to display the routing table. You need to be familiar with its output. In the following output, you can see a standard routing table that consists of route statements with specific details in each route:

 
 C:\>route print
 =========================================================================
 Interface List
 0x1 ........................... MS TCP Loopback interface
 0x1000003 ...00 07 85 b4 0e ec ...... PCX50422 Cisco Systems352 series
 0x1000004 ...00 08 74 97 0c 26 ...... EL90Xbc0 3Com EtherLink PCI
 =========================================================================
 =========================================================================
 Active Routes:
 Network Destination        Netmask          Gateway       Interface  Metric
           0.0.0.0          0.0.0.0       10.2.102.1    10.2.102.173       1
         127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
        10.2.102.0    255.255.255.0     10.2.102.173    10.2.102.173       1
      10.2.102.173  255.255.255.255        127.0.0.1       127.0.0.1       1
      10.2.255.255  255.255.255.255     10.2.102.173    10.2.102.173       1
         10.2.3.31  255.255.255.255       10.2.102.3    10.2.102.173       1
    216.136.227.78  255.255.255.255       10.2.102.2    10.2.102.173       1
         224.0.0.0        224.0.0.0     10.2.102.173    10.2.102.173       1
   255.255.255.255  255.255.255.255     10.2.102.173    10.2.102.173       1
 Default Gateway:     134.141.102.1
 =========================================================================
 Persistent Routes:
   None

 C:\>

Let's examine the first entry in the routing table to see how it is laid out:

 
 0.0.0.0          0.0.0.0       10.2.102.1    10.2.102.173       1 

The first 0.0.0.0 is the destination, and the following 0.0.0.0 is the network subnet mask. In other words, when you need to move traffic from one network to another, you specify the destination address together with its proper subnet mask. For example, you might want traffic from the 10.1.0.0 network to be able to cross your router to the 10.2.0.0 network; a route is what makes that happen. Here, all 0s in both the destination and the netmask mean that this is a default route: any destination network, with any netmask, is sent out the other interface of your server toward the next hop. This is what the interface and gateway columns are for. The gateway IP address, 10.2.102.1, specifies the forwarding (next hop) IP address through which the set of addresses defined by the network destination and subnet mask are reachable. The metric is the cost assigned to a route. When more than one route matches a destination, the route with the lowest metric is chosen, so assigning higher or lower metrics is how you control which of several routes is preferred. The interface is simply the interface index of the NIC over which the destination address can be reached.
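Here is an added example, not code from the book, that turns the Active Routes block of a route print listing into a lookup table and applies the selection rule the paragraph describes: the most specific matching entry (longest netmask) wins, and among equally specific entries the lowest metric wins. The table text is constructed from the chapter's addresses, with two extra 10.2.3.0/24 entries added to show the metric tie-break. Windows performs this lookup inside the TCP/IP stack; the code only models it.

```python
import ipaddress
import re

# Constructed sample (not the book's listing): the Active Routes block of a
# Windows `route print`, using the chapter's addresses plus two extra
# 10.2.3.0/24 entries with different metrics to show tie-breaking.
ROUTE_PRINT_ACTIVE_ROUTES = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0       10.2.102.1    10.2.102.173       1
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
       10.2.102.0    255.255.255.0     10.2.102.173    10.2.102.173       1
     10.2.102.173  255.255.255.255        127.0.0.1       127.0.0.1       1
        10.2.3.31  255.255.255.255       10.2.102.3    10.2.102.173       1
         10.2.3.0    255.255.255.0       10.2.102.2    10.2.102.173       1
         10.2.3.0    255.255.255.0       10.2.102.4    10.2.102.173      20
"""

# One row: destination, netmask, gateway, interface, metric (metric is numeric,
# so the header line never matches).
ROUTE_LINE = re.compile(r"^\s*(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")


def parse_routes(text):
    """Turn the Active Routes text into (network, gateway, interface, metric)
    tuples; header lines and anything that is not a dotted-quad row are skipped."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_LINE.match(line)
        if not m:
            continue
        dest, mask, gateway, iface, metric = m.groups()
        try:
            network = ipaddress.IPv4Network((dest, mask), strict=False)
        except ValueError:
            continue  # not an address/netmask pair
        routes.append((network, gateway, iface, int(metric)))
    return routes


def select_route(routes, destination):
    """Route selection as the text describes it: the most specific matching
    entry (longest netmask) wins, and among equally specific entries the
    lowest metric wins. Returns None when nothing matches, which cannot
    happen while a 0.0.0.0/0 default route is present."""
    addr = ipaddress.IPv4Address(destination)
    matches = [r for r in routes if addr in r[0]]
    if not matches:
        return None
    # sort key: longest prefix first (negated so min() picks it), then lowest metric
    return min(matches, key=lambda r: (-r[0].prefixlen, r[3]))


def next_hop(routes, destination):
    """Return (gateway, interface) for a destination. When the gateway equals
    the interface address the destination is on-link and no router is used."""
    route = select_route(routes, destination)
    return None if route is None else (route[1], route[2])


if __name__ == "__main__":
    table = parse_routes(ROUTE_PRINT_ACTIVE_ROUTES)
    for dst in ("10.2.102.50", "10.2.3.31", "10.2.3.40", "216.136.227.78"):
        net, gw, iface, metric = select_route(table, dst)
        print(f"{dst:>15} -> {str(net):>18} via {gw:>13} on {iface} metric {metric}")
```

Running the block shows 10.2.3.31 leaving via the host route's gateway 10.2.102.3 even though a 10.2.3.0/24 entry also matches, 10.2.3.40 taking the metric-1 entry over the metric-20 one, and an address with no specific entry falling through to the 0.0.0.0/0 default route.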

The tracert Command

The tracert command is one of the most important routing troubleshooting commands around. Not knowing tracert (or Traceroute for Unix and Cisco systems) is not a good thing. The tracert command helps you to find problem spots in a routed network. Consider Figure 4.47.

Figure 4.47. The tracert command will be useful in troubleshooting this complex routing environment.

Where would you find the problem if you had one? Let's create a fictional problem that is very common on most production networks today. The clients on the 10.0.0.0 network routinely access the Web server located at 12.1.2.2 with no problems. Today, your clients suddenly can't get to this Web server at 12.1.2.2. What would you do? Well, you can do many things, but by using tracert, you can trace a route out from the 10.0.0.2 host to the 12.1.2.2 host, which is the Web server, and see where the packets drop, if they do. Here is an example:

 
 C:\>tracert 12.1.2.2

 Tracing route to 12.1.2.2 over a maximum of 30 hops

   1    10 ms    10 ms    10 ms  10.0.0.1
   2    10 ms    10 ms    10 ms  10.0.1.1
   3    40 ms    30 ms    40 ms  10.0.2.1
   4    40 ms    40 ms    40 ms  12.1.2.1

Now, you can see how useful this command is. If the 10.0.2.1 router were down (nonfunctional), you would get a request timeout or unreachable ICMP-based error message so that you would know that you have a problem there.

Another useful function of the tracert command is to analyze traffic routes to determine whether the most economical route is being taken. This function is especially useful for troubleshooting and tuning private networks where you can make changes (or have changes made) on the routers of concern. Recall that RIP does not differentiate between a one-hop route using a 56Kbps link or a one-hop route using a full T1 link. The tracert command can be used to determine exactly how traffic is moving from one point to another and correct such problems.

As with most of the other commands we will look at, you use the tracert command from the command line. Entering the tracert command by itself provides you with a detailed description of its use. The syntax of the tracert command is as follows and is detailed in Table 4.3:

 
 tracert [-d] [-h maximum_hops] [-j host-list] [-w timeout] [-R] [-S srcaddr] [-4] [-6] target_name

Table 4.3. tracert Parameters

Parameter          Description
-d                 Prevents tracert from resolving IP addresses of routers to hostnames, which increases the speed of the tracert because DNS name resolution is not required.
-h maximum_hops    Specifies the maximum number of router hops that will be taken to the destination host.
-w timeout         Specifies a timeout in milliseconds to wait for an ICMP Echo Reply or Time Exceeded message to be received. The default time is 4 seconds. If this time is exceeded, an asterisk (*) is returned instead of a time value.
-R                 Specifies that the round-trip path is to be tested. The -R parameter is used only for IPv6.
-S srcaddr         Specifies the source address to start the tracert from. The -S parameter is used only for IPv6.
-4                 Specifies that IPv4 is to be used, which is the default.
-6                 Specifies that IPv6 is to be used.
target_name        Specifies the destination of the tracert.

The tracert command functions by sending ICMP Echo Request packets to the specified destination, similar to the ping command (discussed next), but with a key difference. For the first group of packets sent out, the TTL (time to live) is set to 1. When the packets reach the first router, the router decrements the TTL by 1, causing the TTL to be zero. A TTL of zero results in the router discarding the packets and sending back an error message to the originating system. This error message contains the IP address of the sending router, which is then displayed as the first line of the output. The process then continues, but with the next group of three packets having a TTL of 2, thus allowing them to pass the first router, which decrements their TTL to 1, and make their way to the second router. The second router decrements the TTL to zero, and the process continues.
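The TTL mechanism just described, as an added simulation that is not code from the book. The topology is an assumption built from the chapter's example (host 10.0.0.2, four routers, Web server 12.1.2.2); the `silent` and `down` sets are hypothetical knobs that model a router that filters ICMP but still forwards, and a router that has failed outright, so you can see why the two cases look different in the trace.

```python
# Added simulation of the tracert TTL mechanism (not code from the book).
# Topology is an assumption built from the chapter's example: the host
# 10.0.0.2 reaches the Web server 12.1.2.2 through four routers.
PATH = ["10.0.0.1", "10.0.1.1", "10.0.2.1", "12.1.2.1"]
DESTINATION = "12.1.2.2"


def forward(path, destination, ttl, silent=frozenset(), down=frozenset()):
    """Follow one probe with the given TTL through the routers in `path`.

    Each router decrements the TTL; the router that drives it to zero
    discards the probe and answers ICMP Time Exceeded, which is how
    tracert learns that router's address. A router in `silent` still
    forwards but never answers (ICMP filtered); a router in `down` is
    dead, so nothing gets past it. Returns (responder, message).
    """
    for router in path:
        if router in down:
            return None, "timeout"          # a dead router forwards nothing
        ttl -= 1
        if ttl == 0:
            if router in silent:
                return None, "timeout"      # dropped, but no Time Exceeded sent
            return router, "time exceeded"
    return destination, "echo reply"        # survived every router


def tracert(path, destination, max_hops=30, silent=frozenset(), down=frozenset()):
    """Send probes with TTL 1, 2, 3, ... until the destination answers the
    Echo Request or max_hops is reached. Returns [(hop, responder_or_None)]."""
    hops = []
    for ttl in range(1, max_hops + 1):
        responder, message = forward(path, destination, ttl, silent, down)
        hops.append((ttl, responder))
        if message == "echo reply":
            break
    return hops


def render(hops):
    """Format the trace the way the Windows tool lays it out: one row per TTL,
    with '*' columns and 'Request timed out.' where no reply came back."""
    lines = []
    for hop, responder in hops:
        if responder is None:
            lines.append(f"{hop:3d}     *        *        *     Request timed out.")
        else:
            lines.append(f"{hop:3d}  {responder}")
    return "\n".join(lines)


if __name__ == "__main__":
    print("healthy path:")
    print(render(tracert(PATH, DESTINATION)))
    print("\n10.0.2.1 forwards but filters ICMP:")
    print(render(tracert(PATH, DESTINATION, silent={"10.0.2.1"})))
    print("\n10.0.2.1 down:")
    print(render(tracert(PATH, DESTINATION, max_hops=6, down={"10.0.2.1"})))
```

The two failure renderings are the point: a router that only filters ICMP shows up as a single timed-out row with the later hops still answering, whereas a router that is actually down times out at its own row and at every row after it until the hop limit is reached.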

The ping Command

Using ping to test connections may become something you do every day for the rest of your IT career; no other tool is used as often. PING, which stands for Packet Internet Groper, is fueled by the ICMP protocol, just as tracert is. The same ICMP Echo type messages are used as well, so learning about ping is somewhat easier if you are already familiar with the basic operation of the tracert command.

The ping command is the basic test of network connectivity. But why would you need to use ping? Let's look at an example. You are the network administrator responsible for two servers that are located on opposite sides of a WAN link (hence, two or more routers). Today you have started to get complaints that nobody at the remote site can receive email. Because the email servers are on your side of the network, you are justifiably concerned as to why nobody can get to that email. The first step in troubleshooting your problem lies with the ping command. If you can ping the email server's IP address from your location, you can be confident that basic connectivity to the server is not the problem. But what if you cannot ping the server? Your next step is to ping each hop along the route from source to destination in an attempt to determine where the problem lies. There is an inherent limitation to the ping command, though: Even though you can ping a host or router, this does not guarantee that it is performing its intended function properly. Being able to successfully ping a host indicates that basic TCP/IP connectivity exists along the route, nothing more.

To ping a host, you can simply enter the ping command followed by an IP address or DNS hostname, as shown here:

 
 C:\>ping 10.0.0.1

 Pinging 10.0.0.1 with 32 bytes of data:

 Reply from 10.0.0.1: bytes=32 time=70ms TTL=124
 Reply from 10.0.0.1: bytes=32 time=70ms TTL=124
 Reply from 10.0.0.1: bytes=32 time=70ms TTL=124
 Reply from 10.0.0.1: bytes=32 time=70ms TTL=124

 Ping statistics for 10.0.0.1:
     Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
 Approximate round trip times in milli-seconds:
     Minimum = 70ms, Maximum = 70ms, Average = 70ms

 C:\>

The syntax of the ping command is as follows and is detailed in Table 4.4:

 
 ping [-t] [-a] [-n count] [-l size] [-f] [-i TTL] [-v TOS] [-r count] [-s count] [{-j HostList | -k HostList}] [-w timeout]

Table 4.4. ping Parameters

Parameter      Description
-t             Specifies that the ping command should continue sending Echo Request (ICMP) messages until manually interrupted. This is useful for establishing and monitoring a constant connection between two hosts.
-a             Specifies that reverse name resolution is to be performed on the destination IP address.
-n count       Specifies how many Echo Request messages are to be sent to the destination computer. The default is four.
-l size        Specifies the length of the data field on the Echo Request up to a maximum of 65,527 bytes. The default is 32 bytes.
-f             Specifies that the Echo Request messages will not be fragmented by routers along their path. This setting can be used to troubleshoot Maximum Transmission Unit (MTU) related problems.
-i TTL         Specifies the value of the TTL field in the IP header for Echo Request messages sent. The default is the default TTL value for the host. The maximum TTL is 255.
-v TOS         Specifies the value for the Type of Service (TOS) field in the Echo Request. The default value is 0, and valid values range from 0 to 255.
-r count       Specifies that the Record Route option in the IP header is used to record the path taken by the Echo Request message and corresponding Echo Reply message. The count must be between 1 and 9.
-s count       Specifies that the Internet Timestamp option in the IP header is used to record the time of arrival for the Echo Request message and corresponding Echo Reply message for each hop. The count must be between 1 and 4.
-j HostList    Specifies that the Echo Request messages use the Loose Source Route option in the IP header with the set of intermediate destinations specified in HostList. When loose source routing is used, successive intermediate destinations can be separated by one or multiple routers. You can enter a maximum of nine addresses or hostnames in the host list.
-k HostList    Specifies that the Echo Request messages use the Strict Source Route option in the IP header with the set of intermediate destinations specified in HostList. When strict source routing is used, the next intermediate destination must be directly reachable. You can enter a maximum of nine addresses or hostnames in the host list.
-w timeout     Specifies the amount of time, in milliseconds, to wait for the Echo Reply message to be received. The default timeout is 4000 milliseconds (4 seconds).

NOTE: The story of ping

If you want to see the history of the ping command and learn some other interesting ping-related trivia, be sure to visit the page of the late Mike Muuss, creator of the ping application. You can find it located at http://ftp.arl.mil/~mike/ping.html.


Although the ping command has many options available, you will most often find yourself using it as demonstrated previously, perhaps appending the -t and/or -a switches to it. This command provides a constant, verifiable connection and name resolution for your troubleshooting efforts.

The pathping Command

Testing routers by using pathping is outstanding if you want the best features of both ping and tracert, two tools you just learned about. Because of the similarities, you should already be familiar with what pathping can do for you. Not only does pathping use the best features of these tools, but it also has a set of excellent features of its own. First, the pathping command is a route tracing tool used to troubleshoot remote problems. It sends Echo Request packets to each router along the path to the destination over a fixed period of time and, after that period has elapsed, calculates loss statistics for every router and every link from the replies that came back. That is how pathping produces such specific results. You can test connectivity, trace a path, and more. You can now see which links as well as which routers are giving you problems.

The syntax of the pathping command is as follows and is detailed in Table 4.5:

 
 pathping [-n] [-h MaximumHops] [-g HostList] [-p Period] [-q NumQueries] [-w Timeout] [-i IPAddress] [-4 IPv4] [-6 IPv6] [TargetName]

Table 4.5. pathping Parameters

Parameter        Description
-n               Prevents pathping from resolving the IP addresses of intermediate routers to their names. This parameter speeds up the process.
-h MaximumHops   Specifies the maximum number of hops in the path to search for the target. The default is 30 hops.
-g HostList      Specifies that the Echo Request messages are to use the Loose Source Route option in the IP header with the set of intermediate destinations specified in HostList. Successive intermediate destinations can be separated by one or multiple routers. The HostList is a series of IP addresses (in dotted-decimal notation), separated by spaces.
-p Period        Specifies the number of milliseconds to wait between consecutive pings. The default is 250 milliseconds.
-q NumQueries    Specifies the number of Echo Request messages sent to each router in the path. The default is 100.
-w Timeout       Specifies the number of milliseconds to wait for each reply. The default is 3000 milliseconds.
-i IPAddress     Specifies the source address.
-4 IPv4          Specifies that pathping uses IPv4 only.
-6 IPv6          Specifies that pathping uses IPv6 only.
TargetName       Specifies the destination, either by IP address or hostname.

So now that you know what pathping is, let's look at how to use it. To use pathping, you can open the command prompt and type pathping -n 10.0.0.1. Assuming that 10.0.0.1 is a valid host, you see the following output:

 
 D:\>pathping -n 10.0.0.1

 Tracing route to 10.0.0.1 over a maximum of 30 hops:
   0  172.16.2.1
   1  172.16.3.1
   2  192.168.2.1
   3  192.168.3.1

 Computing statistics for 125 seconds...
             Source to Here   This Node/Link
 Hop  RTT    Lost/Sent = Pct  Lost/Sent = Pct  Address
   0                                           172.16.2.1
                                 0/ 100 =  0%
   1   41ms     0/ 100 =  0%     0/ 100 =  0%  172.16.3.1
                                13/ 100 = 13%
   2   22ms    16/ 100 = 16%     3/ 100 =  3%  192.168.2.1
                                 0/ 100 =  0%
   3   24ms    13/ 100 = 13%     0/ 100 =  0%  192.168.3.1
                                 0/ 100 =  0%

 Trace complete.

The pathping output shows you not only what routes are experiencing packet loss, but also which routers are dropping packets. This information is valuable when you're trying to track down an Internet-related connectivity problem.
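An added example, not the book's code, that takes the Source to Here loss counts from a listing like the one above and splits each hop's loss into the part charged to the link leading to the hop and the part charged to the router itself, which is what the This Node/Link column conveys. The attribution rule is an assumption chosen because it reproduces the numbers in the sample output, not Microsoft's documented algorithm: loss that disappears again at the next hop is charged to the router (it forwards fine but does not answer every Echo Request), while loss that persists downstream is charged to the link. The per-hop counts are constructed from the listing above.

```python
# Constructed per-hop loss counts taken from the pathping listing above:
# for each hop, (address, lost, sent) measured from the source to that hop.
SAMPLE_HOPS = [
    ("172.16.2.1", 0, 100),    # hop 0: the source itself
    ("172.16.3.1", 0, 100),
    ("192.168.2.1", 16, 100),
    ("192.168.3.1", 13, 100),
]


def attribute_loss(hops):
    """Split each hop's cumulative (source-to-here) loss into loss blamed on
    the link leading to the hop and loss blamed on the router itself.

    Model (an assumption that reproduces the listing above, not Microsoft's
    documented algorithm): loss that is not seen again at the next hop was
    only the router failing to answer ICMP, so it is charged to the node;
    loss that persists downstream is charged to the link. Returns one dict
    per hop with fractions in the range 0.0 to 1.0.
    """
    n = len(hops)
    frac = [lost / sent if sent else 0.0 for _, lost, sent in hops]
    rows = []
    for i, (addr, _lost, _sent) in enumerate(hops):
        # the last hop has nothing downstream to compare against
        downstream = frac[i + 1] if i + 1 < n else frac[i]
        node = max(0.0, frac[i] - downstream)
        # loss that reaches both this hop and the next, beyond what the
        # previous hop already lost, is the incoming link's share
        link = max(0.0, min(frac[i], downstream) - frac[i - 1]) if i > 0 else 0.0
        rows.append({"hop": i, "address": addr, "source_to_here": frac[i],
                     "link_loss": link, "node_loss": node})
    return rows


def worst_link(rows, threshold=0.0):
    """Return the address of the hop whose incoming link loses the most
    probes, or None when no link loses more than `threshold`."""
    best = max(rows, key=lambda r: r["link_loss"])
    return best["address"] if best["link_loss"] > threshold else None


def pct(fraction):
    """Render a fraction the way pathping prints it (whole percent)."""
    return f"{round(fraction * 100):3d}%"


if __name__ == "__main__":
    rows = attribute_loss(SAMPLE_HOPS)
    print("Hop  Source to Here  Link   Node   Address")
    for r in rows:
        print(f"{r['hop']:3d}  {pct(r['source_to_here']):>14}  "
              f"{pct(r['link_loss'])}  {pct(r['node_loss'])}  {r['address']}")
    print("worst link leads into:", worst_link(rows))
```

With the listing's numbers the model charges 13% to the link between 172.16.3.1 and 192.168.2.1 and 3% to 192.168.2.1 itself, matching the This Node/Link column, and the 16% seen at hop 2 dropping to 13% at hop 3 is what tells the link loss and the router's own unanswered probes apart.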

The netsh Command

The netsh command is used on Windows 2000 and 2003 systems for troubleshooting networking-based problems. It's a very dense command that could take an entire chapter to describe, so we focus on the specifics of this command in relation to remote access and routing.

EXAM TIP: Be aware of misleading results

Sometimes what may appear to be a router failure may not be a router failure at all, but simply a firewall that is configured to block ICMP packets. You can test by trying to ping www.microsoft.com. Microsoft has been blocking ICMP packets for years now as a means of preventing Denial of Service (DoS) attacks on its networks.


Netsh allows you to configure TCP/IP protocol stack options right from the command line. If you become very good at using it, you can perform just about any network-related task right from the command line. In respect to Routing and Remote Access, you simply need to navigate to those sections within the command context to adjust those settings. In other words, if you navigate to the routing context within the command, you can adjust parameters for the routing subsystem of the Windows Server 2003 system.

To use the netsh command, open the command prompt and type netsh. Doing so changes the drive-letter-based prompt into the netsh> prompt. By typing a question mark (?) and pressing Enter, you can see what options you have within that context. If you see routing, you can change the prompt to routing> by typing routing and pressing Enter. If you type a question mark and press Enter, you see a new subset of commands you can manipulate within that prompt specific to routing functions.

The most common remote access prompt you will use within netsh is ras> . From this prompt, you can administer and work with Remote Access Servers over slow links and connections. You can use the following TechNet URL to find out all the details on the remote access netsh commands: www.microsoft.com/technet/prodtechnol/windowsserver2003/proddocs/entserver/netsh_ras.asp.

The Network Monitor Utility

Network traffic is any activity to and from a host on a network. Any packet that leaves a network card, especially one that is routed, contributes to network traffic. The more hosts (or routers) on a network, the more services added to it, and the less properly it is segmented, the more network traffic that network carries.

Why is the issue of network traffic so important? Too much network traffic, like rush-hour traffic, clogs the speed of the network, causes the network to become a bottleneck, and can ultimately cause the network to fail. As a rule, the more network services, shares, and resources that are added to a network, the more network traffic that is generated.

You can use Network Monitor to capture packets on a network. From these packets, you can troubleshoot network problems, discern how busy a network load is, and predict how the network will grow.

Network Monitor is made up of two primary components:

  • Network Monitor: Network Monitor is the tool you use to capture packets sent to and from this server. The version of Network Monitor included with Windows Server 2003 records only packets sent to and from this server and the LAN.

  • Network Monitor driver: The Network Monitor driver is installed automatically when you install Network Monitor on a server. However, you might want to install just the Network Monitor driver for remote computers to be monitored through the full version of Network Monitor that is included with the Systems Management Server (SMS). If you install the Network Monitor driver on additional computers, you should make a point to install it only once per subnet.

By now you should be familiar with the basic operation of the Network Monitor. If you need a review, be sure to see MCSA/MCSE 70-291 Training Guide: Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure by Dave Bixler and Will Schmied (Que Publishing, 2003).

Troubleshooting RIP Environments

After RIP is configured within your environment, you may be called on from time to time to troubleshoot issues that arise with routing. Although every problem is unique, Table 4.6 outlines some of the resolutions that may help when you're responding to issues within a RIP environment.

Table 4.6. RIP Problems and Resolutions

Problem: Routing tables have improper routing information within a mixed RIP network.
Solution: RIP version 2 routers are configured to multicast announcements. Multicast version 1 and 2 announcements are never received by RIP version 1 routers. If you have a mixed environment of RIP version 1 and RIP version 2, ensure that the routers configured with RIP version 2 are using broadcast instead of multicast announcements.

Problem: Silent RIP hosts are not receiving routes.
Solution: RIP version 2 routers are configured to multicast announcements. Multicast announcements are never received by silent RIP hosts. If silent RIP hosts on a network are not receiving routes from the local RIP router, verify the version of RIP supported by the silent RIP hosts. If it is the listening service in Windows NT 4 Service Pack 4 or Windows Server 2003, you must configure the RIP routers for RIP version 1 or RIP version 2 broadcasting.

Problem: RIP routers are not being updated with valid routes.
Solution: You are deploying variable-length subnetting, disjointed subnets, or supernetting in a RIP version 1 or mixed RIP version 1 and RIP version 2 environment. Do not deploy variable-length subnetting, disjointed subnets, or supernetting in a RIP version 1 or mixed RIP version 1 and RIP version 2 environment because these functions are not supported.

Problem: RIP routers are not being updated with valid routes.
Solution: You are using autostatic RIP, and you did not properly do an initial manual update. When you use autostatic RIP on a demand-dial interface, the first time you make a connection, you must manually update routes. You must also update routes manually on the router for the corresponding interface. The routes then appear in the IP routing table.

Problem: Host or default routes are not being propagated.
Solution: RIP, by default, is not configured to propagate host or default routes. If they need to be propagated, change the default settings on the Advanced tab of the properties of a RIP interface.

Table 4.6 describes only some of the problems that can arise within a RIP environment. For further troubleshooting information, refer to Microsoft Technet or the Windows Server 2003 documentation.



MCSE Windows Server 2003 Network Infrastructure (Exam 70-293)
MCSE 70-293 Exam Prep: Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure (2nd Edition)
ISBN: 0789736500
Year: 2003
Pages: 151
Authors: Will Schmied
