2

I have created a Linux Azure VM. And I want to send traceroutes from it to my home ip address. However traceroute times out on every hop. I have configured the VM to have public static IP address. And to have inbound and outbound rules for all ports.

Does anybody know what else needs to be configured there in order to successfully send a traceroute?

An interesting fact is that traceroutes succeed from Windows Server Azure VM, but not from Linux Ubuntu 16.04.

The VM has a static IP attached in both cases: Linux and Windows.

One more detail: On Windows Azure VM first 5 hops do not reply, but other ones do. On Linux Azure VM every hop doesn't reply.

Maksym Bondarenko
  • 404
  • 1
  • 5
  • 12

2 Answers2

5

Jason Ye - MSFT's information is correct, but his answer doesn't actually answer your question.

Traceroue doesn't work on Azure since Azure, by default blocks all ICMP traffic. Since traceroute identifies hops by receiving an ICMP packet (ICMP Time to Live expired) from each hop, you don't see any hops.

This is the same reason why ping doesn't work to from the Internet to machines within Azure.

To work around that, you can give your VM an instance IP address.

Community
  • 1
  • 1
Malt
  • 28,965
  • 9
  • 65
  • 105
  • Thanks Malt ! I forgot to notice that static IP has actually been assigned to Azure Linux and Windows VM. Without static IP, traceroutes do not work even on Windows. It is still not very clear why traceroute command times out on every hop when sent from Linux. I ended up using Scamper from CAIDA: https://www.caida.org/tools/measurement/scamper/. Scamper works well. – Maksym Bondarenko Mar 30 '17 at 21:37
2

Because tracert and traceroute work in different ways.
In windows, tracert is based on ICMP, we can use tracert to test connection from Azure VM to the outside.
But in Linux, traceroute is based on UDP by default. we can add a parameter to make traceroute work on ICMP, but in my test, even if traceroute working in ICMP, it is different from tracert.

root@ubuntu:~# traceroute -I 8.8.8.8
traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
 1  * * *
 2  * * *
 3  * * *
 4  * * *
 5  * * *
 6  * * *
 7  * * *
 8  * * *
 9  * * *
10  * * *
11  google-public-dns-a.google.com (8.8.8.8)  1.599 ms  1.593 ms  1.783 ms

As a workaround, we can use other tools to test the connection, for example, tracepath

Jason Ye
  • 13,710
  • 2
  • 16
  • 25
  • Thanks Jason. Tracepath really gives some result. Yes first several hops have no reply but that is consistent with Windows Azure VM behavior. – Maksym Bondarenko Mar 20 '17 at 03:38
  • I am wondering if you have some explanation of why usual traceroute doesn't work (all hops do not reply). – Maksym Bondarenko Mar 20 '17 at 03:38
  • @MaksymBondarenko It seems that, one of the router blocked `type 11 (TTL-expired)`, so we can't find the middle of the router, but can see the packet reached the final destination. – Jason Ye Mar 20 '17 at 03:51