Traceroutes, mtrs, pings, other ICMP to a IPA/SXL VIP contain misleading information

TitleTraceroutes, mtrs, pings, other ICMP to a IPA/SXL VIP contain misleading informationURL NameTraceroutes-mtrs-pings-other-ICMP-to-a-IPA-SXL-VIP-contain-misleading-information-1386938232802SummaryLast Published Date12/13/2013 4:37 AMQuestionWhy does a traceroute/mtr/ping to an IPA/SXL VIP show a very strange long route/ping time?Answer

A traceroute, or a ping, or other ICMP packet sent to an Akamai IPA/SXL VIP would not accurately represent the route between the user and the corresponding Akamai VIP. This is due to the way IPA/SXL operate. An IPA/SXL server is configured to pass through incoming packets to the corresponding origin server using the fastest route to it. The IPA/SXL server does not look at the packets or judge that they were meant to terminate at that server. Such servers are configured to be blind relays. As a result, any traceroute, ping, etc, would only pass through an IPA/SXL server, and then continue all the way to the corresponding origin server. Since the packets have no knowledge about that origin server hardcoded in them, the last hop of that traceroute would not contain the origin server IP, but the IPA/SXL VIP IP.

Here is a sample traceroute to VIP 63.216.55.164. Even though this is an Akamai VIP, the actual Akamai server taking this request is 63.216.54.69. The packets then continue to be forwarded all the way to the origin server, the IP of which will not show anywhere in the traceroute, but it will be represented by the VIP 63.216.55.164, which is where this traceroute ends.

traceroute 63.216.55.164
traceroute to 63.216.55.164 (63.216.55.164), 30 hops max, 40 byte packets
 1  a72-246-96-1.deploy.akamaitechnologies.com (72.246.96.1)  0.273 ms  0.215 ms  0.153 ms
 …
 …
 8  63-216-54-69.static.pccwglobal.net> (63.216.54.69)  29.782 ms  29.999 ms  29.639 ms
 …
 …
13 63-216-55-164.static.pccwglobal.net (63.216.55.164)  56.741 ms *  196.103 ms


As a result, this traceroute is not representative of the route between the user and Akamai, since it also includes the path to the origin server. The same holds true for pings, mtrs, or other ICMP traffic.

For a more representative route, you may want to use tcptraceroute.

tcptraceroute -n 63.216.55.164 443
Selected device eth0, address 172.28.12.161, port 49455 for outgoing packets Tracing the path to 63.216.55.164 on TCP port 443 (https), 30 hops max
  1  172.28.12.1  0.768 ms  0.253 ms  20.590 ms
  …
  11  63.216.54.68  30.294 ms  30.359 ms  30.101 ms
  12  63.216.55.164 [open]  30.603 ms  30.788 ms  30.302 ms

 

Was this article helpful?

Related Articles