Curious if anyone else has ran into this and what the resolution actual was, I can run netpath from the primary poller to solarwinds.com. When doing a traceroute from inside the server I can see all the hops, but netpath will jump from it's final l3 hop to the destination IP and not show me any of the hops in between. I have allowed an any any rule on our ASA from outside allowing echo-reply, time-exceeded, and unreachable. Also allowing icmp, https, and whois to ouside any from our Solarwinds poller, but nothing seems to change allowing us to see the missing hops in between.
Netpath doesn't employ ICMP as its primary mechanism like Windows traceroute does. Where windows traceroute (tracert) uses ICMP echo packets and varies the TTL on them, Netpath will use the protocol TCP and the port you designate it to use. Usually Netpath will get very good results, but that is dependent on some things. That being said, both should only be showing you routed (L3) hops, not L2 hops, so your statement that Netpath only shows the final L3 hop vs tracert showing more doesn't make sense. If tracert is showing more hops, those should also be L3 hops?
But, different types of traffic, like ICMP vs TCP, can be routed along differing paths. And, things like load balancers, such as those from F5, can not only change the path of specific types of traffic like HTTP and HTTPS, but it can also do more security with things like protocol inspection. For instance, if you're doing Netpath on TCP port 443 (ie: HTTPS) to a remote host that goes through and F5 near the far end, lets say the F5 is 5 hops out and the remote box another 2 hops. So, Netpath would first send out a number of packets with a TTL of 1, which would discover those route(s) that are 1 hop away. When its done with that it will do the same with a TTL of 2, and so on. When it gets to 5, it hits the F5, and maybe the F5 knows the device is another hop or two away. The F5 could simply discard the packet because the TTL is set to low, and do this for every step but the last one.
Its also possible that the F5 is a shortcut to the box for HTTPS traffic. ie: if incoming HTTPS traffic to the server hits the F5, the F5 takes a shortcut to the server and makes the destination only be 1 more hop. However, if you try and get to the server with any other protocol, like ICMP or SSH, the traffic takes those 2 additional hops in order to go through a different sort of firewall.
Maybe that would be a nice feature though, to have an option to use ICMP echo for Netpath's?
Oh! And I almost forgot! If I'm not wrong, a Linux/Unix based traceroute doesn't use ICMP either, but it also doesn't use TCP, instead it used UDP at a random high port.
SolarWinds solutions are rooted in our deep connection to our user base in the THWACK® online community. More than 150,000 members are here to solve problems, share technology and best practices, and directly contribute to our product development process.