
Why am I able to ping but not do tracepath over my Layer 3 VPN?

In this response, our VPN expert explains why a client on a Layer 3 VPN can ping a remote address but cannot run tracepath to it.

I am running a Layer 3 (L3) VPN between two edge routers and have connected one router to a Linux host client. I tried to ping an IP address from the client present on the other router that was learnt via my Border Gateway Protocol (BGP) VPN. It's pinging, but I am unable to do tracepath from the client. I get a "No Reply" after it goes to the interface of the router connected to the client. Why is this happening?

Have you tried using traceroute instead of tracepath? Tracepath uses a range of User Datagram Protocol (UDP) ports, one or many of which might be blocked at the firewall. I suspect this is what’s happening, although I recommend further testing and analysis to figure out the root cause. Also, sometimes tools with lower privilege levels have limitations. For your situation, I suggest trying traceroute and also verifying the firewall protocols. Given what you’ve described, the IP routing appears to be functional.
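The comparison suggested in the answer, as an added example that is not part of the original response: it parses numeric `tracepath -n` and `traceroute -n -I` output and reports where UDP probing stops while ICMP gets through. The sample outputs and addresses are constructed, and the function names are hypothetical.

```python
import re

# Constructed sample outputs (documentation addresses, not from the question).
TRACEPATH_UDP = """\
 1?: [LOCALHOST]                      pmtu 1500
 1:  198.51.100.1                                          0.412ms
 1:  198.51.100.1                                          0.380ms
 2:  no reply
 3:  no reply
"""
TRACEROUTE_ICMP = """\
traceroute to 192.0.2.5 (192.0.2.5), 30 hops max, 60 byte packets
 1  198.51.100.1  0.401 ms  0.377 ms  0.350 ms
 2  * * *
 3  192.0.2.5  2.113 ms  2.050 ms  2.001 ms
"""

# Matches an answering hop in numeric (-n) tracepath or traceroute output.
HOP = re.compile(r"^\s*(\d+)\??:?\s+(\d+\.\d+\.\d+\.\d+)", re.M)


def last_answering_hop(output):
    """Return (ttl, address) of the last hop that replied, or None."""
    hops = [(int(ttl), addr) for ttl, addr in HOP.findall(output)]
    return hops[-1] if hops else None


def reached(output, dest):
    hop = last_answering_hop(output)
    return hop is not None and hop[1] == dest


def triage(dest, ping_ok, udp_trace, icmp_trace=None):
    """Hypothetical helper: turn the three observations into a next step."""
    if reached(udp_trace, dest):
        return "UDP trace completes; nothing to explain"
    if not ping_ok:
        return "ping fails too; check routing before the firewall"
    stop = last_answering_hop(udp_trace)
    where = f"after hop {stop[0]} ({stop[1]})" if stop else "at the first hop"
    if icmp_trace is None:
        return f"UDP probes unanswered {where}; rerun with traceroute -n -I"
    if reached(icmp_trace, dest):
        return f"ICMP passes, UDP does not {where}; review firewall UDP/ICMP-error rules"
    return f"neither trace completes {where}; inconclusive"


if __name__ == "__main__":
    print(triage("192.0.2.5", True, TRACEPATH_UDP, TRACEROUTE_ICMP))
```

Capture both traces from the same client within a short interval so that a routing change is not mistaken for filtering.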


This was last published in March 2012
