https://live.paloaltonetworks.com/t5/globalprotect-discussions/ipv6-traceroute-not-returning-hops-before-the-destination/m-p/560308#M4461 <P>I have two GlobalProtect installations each configured differently. I can ping and connect to IPv6 destinations just fine. If I run a traceroute to the IPv6 destinations using UDP or ICMP, I do not get the hops before the destination. For example:</P> <P>&nbsp;</P> <P>Tracing route to google.com [2607:f8b0:4005:80d::200e]<BR />over a maximum of 30 hops:</P> <P>1 * * * Request timed out.<BR />2 * * * Request timed out.<BR />3 * * * Request timed out.<BR />4 * * * Request timed out.<BR />5 * * * Request timed out.<BR />6 15 ms 14 ms 14 ms 2607:f8b0:4005:80d::200e</P> <P>&nbsp;</P> <P>If I use a system that is on-prem, not using GlobalProtect, the traceroutes work fine. We have two WANs, and an Internet connection, and it doesn't matter what path I traceroute across. The same thing happens.&nbsp;</P> <P>&nbsp;</P> <P>I can get the traceroute to show every hop from the GlobalProtect connected machine if I do the following:</P> <P>&nbsp;</P> <P>1.) Traceroute using an on-prem system</P> <P>2.) Record each hop I learned from the on-prem machine</P> <P>3.) Ping each hop from the GlobalProtect machine</P> <P>4.) Traceroute from the GlobalProtect Machine</P> <P>&nbsp;</P> <P>Then the traceroute works! I can't always do this though, especially if there are a lot of router choices and the packets choose a different path. Very weird that pinging each hop in the path gets the traceroute to work.&nbsp;</P> <P>&nbsp;</P> <P>Has anyone every experienced issues not getting the hops in the path when tracerouting to IPv6 destinations from GlobalProtect? I am trying to figure out what could be blocking it. The Security Policies we have are wide open outbound.&nbsp;</P> Tue, 03 Oct 2023 04:13:36 GMT jonathanhunt 2023-10-03T04:13:36Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/ipv6-traceroute-not-returning-hops-before-the-destination/m-p/560308#M4461 <P>I have two GlobalProtect installations each configured differently. I can ping and connect to IPv6 destinations just fine. If I run a traceroute to the IPv6 destinations using UDP or ICMP, I do not get the hops before the destination. For example:</P> <P>&nbsp;</P> <P>Tracing route to google.com [2607:f8b0:4005:80d::200e]<BR />over a maximum of 30 hops:</P> <P>1 * * * Request timed out.<BR />2 * * * Request timed out.<BR />3 * * * Request timed out.<BR />4 * * * Request timed out.<BR />5 * * * Request timed out.<BR />6 15 ms 14 ms 14 ms 2607:f8b0:4005:80d::200e</P> <P>&nbsp;</P> <P>If I use a system that is on-prem, not using GlobalProtect, the traceroutes work fine. We have two WANs, and an Internet connection, and it doesn't matter what path I traceroute across. The same thing happens.&nbsp;</P> <P>&nbsp;</P> <P>I can get the traceroute to show every hop from the GlobalProtect connected machine if I do the following:</P> <P>&nbsp;</P> <P>1.) Traceroute using an on-prem system</P> <P>2.) Record each hop I learned from the on-prem machine</P> <P>3.) Ping each hop from the GlobalProtect machine</P> <P>4.) Traceroute from the GlobalProtect Machine</P> <P>&nbsp;</P> <P>Then the traceroute works! I can't always do this though, especially if there are a lot of router choices and the packets choose a different path. Very weird that pinging each hop in the path gets the traceroute to work.&nbsp;</P> <P>&nbsp;</P> <P>Has anyone every experienced issues not getting the hops in the path when tracerouting to IPv6 destinations from GlobalProtect? I am trying to figure out what could be blocking it. The Security Policies we have are wide open outbound.&nbsp;</P> Tue, 03 Oct 2023 04:13:36 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/ipv6-traceroute-not-returning-hops-before-the-destination/m-p/560308#M4461 jonathanhunt 2023-10-03T04:13:36Z