I am having a weird situation. I have several Mikrotik OS Routers on our Wireless WAN routing via OSPF. They connect to a couple Cisco Routers that connect to our internet connections that run both OSPF and BGP. At the end of the Mikrotik Segment I have a static route in the Mikrotik pointing to a local Firewall behind which is the /27 network I am having issues with. I have the last Mikrotik set to redistribute the Static route into OSPF.
Here is a simple Diagram.

Internet----------Cisco1--------Cisco2----------Mikrotik1------------Mikrotik2-------------Mikrotik3----------Firewall------Remote /27 Network

Here is the problem. Even though I can see the route propagating over each Mikrotik and back to the Cisco Routers via OSPF I cannot run any successful traceroutes to this /27 beyond the first Mikrotik. I first assumed it was a problem on how my routes translate between the Cisco routers and the Mikrotiks, however if I run a traceroute on Mikrotik1 or 2 or even 3 it doesn't work either. All other traceroutes including to the /30 between the Mikrotik3 router and the firewall work fine.

If I trace from the internet or my internal network I get as far as the first Mikrotik and then request timed out as follows:
Tracing route to remote /27 network
over a maximum of 30 hops:

1 <1 ms <1 ms <1 ms Internal Router
2 3 ms <1 ms <1 ms Cisco Router 1
3 <1 ms <1 ms <1 ms Cisco Router 2
4 1 ms 1 ms 1 ms Mikrotik Router 1
5 * * * Request timed out.
6 * * * Request timed out.
7 * * * Request timed out.
8 * * * Request timed out.
9 ^C


If I Traceroute from Mikrotik1 or Mikrotik2 or even Mikrotik 3 that has a static route to the /27 I get the following:
# ADDRESS RT1 RT2 RT3 STATUS
1 0.0.0.0 0ms 0ms 0ms
2 0.0.0.0 0ms 0ms 0ms
3 0.0.0.0 0ms 0ms 0ms
4 0.0.0.0 0ms 0ms 0ms


Now here is where things get really strange. Even though I cannot successfully traceroute to the /27 hosts from anywhere in the world including all my Mikrotik routers and Cisco Routers somehow. CONNECTIVITY WORKS without issues whatsoever. I can connect to the /27 hosts with any of their open ports/applications other than Ping or Traceroute them and they can connect to the global internet without issues. How this is possible since none of my routers can traceroute to that network is beyond me. As far as I am aware no access lists have been created to block ICMP on this network and I can traceroute to any of the other networks spaces I have running off these and other Mikrotiks. The only thing that seems out of the ordinary to me is the fact that this is a external and not directly connected OSPF route.

Any ideas as to what I could be missing here? Even though this is working and passing traffic future troubleshooting could be a major problem if I can't rely on traceroutes.

Let me know if you have any suggestions or ideas.

Jim

Is your firewall filtering the icmp requests?

Sent from my XT912 using Tapatalk 2

Are the Cisco/Mikrotik devices all on public IPs or are RFC1918 addresses involved? Also, what are the routing conditions on the Mikrotiks as regards addresses to the left side of your diagram including general internet addresses?

They are all using public ip's for their interfaces although the OSPF processes are using loopbacks that are using private IP's. The mikrotiks can trace anywhere other than the external static route on the far right side of the diagram including sites on the global internet. I just ran a traceroute to yahoo.com from the far right router and it worked fine.

No firewalls blocking the traffic, I just checked the Mikrotik's and they don't have any firewall statements enabled and since this is only affecting 1 external route it would have to be a specific statement directly related to the /27 which is not setup. I'm still thinking it is something OSPF related since it is only affecting traceroute on hosts on that external route and no other directly connected or advertised OSPF routes as I can traceroute to all those hosts without issue.

Did you ever get this resolved? Having the same issue.

I'm getting different results based on source.

Config: Internet | Nat device 192.168.0.2 | Microtik router 10.0.0.1 (with dude agent installed) | Computer on 10.0.0.x subnet (with dude windows client running)

Depending what source is listed having different results.