Troubleshooting TCP/IP: A structured method - Part 2: Troubleshooting routing tables


This article explains how the routing table works and how to troubleshoot routing problems on Windows networks.

In the previous article of this series, we outlined a structured method for troubleshooting TCP/IP network problems on Windows networks. The method has three main parts:

• Understand the network technologies and protocols that underlie the problem.

• Identify the different components of the problem and their attributes.

• Identify the troubleshooting steps and tools that need to be applied to solve the problem.

The foundation of TCP/IP networking is the routing table, a data structure built on each host on a TCP/IP network. The routing table serves the following purposes:

• It stores information about the other subnets in the network and how hosts on each of them can be reached.

• It indicates which host (the next-hop IP address) each packet must be forwarded to in order to eventually reach its destination host.

• It indicates which network interface (the next-hop interface) is used to route the packet toward its destination.

Understanding routing tables is essential if you want to troubleshoot routing issues efficiently on a TCP/IP network. We will look at how routing tables work, what they look like in different scenarios, and which troubleshooting steps and tools are needed to solve the different problems. We start by examining the routing table on a server with a single network interface that has one assigned IP address. We chose this example because it is the easiest to understand. In the following articles we will look at more complex scenarios, including servers with multiple IP addresses (such as web servers) and servers with multiple network interfaces (such as servers connected both to the LAN and to a separate network used for running backups).

The routing table for a server with a single IP address

Below is the routing table for a server with an IP address of 172.16.11.30 in the 172.16.11.0/24 network:

C:\> route print
IPv4 Route Table
===========================================================================
Interface List
0x1 ..... MS TCP Loopback interface
0x10003 . 00 03 ff 25 88 8c . Intel 21140-Based PCI Fast Ethernet Adapter (Generic)
===========================================================================
===========================================================================
Active Routes:
Network Destination  Netmask          Gateway       Interface     Metric
0.0.0.0              0.0.0.0          172.16.11.1   172.16.11.30  20
127.0.0.0            255.0.0.0        127.0.0.1     127.0.0.1     1
172.16.11.0          255.255.255.0    172.16.11.30  172.16.11.30  20
172.16.11.30         255.255.255.255  127.0.0.1     127.0.0.1     20
172.16.255.255       255.255.255.255  172.16.11.30  172.16.11.30  20
224.0.0.0            240.0.0.0        172.16.11.30  172.16.11.30  20
255.255.255.255      255.255.255.255  172.16.11.30  172.16.11.30  1
Default Gateway: 172.16.11.1
===========================================================================
Persistent Routes:
None

To display the routing table, open a command window and type route print at the command line. We will go through each part of the table so you can understand how it works. Each entry in this routing table consists of 5 fields:

Network Destination. The IP address or subnet that the route applies to; IP packets addressed to it can be forwarded using this route.

Netmask. The bitmask that is applied to the destination IP address of the packet and compared against the Network Destination field to decide whether the route matches.

Gateway. The next-hop IP address to which the packet is forwarded on the way to its destination address.

Interface. The next-hop interface used to forward the packet toward its destination address.

Metric. The cost of the route.

Example 1: Destination on the local subnet

In this first example, the server with a single IP address (172.16.11.30) must send a packet to another machine whose IP address is 172.16.11.80 (on the same subnet). The packet therefore has a source address of 172.16.11.30 and a destination address of 172.16.11.80. Here is how Windows uses its routing table:

1. Windows first goes through the routes in the table one after another and performs an AND operation between the destination address in the packet (172.16.11.80) and the netmask of each route. The results are shown below; each route in the table is identified by its Network Destination.

Route            Netmask          172.16.11.80 AND Netmask
0.0.0.0          0.0.0.0          0.0.0.0
127.0.0.0        255.0.0.0        172.0.0.0
172.16.11.0      255.255.255.0    172.16.11.0
172.16.11.30     255.255.255.255  172.16.11.80
172.16.255.255   255.255.255.255  172.16.11.80
224.0.0.0        224.0.0.0        160.0.0.0
255.255.255.255  255.255.255.255  172.16.11.80

2. For each route, the result of the AND operation is compared with the route's Network Destination field. If they match, the route can be used to forward the packet to its destination address. If more than one route matches, Windows uses the longest match (the route whose netmask has the most bits set to 1). If the longest match is not unique, Windows uses the matching route with the lowest cost (Metric). Finally, if more than one match has the same lowest cost, Windows randomly selects one of these routes. In the table above, the AND result matches for two routes (routes 1 and 3), so Windows uses route 3 (the longest match) to forward the packet to its destination address. This is how that route appears in the routing table:

Network Destination  Netmask          Gateway       Interface     Metric
172.16.11.0          255.255.255.0    172.16.11.30  172.16.11.30  20

3. Windows uses the algorithm below to decide what to do next:

a. If the route's Gateway field matches the address of one of the network interfaces on the server (or if the Gateway field is empty), Windows sends the packet directly to its destination address using the interface specified in the route.

b. If the route's Gateway field does not match the address of any network interface on the server, Windows sends the packet to the address in the Gateway field of the route.

Here condition (a) applies: the route's Gateway field (172.16.11.30) is the address assigned to the server's network card. Windows therefore determines that the destination address is on the local subnet, which means it can send the packet directly to that address without forwarding it to a router. In this case Windows simply sends the packet to 172.16.11.80 using the server's 172.16.11.30 network interface.

Example 2: Destination on a remote subnet

Here we go through the same process, but the server sends the packet to a host on another subnet, with the address 172.16.10.200. In other words, the packet travels from the source address 172.16.11.30 to the destination address 172.16.10.200. Windows uses its routing table to determine which route to use:

1. Windows checks all routes in the table and performs the AND operation between the destination address in the packet (172.16.10.200) and the netmask of each route. The results are listed below:

Route            Netmask          172.16.10.200 AND Netmask
0.0.0.0          0.0.0.0          0.0.0.0
127.0.0.0        255.0.0.0        172.0.0.0
172.16.11.0      255.255.255.0    172.16.10.0
172.16.11.30     255.255.255.255  172.16.10.200
172.16.255.255   255.255.255.255  172.16.10.200
224.0.0.0        224.0.0.0        160.0.0.0
255.255.255.255  255.255.255.255  172.16.10.200

2. For each route, the result of the AND operation is compared with the route's Network Destination field. If they match, the route can be used to forward the packet to its destination address. In the second table above there is only one match, row 1, where the Network Destination field (0.0.0.0) equals the result of the AND operation. So the route Windows uses to forward the packet to its destination is the one below:

Network Destination  Netmask          Gateway       Interface     Metric
0.0.0.0              0.0.0.0          172.16.11.1   172.16.11.30  20

3. Windows then uses the algorithm introduced above to decide what to do next. In this case the Gateway field of the route (172.16.11.1) does not match the address assigned to the server's network card (172.16.11.30). Windows therefore determines that the destination address is on a remote subnet, which means it will not send the packet directly to its destination but will forward it to a router, which handles it from there. Here Windows sends the packet to the address shown in the Gateway field of the selected route (172.16.11.1) using the server's 172.16.11.30 network interface. When the router at 172.16.11.1 receives the packet, it determines what it needs to do next to forward the packet to its final destination address, 172.16.10.200. This depends on whether the 172.16.11.10/24 network is a subnet adjacent to 172.16.11.11/24 (e.g. connected to it by a router) or a remote network (connected through several intermediate routers and networks between them).
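
The lookup walked through in Examples 1 and 2, as an added Python example that is not part of the original article. It parses the Active Routes rows shown earlier and applies the three steps; the function names are illustrative, the server's own addresses are assumed to be the values in the Interface column, and a remaining tie is resolved by table order rather than at random.

```python
import ipaddress

# Active Routes rows copied from the route print output on this page.
ROUTE_PRINT = """\
0.0.0.0 0.0.0.0 172.16.11.1 172.16.11.30 20
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
172.16.11.0 255.255.255.0 172.16.11.30 172.16.11.30 20
172.16.11.30 255.255.255.255 127.0.0.1 127.0.0.1 20
172.16.255.255 255.255.255.255 172.16.11.30 172.16.11.30 20
224.0.0.0 240.0.0.0 172.16.11.30 172.16.11.30 20
255.255.255.255 255.255.255.255 172.16.11.30 172.16.11.30 1
"""

def ip(text):
    """Dotted-quad string -> 32-bit integer, so the & operator applies."""
    return int(ipaddress.IPv4Address(text))

def parse_routes(text):
    """Turn 'destination netmask gateway interface metric' rows into dicts."""
    routes = []
    for line in text.splitlines():
        dest, mask, gw, iface, metric = line.split()
        routes.append({"dest": dest, "mask": mask, "gateway": gw,
                       "interface": iface, "metric": int(metric)})
    return routes

def select_route(routes, destination):
    """Steps 1-2: AND the destination with each netmask, keep the routes
    whose Network Destination equals the result, then pick the best one."""
    matches = [r for r in routes
               if ip(destination) & ip(r["mask"]) == ip(r["dest"])]
    if not matches:
        return None  # the "no matching route" failure case
    # Most 1-bits in the mask wins (longest match), then the lowest metric.
    # A remaining tie falls to table order here (assumption of this example).
    return min(matches, key=lambda r: (-bin(ip(r["mask"])).count("1"), r["metric"]))

def next_hop(routes, destination):
    """Step 3: deliver directly if the Gateway is one of the server's own
    addresses, otherwise hand the packet to the Gateway."""
    route = select_route(routes, destination)
    if route is None:
        return ("no route", None, None)
    local = {r["interface"] for r in routes}  # assumed: own addresses
    if route["gateway"] in local:
        return ("direct", destination, route["interface"])
    return ("via gateway", route["gateway"], route["interface"])

ROUTES = parse_routes(ROUTE_PRINT)
```

Calling next_hop(ROUTES, "172.16.11.80") reproduces Example 1 and next_hop(ROUTES, "172.16.10.200") reproduces Example 2; dropping the default route from the list shows the case where no route can be selected.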

Tips for troubleshooting

So what can go wrong in the process above? First, Windows may be unable to select a route whose Network Destination field matches the result of the AND operation between the route's Netmask field and the destination address of the packet. If this happens, you will encounter a routing error, which is reported by some network applications running on the server. What happens is that Windows uses TCP to notify the upper layers of the network stack that the packet cannot be sent, and an error message is produced.

In this situation, your routing table may be corrupted, or a route in the routing table may be invalid. Persistent routes are routes that you add to the table manually with the route -p add command; they survive restarts because their values are stored in the registry. If you add invalid routes, they may produce strange results, most often unexplained traffic loss.

Alternatively, if the destination is on a remote subnet and Windows forwards the packet to a router (the default gateway address) and that router cannot select a route, the router usually returns an ICMP "Destination Unreachable - Host Unreachable" message to the host that sent the packet. In this case, TCP notifies the upper layers and some type of error message is displayed. In both situations, the most useful approach is to check the routing tables on the sending host and on the intermediate routers on the way to the destination address, and determine whether these routing tables are correct or contain errors. A corrupted routing table can be repaired by resetting the TCP/IP stack with the netsh int ip reset command. Note that the reboot process will not remove the routes you have added to your routing table.

Conclusion

This article has given you an introduction to routing tables and how to handle some of the problems that occur with them. In the next article we will look at more complex examples, such as servers with multiple addresses and several network cards.
