#2069 - 11/24/08 01:46 PM VPN box choking on expired TTL packets?
D-Smith
Registered: 11/24/08
Posts: 2
Hi,

I've been using PingPlotter Pro (3.20p) for quite some time, it's been a very valuable tool. Recently I started working with a new UTM (Unified Threat Management) box that's running some flavor of Linux and mostly open source applications (http proxy, firewall, VPN, mail relay...). I don't know what the VPN module is based on, but it looks like it might be choking on PingPlotter packets.

When I run a PingPlotter trace through the tunnel with the remote endpoint as the target using a 15 second delay, everything looks fine for about 21 hours. Then the remote end stops responding (VPN module dies?), and about 15 seconds later the UTM box stops responding too. It doesn't really crash: internal processes continue to run and make log entries, but no errors get logged and no Ethernet interfaces will pass traffic. If I extend the ping delay to 60 seconds it takes about 55 hours before the same thing happens, with a 60 second delay between the VPN failure and box lockup.

Is it likely that the VPN module is choking on TTL expired packets? Has anyone ever seen this before?

I haven't tested it yet but I'm betting the solution will be to ping only the target.

#2070 - 11/25/08 02:16 PM Re: VPN box choking on expired TTL packets? [Re: D-Smith]
Pete Ness
Registered: 08/30/99
Posts: 1106
Loc: Boise, Idaho
That's a new one. If it explicitly shuts down *all* traffic through this device, then it should be pretty easy for the device manufacturer to reproduce.

21 hours at 15 second intervals is 5040 samples. Maybe it's just that number of ICMP Echo packets (period) that's causing the problem. Try cranking your packet rate down to 1 second (or, depending on your network capacity, even lower - like .25 seconds - you can manually enter that) and see if it reproduces at the same sample count. If it does, then try switching to final destination only and see if it still happens (or maybe takes longer). It might take longer (like, say, 4 times longer). If so, then see how many hops you have past the failure point - and see if that corresponds to how much longer it takes to fail with final destination only.

It could also be a problem with returning ICMP TTL expired packets (or echo replies).

It sounds like a bug in the hardware, though, and you should probably talk to your UTM box manufacturer about it. The "suggestions" above just relate to narrowing it down a bit so you can better report the problem to the manufacturer.

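Pete's counting argument, worked through as an added calculation that is not part of the original thread. It assumes PingPlotter's usual behaviour of one probe per hop per sample in trace mode and one probe per sample in "final destination only" mode; the 4-hop path used in the prediction is an assumption for illustration.

```python
"""Sample-count arithmetic for the 'fixed number of packets' hypothesis.

Model (assumed): in trace mode PingPlotter emits one probe per hop per
sample; in final-destination-only mode it emits one probe per sample.
"""

def samples_in(hours: float, interval_s: float) -> int:
    """Samples taken in `hours` at one sample every `interval_s` seconds."""
    return round(hours * 3600 / interval_s)

def probes_in(samples: int, hops: int, final_only: bool) -> int:
    """Probe packets emitted for `samples` samples."""
    return samples if final_only else samples * hops

def hours_until(probe_budget: int, interval_s: float, hops: int, final_only: bool) -> float:
    """Elapsed hours before `probe_budget` probes have been sent.

    If the device fails after a fixed number of probes, this predicts how
    long it survives under a different rate or mode.
    """
    per_sample = 1 if final_only else hops
    samples_needed = -(-probe_budget // per_sample)  # ceiling division
    return samples_needed * interval_s / 3600

def constant_sample_count(observations, tolerance: float = 0.01) -> bool:
    """True if every (hours, interval_s) observation yields the same sample count.

    A constant count across rates supports 'it is the number of packets';
    a count that shrinks as the interval grows points elsewhere.
    """
    counts = [samples_in(h, i) for h, i in observations]
    return max(counts) - min(counts) <= tolerance * max(counts)

if __name__ == "__main__":
    # The two observations reported in the thread: 21 h at 15 s, 55 h at 60 s.
    thread = [(21, 15), (55, 60)]
    for hours, interval in thread:
        print(f"{hours} h at {interval} s -> {samples_in(hours, interval)} samples")
    print("same sample count at both rates:", constant_sample_count(thread))
    # Prediction for the 'final destination only' test, assuming a 4-hop path:
    budget = probes_in(samples_in(21, 15), hops=4, final_only=False)
    print("trace mode fails after", hours_until(budget, 15, 4, False), "h")
    print("final-only predicted  ", hours_until(budget, 15, 4, True), "h")
```

With the thread's own numbers the two runs come out at 5040 and 3300 samples, which is the comparison Pete asks for before switching to final destination only.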