Ask Your Question
0

Trying to Understand TTL with Cisco Meraki

asked 2024-10-22 23:17:14 +0000

DanShev gravatar image

updated 2024-10-22 23:26:46 +0000

I have a client side capture of a cisco meraki sending me a reset packet for specific packets. The TTL for this packet is 250. However, for packets that do succeed and don't get reset the TTL is 127. I understand that cisco will increase the TTL to 256, but in comparison to the successful packets, there is only 1 hop. So I would expect 255 instead of 250.

The reason for the reset isn't super clear. What I know is that it was a false flag by snort. We resolved the reset issue, I'm only interested in the hops that I saw.

Can I infer that when cisco "processes" a packet, determine it's suspicious and sends a reset, that it can get decremented multiple times? Or is this flawed thinking?

I'm just trying to understand how this reset packet had 6 hops instead of 1. Even potential answers as the entire configuration isn't known. I was under the impression that whenever a packet is routed, the ttl is decremented. But we only have the client, meraki as the middle-man, and the server. My understanding is either flawed, or the meraki is routing the traffic multiple times "within itself".

Apologies, I am new to networking.

edit retag flag offensive close merge delete

Comments

That Is flawed thinking, there's no proof that the reset packet is created with a TTL of 255 (that's the max, not 256). There's probably not even a hop, so most likely the reset packet is created with a TTL of 250.

Jaap gravatar imageJaap ( 2024-10-23 06:19:06 +0000 )edit

Thanks for your response. I see my mistake on the 255 default cisco TTL. But if it's not hoping, why would it even be reduced to 250?

DanShev gravatar imageDanShev ( 2024-10-23 21:03:20 +0000 )edit
Chuckc gravatar imageChuckc ( 2024-10-25 11:26:07 +0000 )edit

Well, I was looking for TTL=250 in combination with Meraki and that question popped up. So I looked at those pcap and it seems the Meraki has a default TTL of 250...

SYN-bit gravatar imageSYN-bit ( 2024-10-25 12:53:53 +0000 )edit

That would explain it... For some reason I keep seeing 255 through the interwebs... Any chance anyone has cisco documentation or anything that confirms 250 being the cisco default?

DanShev gravatar imageDanShev ( 2024-10-30 22:49:29 +0000 )edit

1 Answer

Sort by ยป oldest newest most voted
0

answered 2024-10-24 19:23:25 +0000

Jaap gravatar image

There's no rule or requirement that a packet needs to be created with a TTL of 255. Any TTL which is deemed to give the packet enough reach through the internet suffices.

The IETF has to say something about that, in RFC 1122, section 3.2.1.7. It states "The current suggested value will be published in the "Assigned Numbers" RFC", which we now find at IANA.

IANA currently says in its "Internet Protocol Version 4 (IPv4) Parameters" for "IP Time to Live Parameter": "The current recommended default time to live (TTL) for the Internet Protocol (IP) is 64 [RFC791][RFC1122]."

So even 250 can be considered high.

edit flag offensive delete link more

Comments

It just comes down to what has Cisco decided to set as the default for Meraki. Throughout the internet I've seen 255 be used as Cisco's Max. I'm trying to understand the discrepency of that based off what I observed.

DanShev gravatar imageDanShev ( 2024-10-31 15:31:00 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2024-10-22 23:17:14 +0000

Seen: 105 times

Last updated: Oct 24