ICMP type 3 destination unreachable packet dropped

Description

ICMP type 3 code 3 packets are dropped due to Policy Drop when a server sends a UDP packet with an ICMP reinforce to validate the receiving packet.

A packet capture shows the packets being received, but the Event Log shows they were dropped due to policy.

The packets are ICMP type 3 (Destination unreachable) code 3 (Port unreachable).

Cause

The servers communicate over the UDP transport protocol. UDP itself has no way to inform the sender when a port is unavailable.

ICMP is used for that purpose. When the port is not available on the server, the server responds with ICMP type 3 code 3.

The firewall drops this ICMP packet.

Resolution

Resolution for SonicOS 7.X

This release includes significant user interface changes and many new features that are different from the SonicOS 6.5 and earlier firmware. The below resolution is for customers using SonicOS 7.X firmware.


  • Access the internal settings of the firewall and look for ICMP settings.
  • Disable option: Enable enforcement of Dropping Unreachable ICMP packet.

Resolution for SonicOS 6.5

This release includes significant user interface changes and many new features that are different from the SonicOS 6.2 and earlier firmware. The below resolution is for customers using SonicOS 6.5 firmware.


  • Access the internal settings of the firewall and look for ICMP settings.
  • Disable option: Enable enforcement of Dropping Unreachable ICMP packet.
