icmp ping log

eppiet
Level 1

My Internet connection went down yesterday.

In my PIX log, I notice I have a lot of pings from my ISP's router:

%PIX-4-106023: Deny icmp src outside:123.456.789.1 dst inside:192.168.1.1 (type 3, code 1) by access-group "outside_access_in"

Typically if a ping did not get through it will be a type 8 code 0. What would generate a type 3 code 1 error?

Thank you.

Eppie

4 Replies

scoclayton
Level 7

I am sure you already looked this up but I will also post the information in case anyone else is interested - http://www.iana.org/assignments/icmp-parameters

My first guess would be that 192.168.1.1 (in your example above) is infected with some sort of virus that is causing this host to spit out random ICMP packets. You would get the Type 3 code 1 ICMP messages back from your upstream router if he didn't have a destination route for that host.

This could also be a sign of someone playing with a smurf attack.

Difficult to say for sure though.

Scott

I had more information from my ISP. He said that my local loop was down. In this case, the ICMP (type 3 code 1) packets are returned to my internal systems from the router when my systems tried to connect to somewhere.

I thought that ICMP replies only as a result of ICMP requests. If my system tried to connect to somewhere, would it generate an ICMP request?

Eppie

Yep, that sounds like a logical answer as well. Sorry I didn't think of that option initially.

ICMP packets are used for many purposes other than ICMP requests. For instance, fragmentation/MTU messages are often ICMP packets.

Scott

Where can I find more information on purposes of icmp packets? It will definitely help to do troubleshooting.

Thank you.

Eppie
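
Added example, not part of the thread or any poster's code: a small Python parser for the %PIX-4-106023 deny line quoted in the question. It maps the ICMP type and code to their names from the IANA registry linked above and separates error reports such as type 3 code 1 (host unreachable) from echo traffic. The name tables are a subset of that registry, the function names are hypothetical, and the second and third sample lines are constructed.

```python
import re
from collections import Counter

# Subset of the IANA ICMP parameters registry; extend as needed.
ICMP_TYPES = {0: "echo reply", 3: "destination unreachable",
              4: "source quench (deprecated)", 5: "redirect",
              8: "echo request", 11: "time exceeded", 12: "parameter problem"}
UNREACH_CODES = {0: "network unreachable", 1: "host unreachable",
                 2: "protocol unreachable", 3: "port unreachable",
                 4: "fragmentation needed and DF set",
                 13: "communication administratively prohibited"}
ERROR_TYPES = {3, 4, 5, 11, 12}   # report a problem with an earlier packet
ECHO_TYPES = {0, 8}               # ping reply / ping request

DENY_ICMP = re.compile(
    r'%PIX-\d-106023: Deny icmp src (?P<src_if>[^:\s]+):(?P<src>\S+) '
    r'dst (?P<dst_if>[^:\s]+):(?P<dst>\S+) '
    r'\(type (?P<type>\d+), code (?P<code>\d+)\) '
    r'by access-group "(?P<acl>[^"]+)"')

def classify(line):
    """Parse one 106023 ICMP deny line; return None if it does not match."""
    m = DENY_ICMP.search(line)
    if m is None:
        return None
    t, c = int(m["type"]), int(m["code"])
    meaning = ICMP_TYPES.get(t, f"type {t}")
    if t == 3:
        meaning += ": " + UNREACH_CODES.get(c, f"code {c}")
    kind = "error" if t in ERROR_TYPES else "echo" if t in ECHO_TYPES else "other"
    return {"src": m["src"], "dst": m["dst"], "acl": m["acl"],
            "type": t, "code": c, "meaning": meaning, "kind": kind}

def summarize(lines):
    """Count denied ICMP messages per (source, meaning, kind)."""
    recs = filter(None, map(classify, lines))
    return Counter((r["src"], r["meaning"], r["kind"]) for r in recs)

SAMPLE = [  # first line is from the post; the other two are constructed
    '%PIX-4-106023: Deny icmp src outside:123.456.789.1 dst inside:192.168.1.1 '
    '(type 3, code 1) by access-group "outside_access_in"',
    '%PIX-4-106023: Deny icmp src outside:203.0.113.7 dst inside:192.168.1.1 '
    '(type 8, code 0) by access-group "outside_access_in"',
    '%PIX-6-302013: Built outbound TCP connection (constructed, not ICMP)',
]

if __name__ == "__main__":
    for (src, meaning, kind), n in summarize(SAMPLE).items():
        print(f"{n:3d}  {src:15s}  {kind:5s}  {meaning}")
```

A burst of "error" rows from a single upstream router, as in the log above, points at routing or link trouble reported back to inside hosts rather than at someone pinging the firewall.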