05-14-2004 02:43 AM - edited 03-09-2019 07:22 AM
Hi I notice that we are receiving the following:
ICMP: Type = 3 (Destination unreachable)
ICMP: Code = 3 (UDP port 42309 unreachable)
when doing DNS queries through a firewall. It seems to be fairly consistent that whenever the query takes longer than 5 - 10 seconds, we receive the above ICMP response.
Any ideas as to why this is happening, and where exactly it is coming from?
Many thanks
Ian Vickery
05-14-2004 03:49 AM
I believe that it is due to path MTU discovery; some systems such as IBM's AIX use MTU discovery for UDP as well as TCP packets. It could also be due to a traceroute packet. Some systems use high-end UDP ports for traceroute, instead of ICMP packets.
To determine the true source, look at the dest. IP address of the ICMP message from the firewall. Does it correlate to the DNS requestor's source IP?
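The check suggested in this reply can be made precise by decoding the ICMP message itself: a Destination Unreachable message quotes the IP header and first 8 bytes of the datagram it refers to, so the quoted UDP source port tells you which DNS query it belongs to, independent of who put their address on the outer header. The following is an added example, not code from the thread or from Cisco; it builds a constructed type 3 / code 3 message using documentation addresses (192.0.2.53 as the DNS server, 198.51.100.10 as the requestor) and decodes it. The function names and the sample values are assumptions for illustration.

```python
import ipaddress
import struct

# Added example (not from the thread): build and decode an ICMP
# Destination Unreachable / Port Unreachable message (RFC 792) so the
# quoted inner header can be matched against the DNS requestor's flow.

IPV4_FMT = "!BBHHHBBH4s4s"   # ver/ihl, tos, len, id, frag, ttl, proto, csum, src, dst


def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum (odd length padded with a zero byte)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header with a correct header checksum."""
    fields = [0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
              ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed]
    fields[7] = inet_checksum(struct.pack(IPV4_FMT, *fields))
    return struct.pack(IPV4_FMT, *fields)


def port_unreachable(reporter: str, orig_src: str, orig_dst: str,
                     sport: int, dport: int, udp_len: int = 45) -> bytes:
    """Build the message a host emits for an unanswered UDP datagram:
    ICMP header, then the offending datagram's IP header plus 8 bytes (its UDP header).
    udp_len is the original datagram's UDP length (a typical DNS query here)."""
    quoted_udp = struct.pack("!HHHH", sport, dport, udp_len, 0)
    quoted = ipv4_header(orig_src, orig_dst, 17, udp_len) + quoted_udp
    body = struct.pack("!BBHI", 3, 3, 0, 0) + quoted           # checksum field zeroed
    icmp = struct.pack("!BBHI", 3, 3, inet_checksum(body), 0) + quoted
    return ipv4_header(reporter, orig_src, 1, len(icmp)) + icmp


def parse_port_unreachable(pkt: bytes) -> dict:
    """Return who reported the error, the ICMP type/code, the outer TTL, and
    the original flow recovered from the quoted inner header."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 1:
        raise ValueError("not an ICMP packet")
    icmp = pkt[ihl:]
    if inet_checksum(icmp) != 0:            # a correct checksum folds the sum to zero
        raise ValueError("bad ICMP checksum")
    inner = icmp[8:]
    inner_ihl = (inner[0] & 0x0F) * 4
    sport, dport = struct.unpack("!HH", inner[inner_ihl:inner_ihl + 4])
    return {
        "reporter": str(ipaddress.IPv4Address(pkt[12:16])),
        "reported_to": str(ipaddress.IPv4Address(pkt[16:20])),
        "outer_ttl": pkt[8],
        "type": icmp[0], "code": icmp[1],
        "orig_proto": inner[9],
        "orig_src": str(ipaddress.IPv4Address(inner[12:16])), "orig_sport": sport,
        "orig_dst": str(ipaddress.IPv4Address(inner[16:20])), "orig_dport": dport,
    }


def matches_query(info: dict, client: str, client_port: int, server: str) -> bool:
    """Does this unreachable point back at the DNS requestor's own query flow?
    Compare the quoted header, not only the outer addresses."""
    return ((info["type"], info["code"]) == (3, 3) and info["orig_proto"] == 17
            and info["reported_to"] == client
            and info["orig_src"] == client and info["orig_sport"] == client_port
            and info["orig_dst"] == server and info["orig_dport"] == 53)


# Constructed sample (documentation address ranges): the DNS server 192.0.2.53
# reports that a datagram from 198.51.100.10:42039 to its port 53 was unreachable.
SAMPLE = port_unreachable("192.0.2.53", "198.51.100.10", "192.0.2.53", 42039, 53)

if __name__ == "__main__":
    info = parse_port_unreachable(SAMPLE)
    print(info)
    print("correlates with the DNS requestor:",
          matches_query(info, "198.51.100.10", 42039, "192.0.2.53"))
```

The outer source address only says who claims to have sent the error; the quoted header says which datagram triggered it. When the two disagree with what the requestor actually sent, or when the outer TTL of the ICMP message differs from the TTL seen on the server's UDP replies, the message was generated by a different hop than the one the address suggests.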
05-14-2004 08:22 PM
Yes, it does correlate to the DNS requestor's source IP.
The flows are as follows.
SA x.x.x.x SP 42039 DA y.y.y.y DP 53
SA y.y.y.y SP 53 DA x.x.x.x DP 42039
SA y.y.y.y DA x.x.x.x ICMP type 3 code 3
This appears to be fairly consistent when the response takes longer than 5-10 seconds.
It appears that the firewall is injecting the second ICMP packet. The ICMP packet arrives at the receiving host straight after the UDP reply packet.
Is it possible for the firewall to be sending the ICMP packet? We are using a FWSM in this case.
Many thanks
Ian Vickery
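The three-packet pattern laid out in this post (query, late reply, then an ICMP type 3 / code 3 from the server's address to the requestor) can be flagged automatically from flow records so the "longer than 5-10 seconds" observation can be confirmed across many queries. This is an added example, not code from the thread or from the FWSM; the record layout, the function names and the sample records (documentation addresses, times in seconds) are all assumptions made up for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List

# Added example (not from the thread): pair DNS queries with their replies and
# flag any ICMP 3/3 from the server to the client arriving right after the reply,
# reporting the query-to-reply latency alongside.  Record layout is assumed.


@dataclass
class Flow:
    ts: float          # seconds
    proto: str         # "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0     # udp only
    dport: int = 0
    itype: int = -1    # icmp only
    icode: int = -1


def find_unreachable_after_reply(flows: List[Flow], late_threshold: float = 5.0,
                                 window: float = 1.0) -> List[Dict]:
    """For each DNS query/reply pair, look for an ICMP 3/3 from the server to the
    client within `window` seconds after the reply.  `late` marks pairs whose
    reply took at least `late_threshold` seconds."""
    ordered = sorted(flows, key=lambda f: f.ts)
    unreachables = [f for f in ordered
                    if f.proto == "icmp" and (f.itype, f.icode) == (3, 3)]
    pending: Dict[tuple, Flow] = {}
    findings: List[Dict] = []
    for f in ordered:
        if f.proto != "udp":
            continue
        if f.dport == 53:                      # query: remember it by 4-tuple
            pending[(f.src, f.sport, f.dst, f.dport)] = f
            continue
        if f.sport == 53:                      # reply: match the reversed 4-tuple
            q = pending.pop((f.dst, f.dport, f.src, f.sport), None)
            if q is None:
                continue
            for u in unreachables:
                if u.src == f.src and u.dst == f.dst and f.ts <= u.ts <= f.ts + window:
                    latency = f.ts - q.ts
                    findings.append({
                        "client": q.src, "client_port": q.sport, "server": q.dst,
                        "query_to_reply_s": round(latency, 3),
                        "reply_to_icmp_s": round(u.ts - f.ts, 3),
                        "late": latency >= late_threshold,
                    })
                    break
    return findings


# Constructed sample records: 198.51.100.10 queries the DNS server 192.0.2.53.
SAMPLE = [
    Flow(0.00, "udp", "198.51.100.10", "192.0.2.53", 42039, 53),
    Flow(7.20, "udp", "192.0.2.53", "198.51.100.10", 53, 42039),        # slow reply
    Flow(7.21, "icmp", "192.0.2.53", "198.51.100.10", itype=3, icode=3),
    Flow(10.00, "udp", "198.51.100.10", "192.0.2.53", 50001, 53),
    Flow(10.05, "udp", "192.0.2.53", "198.51.100.10", 53, 50001),       # fast, no ICMP
    Flow(20.00, "udp", "198.51.100.10", "192.0.2.53", 50002, 53),
    Flow(26.00, "udp", "192.0.2.53", "198.51.100.10", 53, 50002),       # slow reply
    Flow(26.01, "icmp", "192.0.2.53", "198.51.100.10", itype=3, icode=3),
    Flow(30.00, "udp", "198.51.100.10", "192.0.2.53", 50003, 53),
    Flow(30.30, "udp", "192.0.2.53", "198.51.100.10", 53, 50003),       # fast reply ...
    Flow(30.31, "icmp", "192.0.2.53", "198.51.100.10", itype=3, icode=3),  # ... but still ICMP
]

if __name__ == "__main__":
    for hit in find_unreachable_after_reply(SAMPLE):
        print(hit)
```

Correlation here is by addresses and timing only, which is what flow logs give you; when packet captures are available, the header quoted inside the ICMP message identifies the exact datagram and removes the guesswork. If every flagged pair turns out to be "late", the next thing to compare is the firewall's UDP connection idle timeout against the observed query-to-reply latency.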