ICMP type 3 code 3 being received from the firewall

ivickery
Level 1

Hi, I notice that we are receiving the following:

ICMP: Type = 3 (Destination unreachable)

ICMP: Code = 3 (UDP port 42309 unreachable)

When doing DNS queries through a firewall, it seems to be fairly consistent that whenever the query takes longer than 5 - 10 seconds, we receive the above ICMP response.

Any ideas as to why this is happening, and where exactly it is coming from?

Many thanks

Ian Vickery

2 Replies

ehirsel
Level 6

I believe that it is due to path MTU discovery; some systems such as IBM's AIX use MTU discovery for UDP as well as TCP packets. It could also be due to a traceroute packet. Some systems use high-end UDP ports for traceroute, instead of ICMP packets.

To determine the true source, look at the dest. IP address of the ICMP message from the firewall. Does it correlate to the DNS requestor's source IP?

Yes, it does correlate to the DNS requestor's source IP.

The flow is as follows.

SA x.x.x.x SP 42039 DA y.y.y.y DP 53

SA y.y.y.y SP 53 DA x.x.x.x DP 42039

SA y.y.y.y DA x.x.x.x ICMP type 3 code 3

This appears to be fairly consistent when the response takes longer than 5-10 seconds.

It appears that the firewall is injecting the second ICMP packet. The ICMP packet arrives at the receiving host straight after the UDP reply packet.

Is it possible for the firewall to be sending the ICMP packet? We are using a FWSM in this case.

Many thanks

Ian Vickery
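
To act on the suggestion above of correlating the ICMP message with the DNS flow, this added example (not code from the thread's participants) parses a raw ICMP type 3 packet, extracts the original datagram that RFC 792 requires the error to quote, and reports whether that datagram was the DNS query or the reply. The addresses, port, sample packet and function names are constructed for illustration and are not the poster's capture.

```python
import socket
import struct

def parse_unreachable(pkt: bytes) -> dict:
    """Split a raw IPv4 ICMP type 3 packet into outer header and quoted datagram."""
    ihl = (pkt[0] & 0x0F) * 4
    if len(pkt) < ihl + 8 + 20 or pkt[0] >> 4 != 4 or pkt[9] != 1 or pkt[ihl] != 3:
        raise ValueError("not an IPv4 ICMP destination-unreachable packet")
    quoted = pkt[ihl + 8:]  # RFC 792: offending IP header + first 8 payload bytes
    q_ihl = (quoted[0] & 0x0F) * 4
    info = {
        "icmp_sender": socket.inet_ntoa(pkt[12:16]),    # device that generated the error
        "icmp_receiver": socket.inet_ntoa(pkt[16:20]),
        "ttl": pkt[8],                                  # outer TTL as seen at the capture point
        "code": pkt[ihl + 1],
        "q_src": socket.inet_ntoa(quoted[12:16]),
        "q_dst": socket.inet_ntoa(quoted[16:20]),
        "q_proto": quoted[9],
    }
    if info["q_proto"] == 17 and len(quoted) >= q_ihl + 4:  # quoted UDP ports
        info["q_sport"], info["q_dport"] = struct.unpack("!HH", quoted[q_ihl:q_ihl + 4])
    return info

def dns_leg(info: dict, client: str, cport: int, server: str) -> str:
    """Say which leg of the DNS exchange the quoted datagram belongs to."""
    quoted = (info["q_src"], info.get("q_sport"), info["q_dst"], info.get("q_dport"))
    if quoted == (client, cport, server, 53):
        return "query"
    if quoted == (server, 53, client, cport):
        return "reply"
    return "unrelated"

def ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int) -> bytes:
    """Build a minimal IPv4 packet for the sample (checksum left at 0, not verified)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload

# Constructed sample: documentation addresses stand in for x.x.x.x and y.y.y.y.
CLIENT, SERVER, CPORT = "192.0.2.10", "198.51.100.53", 42039
late_reply = ipv4(SERVER, CLIENT, 17, struct.pack("!HHHH", 53, CPORT, 8, 0), ttl=60)
SAMPLE = ipv4(CLIENT, SERVER, 1, struct.pack("!BBHI", 3, 3, 0, 0) + late_reply[:28], ttl=64)

if __name__ == "__main__":
    info = parse_unreachable(SAMPLE)
    print(info, dns_leg(info, CLIENT, CPORT, SERVER))
```

Feeding it the ICMP packet from a capture taken on each side of the firewall shows whether the sender address, TTL and quoted ports are the same on both sides.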