too many ICMP Unreachable/exceeded

tonny_ecmyy
Level 1

Hi there,

I have a problem here with a PIX 506E, and my network has been slow to death these 3 days. When I terminal monitor it (debugging mode) I saw there were a lot of ICMP unreachable and exceeded coming from unknown IPs, over 30 different IPs detected. But that is supposed to be information IDS, right? Not that kind of attack. Any possible cause of this problem?

Thanks

Accepted Solutions

mheusinger
Level 10

Hello, there can be many reasons.

Are you sure there is no worm in your network?

ICMP unreachable means that you sent an IP packet to a machine, which does not have the TCP/UDP port open. That can be the result of a worm scanning IP ranges for vulnerabilities and internet hosts answering.

ICMP time exceeded can occur after a traceroute or because of IP routing loops. There is nothing you can do about loops in the internet.

Hope this helps! Please rate all posts.

Regards, Martin

Hi,

Thanks for your reply.

I have 5 VPN connections to our main office here (pix-to-pix). Suppose one of the PCs at the remote site is infected by a worm; can the worm do that type of pinging to our main firewall here?

It could be the case. Based on the information given it is only one option of several. It could be normal internet traffic and mere coincidence that you have performance problems.

Can you check the remote PCs? Is the traffic in question originated through the tunnel? Are the IPs in the internet or in RFC 1918 IP address space?

Regards, Martin
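
The triage asked for in the reply above (which sources are RFC 1918, which are public, and which host the ICMP errors are addressed to) can be scripted over saved firewall output. This is an added example, not part of the original thread; the log line layout and the sample lines are constructed assumptions, not real PIX output, and the names `triage` and `busiest_destination` are hypothetical.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# RFC 1918 ranges only. ipaddress's is_private is broader (loopback,
# link-local, documentation ranges), so membership is tested explicitly.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumed line layout, not real PIX output; adapt the pattern to your logs.
LINE_RE = re.compile(r"ICMP (unreachable|time exceeded) from (\S+) to (\S+)")

# Constructed sample: three public sources answer one inside host, plus one
# private source reporting time exceeded to another host.
SAMPLE_LOG = """\
ICMP unreachable from 203.0.113.7 to 192.168.1.20
ICMP unreachable from 198.51.100.9 to 192.168.1.20
ICMP unreachable from 203.0.113.7 to 192.168.1.20
ICMP time exceeded from 192.0.2.33 to 192.168.1.20
ICMP time exceeded from 172.16.5.1 to 192.168.1.44
not an ICMP line
"""

def is_rfc1918(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)

def triage(log_text):
    """Tally message kinds per source and distinct sources per destination."""
    by_source = defaultdict(Counter)
    by_dest = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        kind, src, dst = m.groups()
        try:
            scope = "rfc1918" if is_rfc1918(src) else "public"
        except ValueError:
            continue  # skip lines whose source is not a valid IP address
        by_source[(src, scope)][kind] += 1
        by_dest[dst].add(src)
    return by_source, by_dest

def busiest_destination(by_dest):
    """Destination that the most distinct sources sent ICMP errors to."""
    return max(by_dest, key=lambda d: len(by_dest[d]))

if __name__ == "__main__":
    sources, dests = triage(SAMPLE_LOG)
    for (src, scope), kinds in sorted(sources.items()):
        print(f"{src:15} {scope:8} {dict(kinds)}")
    print("most ICMP error sources ->", busiest_destination(dests))
```

Because ICMP unreachable messages are answers to packets that were sent, a destination that collects errors from many distinct sources is the inside host to inspect first.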

Hello Martin,

I notice that some of the IPs are coming from the VPN tunnel (show isakmp sa), but the weird thing is, the pinging is using public IPs, and yes, it's RFC 1918 address space (Malaysia range IP). Thanks for your valuable info.
