
c2921 router uncommanded icmp packets transmitted

bryantsteve
Level 1

C2921 router interface with no routing protocols (using only static routes) has IPv6 configured, no IP redirects and no IP unreachables; globally vstack is disabled; IOS version 15.5(3)M8. The interface is sending out ICMP packets. I can't determine how or why the router is behaving this way. Does anyone have an idea why this would be happening and what action I can take to stop it? Thanks

Accepted Solutions

Hi,

ICMP type 11 code 0 is a TTL Expired packet, and code 0 may be received from a gateway. If it is a small amount of traffic then you can ignore it, because this may possibly be a routing loop somewhere on the destination network; the sender is trying with a lower TTL count.

If you are looking at a massive amount of traffic then it may be an attack on your network. The purpose of this attack is to keep your router busy and get unauthorized entry into your network.

https://www.cisco.com/c/en/us/about/security-center/ttl-expiry-attack.html

 

Regards,

Deepak Kumar


5 Replies

balaji.bandi
Hall of Fame

Can you please show us your configuration and give some example logs that show what kind of ICMP messaging is going out, using what source IP and to what destination?

 

BB


x.x.x.30 is the c2921 router interface. The following log is from the next-hop border router. The indication that something was amiss came from IDS monitoring; I applied this filtering ACL on the border router gateway interface to gain visibility...

I'm not sure at this point how the target IPs are being determined by the router.

   

Mar 28 20:50:48.756 UTC: %FMANFP-6-IPACCESSLOGDP: SIP0: fman_fp_image: list sicmp filter denied icmp X.X.X..30 -> y.y.y.y  (11/0), 1 packet
Mar 28 20:50:51.237 UTC: %FMANFP-6-IPACCESSLOGDP: SIP0: fman_fp_image: list icmp filter  denied icmp 198.91.71.30 -> z.z.z.z (11/0), 1 packet

 

interface GigabitEthernetx/x

ip address x.x.x.30 255.255.255.192
no ip redirects
no ip unreachables
no ip proxy-arp
duplex auto
speed auto
ipv6 address xxxx:xxx:xxx:xxxxx::30/64
ipv6 enable
ipv6 nd ra suppress
no ipv6 redirects
no ipv6 unreachables

 

 

Hi, ICMP Type 11/Code 0 - is TTL exceeded - When using traceroute, each hop sends a TTL exceeded message upon TTL expiring, identifying each hop in the path.

HTH

Thanks. I'll work on trying to figure out what might be causing the routing loops.
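
One way to put numbers on the "small amount versus massive amount" distinction from the accepted solution, using the ACL log format posted in the thread. This is an added example, not part of any post; the sample lines, the ACL name, the 60-second window and the threshold of 100 packets are assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Matches the %FMANFP-6-IPACCESSLOGDP ACL log format quoted in the thread.
LOG_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d)\.\d+ \w+: %FMANFP-6-IPACCESSLOGDP: .*?"
    r"denied icmp (\S+) -> (\S+)\s+\((\d+)/(\d+)\), (\d+) packet")

def parse_line(line):
    """Return (seconds, src, dst, icmp_type, icmp_code, packets) or None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    # The log carries no year; a fixed leap year keeps Feb 29 parseable.
    when = datetime.strptime("2000 " + m.group(1), "%Y %b %d %H:%M:%S")
    secs = int((when - datetime(2000, 1, 1)).total_seconds())
    return (secs, m.group(2), m.group(3), *map(int, m.group(4, 5, 6)))

def ttl_exceeded_report(lines, window_s=60, threshold=100):
    """Per source: total type 11/code 0 packets, distinct destinations, busiest
    window, and a flag when that window exceeds the (assumed) threshold."""
    per_window = defaultdict(Counter)   # src -> {window index: packets}
    dsts = defaultdict(set)
    for rec in filter(None, map(parse_line, lines)):
        secs, src, dst, itype, icode, pkts = rec
        if (itype, icode) != (11, 0):
            continue
        per_window[src][secs // window_s] += pkts
        # A Time Exceeded message is addressed to the sender of the packet
        # whose TTL ran out, so dst identifies who sent the low-TTL traffic.
        dsts[src].add(dst)
    return {src: {"total": sum(w.values()), "destinations": len(dsts[src]),
                  "peak": max(w.values()), "flag": max(w.values()) > threshold}
            for src, w in per_window.items()}

# Constructed sample log (documentation addresses, invented ACL name).
SAMPLE = """\
Mar 28 20:50:48.756 UTC: %FMANFP-6-IPACCESSLOGDP: SIP0: fman_fp_image: list ICMP-FILTER denied icmp 192.0.2.30 -> 198.51.100.7  (11/0), 1 packet
Mar 28 20:50:51.237 UTC: %FMANFP-6-IPACCESSLOGDP: SIP0: fman_fp_image: list ICMP-FILTER denied icmp 192.0.2.30 -> 203.0.113.9 (11/0), 250 packets
Mar 28 20:53:02.010 UTC: %FMANFP-6-IPACCESSLOGDP: SIP0: fman_fp_image: list ICMP-FILTER denied icmp 192.0.2.30 -> 198.51.100.7 (11/0), 3 packets
Mar 28 20:53:05.400 UTC: %FMANFP-6-IPACCESSLOGDP: SIP0: fman_fp_image: list ICMP-FILTER denied icmp 192.0.2.31 -> 198.51.100.7 (3/1), 40 packets
""".splitlines()

if __name__ == "__main__":
    for src, stats in ttl_exceeded_report(SAMPLE).items():
        print(src, stats)
```

A handful of packets spread over many windows points toward the benign case described in the accepted solution, while a high peak in a single window is the pattern worth investigating.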
