Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
8998
Views
44
Helpful
45
Replies

What does ICMP message (11,1) mean?

Go to solution
jgtheodor
Level 1
Level 1

‎12-03-2009 12:49 AM - edited ‎03-04-2019 06:52 AM

Hi,

I am working in a DMVPN environment with two HUB and 25 Spoke routers. There are mGRE tunnels everywhere with the same basic configuration. There are also attached in WAN Serial & ADSL interfaces Extended Access Lists permitting only the esp and ISAKMP (udp 500) packets. Every day in the Primary HUB router I see the following log messages:

 
Dec 03 08:52:57 172.16.250.2 2528762: Dec  3 08:52:44.143: %SEC-6-IPACCESSLOGDP: list WAN denied icmp 10.195.35.30 -> 192.168.192.1 (11/1), 13 packets 
Dec 03 08:52:57 172.16.250.2 2528763: Dec  3 08:52:44.143: %SEC-6-IPACCESSLOGDP: list WAN denied icmp 10.195.35.26 -> 192.168.192.1 (11/1), 8 packets 
Dec 03 08:52:57 172.16.250.2 2528764: Dec  3 08:52:44.143: %SEC-6-IPACCESSLOGDP: list WAN denied icmp 10.195.35.82 -> 192.168.192.1 (11/1), 1 packet 
Dec 03 08:53:57 172.16.250.2 2528765: Dec  3 08:53:44.148: %SEC-6-IPACCESSLOGDP: list WAN denied icmp 10.195.35.78 -> 192.168.192.1 (11/1), 8 packets

The source IP Addresses are the WAN IP addresses of all Spoke routers and the IP address 192.168.192.1 is the Loopback IP address of Primary HUB router. Similar log messages I see in every Spoke router, with source IP Address the Primary HUB WAN Interface and destination IP Addresses the Loopback IP Addresses of all other Spoke routers. As far I know there is no any fragmentation issue, and everything works fine. But the answer remains:

Where these ICMP packets come from?

Can anyone help me answer this question?

Thanks in advance!

Labels:
0 Helpful
45 Replies 45

Go to solution
marikakis
Level 7
Level 7
In response to Giuseppe Larosa

‎12-20-2009 01:15 AM

Yeah Mike, good job! May the Greek Gods be with you! You have also managed to make Giuseppe throw a good joke! Giuseppe is typically very professional and serious. You couldn't help yourself Giuseppe this time, could you? 

I just wanted to say to John that this is a forum of volunteers and such treatment cannot normally be expected, although it can happen as we have seen. Next time John, try to push more your representatives supposed to resolve such issues for you. Pushing other engineers is not an engineer's favorite kind of task, but sometimes a man's gotta do what a man's gotta do! As I have said in a previous post, sometimes tactics help resolve issues better than knowledge and debugging.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card