Cisco VPN Client & ICMP Unreachable

admin_2
Level 3

Hi there,

We have a PIX 515E firewall with IPSEC VPN (UDP) enabled on interface outside. We noticed recently that one of our vendors, which is connected to the VPN, is transmitting large amounts of ICMP protocol unreachable traffic. This happens only when the vendor is connected using Cisco VPN Client v4.02.

It looks to us like a flood of ICMP protocol unreachable packets directed to the firewall's outside interface IP address. Have any of you guys seen this before? What could be the cause of it?

3 Replies

ehirsel
Level 6

Can you post some of the messages here? I am not aware of any issues with many icmp unreachables using the vpn client.

My only thought right now is if the vpn client has the integrated firewall turned on, and is using ftp in port mode, not passive, the firewall is blocking the ftp data connection in response to a request (dir, get/put, etc) to an ftp command over the control channel. It could be the ftp generating those icmp unreachables.

One other question: Are you enabling split-tunneling on the vpn connections?

Not applicable

Ok, here it is:

Denied ICMP type=3, code=2 from xxx.xxx.xxx.xxx on interface 0

313001: Denied ICMP type=3, code=2 from xxx.xxx.xxx.xxx on interface 0

313001: Denied ICMP type=3, code=2 from xxx.xxx.xxx.xxx on interface 0

Have replaced the actual IP with xxx for confidentiality purposes.

I did not enable split tunnelling. The vpn client's integrated firewall is not turned on either.

The pix detects the icmp on the interface, but the target of the icmp message may be an internal host.

Is the target expecting the client to use GRE/PPTP?

The code=3 type=2 means that an ip protocol frame, other than tcp or udp, was sent - in this case to the vpn client and it is reporting back that there is no other ip protocol in use.

What are the target systems that the vpn client is supposed to connect to?
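
Added example, not part of any post in this thread: ICMP type 3, code 2 is "protocol unreachable", and per RFC 792 the message carries the IP header of the datagram that triggered it, so a capture of these packets shows which IP protocol (for example GRE or ESP) the sender rejected. The sketch below tallies the 313001 lines per source and decodes that embedded protocol field; the function names, sample addresses and sample packet are constructed for illustration, and it assumes a packet capture of the ICMP messages is available.

```python
import re
import struct
from collections import Counter

# Message text as quoted in the thread (PIX syslog 313001).
LOG_RE = re.compile(r"Denied ICMP type=(\d+), code=(\d+) from (\S+) on interface (\S+)")
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP", 47: "GRE", 50: "ESP", 51: "AH"}

def tally_denied_icmp(lines):
    """Count denied ICMP messages per (source, type, code)."""
    counts = Counter()
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            counts[(m.group(3), int(m.group(1)), int(m.group(2)))] += 1
    return counts

def rejected_protocol(icmp_msg):
    """Return (number, name) of the IP protocol a type 3 / code 2 message rejects.

    RFC 792: the 8-byte ICMP header is followed by the IP header of the
    datagram that triggered the error, plus the first 8 bytes of its payload.
    """
    if len(icmp_msg) < 8 + 20:
        raise ValueError("too short to carry an embedded IPv4 header")
    if (icmp_msg[0], icmp_msg[1]) != (3, 2):
        raise ValueError("not an ICMP protocol-unreachable message")
    inner = icmp_msg[8:]
    if inner[0] >> 4 != 4:
        raise ValueError("embedded header is not IPv4")
    proto = inner[9]  # protocol field of the rejected datagram
    return proto, PROTO_NAMES.get(proto, "unknown")

def build_sample(proto):
    """Constructed ICMP message (checksums left at zero, not validated here)."""
    inner = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, proto, 0,
                        bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))
    return struct.pack("!BBHI", 3, 2, 0, 0) + inner + b"\x00" * 8

# Constructed log lines; 198.51.100.7 is a documentation address.
SAMPLE_LOG = [
    "313001: Denied ICMP type=3, code=2 from 198.51.100.7 on interface 0",
    "313001: Denied ICMP type=3, code=2 from 198.51.100.7 on interface 0",
    "Denied ICMP type=3, code=2 from 198.51.100.7 on interface 0",
]

if __name__ == "__main__":
    print(tally_denied_icmp(SAMPLE_LOG))
    print(rejected_protocol(build_sample(50)))
```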