Setting icmp unreachables limit - ASA

Posted by Pseto on June 11, 2008, 10:13 am
How to set up the ICMP unreachable limit in ASA (Software Version 7.0(6))? I
tried with the icmp unreachable rate-limit command, but it seems that this
command is not supported on my ASA.
The reason I want to change the defaults is that I want my ASA to generate such
messages a little bit faster, because I believe that the default value causes
some problems with specific connections.

regards


Posted by Andrey Tarasov on June 11, 2008, 12:48 pm
Pseto wrote:
> How to set up the ICMP unreachable limit in ASA (Software Version 7.0(6))? I
> tried with the icmp unreachable rate-limit command, but it seems that this
> command is not supported on my ASA.
> The reason I want to change the defaults is that I want my ASA to generate
> such messages a little bit faster, because I believe that the default value
> causes some problems with specific connections.

Do you mind describing what kind of connections those are? I can think
of only one scenario where ICMP unreachables are used - path MTU
discovery. And the ASA (like the PIX) has a sysopt command to lower MSS. If I
remember correctly it's 1300 by default.

Regards,
Andrey.

Posted by Pseto on June 12, 2008, 4:00 am
It's a Cisco VPN client behind my ASA that needs to connect to the LAN behind
a Cisco 851 router with an EasyVPN server on it. This 851 router is connected to
the Internet with PPPoE. I manage to establish the VPN client successfully with
tens of other Easy VPN servers (not connected with PPPoE), but this one. On
the other side, I can establish a connection with this PPPoE VPN server if the
client is behind a Linksys broadband router with a PPPoE connection... So, I
believe it has to be an MTU issue. Since it's about a UDP connection, I don't see
how MSS would help.
Inspecting traffic with Wireshark I noticed the following: sending ping
(with DF set) packets exceeding the MTU value of the outside ASA interface forces
the ASA to send unreachables, but it sends maybe one or two unreachable packets
per minute. Maybe the VPN client connection timeout interval is too short, so
it doesn't see the unreachables and cannot perform PMTUD.




Posted by Pseto on June 13, 2008, 10:33 am
It appears that, after all, the problem lies somewhere in my ISP's network. I just
plugged in my laptop instead of the ASA right behind the ISP router and the VPN connection
still does not work?! ;)

regards


> How to set up the ICMP unreachable limit in ASA (Software Version 7.0(6))? I
> tried with the icmp unreachable rate-limit command, but it seems that this
> command is not supported on my ASA.
> The reason I want to change the defaults is that I want my ASA to generate such
> messages a little bit faster, because I believe that the default value causes
> some problems with specific connections.
>
> regards
>

