[c-nsp] ICMP unreachable packets handling on IOS firewall (Zone-based not CBAC)

Anthony GUENEAU anthony.gueneau at gmail.com
Tue Apr 28 15:56:45 EDT 2009


Hello,


I recently configured a Cisco 3825 router with the IOS firewall, running
Zone-based Policy Firewall feature.

I'm experiencing the following issue:

ICMP unreachable packets with code 4 (Fragmentation required, and DF flag
set) passing through the fw-router are properly processed at the router
layer (watched with debug ip packet) BUT seem to be completely ignored at
the firewall/inspection layer! No match, no logging.

Is this the regular behavior of the IOS firewall? If yes, I would like to know
how to work around this issue.

Indeed, because of that, ICMP unreachable packets do not reach the initial
sender (asking it to fragment), and some TCP flows passing through the
fw-router hang.

Any help would be very welcome :)

Many thanks!

Anthony
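The post describes the classic PMTUD black hole: an ICMP type 3 code 4 error is a new packet from the router's address, so its outer 5-tuple never matches any session in a stateful inspector; the error can only be correlated with a flow by parsing the original IP/TCP header it carries. The following is an added model of that lookup, written for this page and not Cisco's implementation or the IOS firewall's code. All packets, addresses and the session table are constructed for the example; checksums are left zero because nothing here is put on the wire.

```python
"""Stateful handling of ICMP "Fragmentation Needed" (type 3, code 4).

Added example: a toy inspector with a 5-tuple session table. It shows
why an inspector that matches only the outer header drops the error,
and how matching the embedded (original) header lets it through while
still dropping errors for flows that were never established.
"""
import struct
import ipaddress

ICMP_DEST_UNREACH = 3
ICMP_FRAG_NEEDED = 4
PROTO_ICMP = 1
PROTO_TCP = 6


def build_ipv4_header(src, dst, proto, total_len, df=True):
    """Minimal 20-byte IPv4 header; checksum zero (constructed sample)."""
    ver_ihl = (4 << 4) | 5
    flags_frag = 0x4000 if df else 0          # DF bit is bit 14 of the flags/offset field
    return struct.pack("!BBHHHBBH4s4s", ver_ihl, 0, total_len, 0x1234,
                       flags_frag, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)


def build_tcp_header(sport, dport, seq=1, ack=0, flags=0x18):
    """Minimal 20-byte TCP header (PSH|ACK by default); checksum zero."""
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0)


def build_frag_needed(router_ip, orig_ip_hdr, orig_l4_hdr, next_hop_mtu):
    """ICMP type 3 code 4 per RFC 792/1191: 4 unused-then-MTU bytes, then the
    original IP header plus the first 8 bytes of its payload, sent back to the
    original source."""
    icmp = struct.pack("!BBHHH", ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED, 0, 0, next_hop_mtu)
    icmp += orig_ip_hdr + orig_l4_hdr[:8]
    orig_src = str(ipaddress.IPv4Address(orig_ip_hdr[12:16]))
    outer = build_ipv4_header(router_ip, orig_src, PROTO_ICMP, 20 + len(icmp), df=False)
    return outer + icmp


def parse_ipv4(pkt):
    """Return (src, dst, proto, payload) of an IPv4 packet."""
    ihl = (pkt[0] & 0x0F) * 4
    src = str(ipaddress.IPv4Address(pkt[12:16]))
    dst = str(ipaddress.IPv4Address(pkt[16:20]))
    return src, dst, pkt[9], pkt[ihl:]


def five_tuple(pkt):
    """(proto, src, sport, dst, dport); ports are 0 for non-TCP."""
    src, dst, proto, payload = parse_ipv4(pkt)
    if proto == PROTO_TCP and len(payload) >= 4:
        sport, dport = struct.unpack("!HH", payload[:4])
        return (proto, src, sport, dst, dport)
    return (proto, src, 0, dst, 0)


def reverse(t):
    proto, src, sport, dst, dport = t
    return (proto, dst, dport, src, sport)


def embedded_flow(pkt):
    """For an ICMP destination-unreachable packet, the 5-tuple of the
    original datagram quoted inside it; None for anything else."""
    _, _, proto, payload = parse_ipv4(pkt)
    if proto != PROTO_ICMP or payload[0] != ICMP_DEST_UNREACH:
        return None
    return five_tuple(payload[8:])          # skip the 8-byte ICMP header


def frag_needed_mtu(pkt):
    """Next-hop MTU advertised by a type 3 code 4 error (0 if not one)."""
    _, _, proto, payload = parse_ipv4(pkt)
    if proto != PROTO_ICMP or payload[0] != ICMP_DEST_UNREACH or payload[1] != ICMP_FRAG_NEEDED:
        return 0
    return struct.unpack("!H", payload[6:8])[0]


def in_session(sessions, t):
    """Sessions are stored in the initiator's direction; accept either direction."""
    return t in sessions or reverse(t) in sessions


def inspector_verdict(sessions, pkt):
    """('pass', reason) or ('drop', reason) for one packet."""
    if in_session(sessions, five_tuple(pkt)):
        return ("pass", "outer tuple matches a session")
    inner = embedded_flow(pkt)
    if inner is not None and in_session(sessions, inner):
        return ("pass", "ICMP error relates to an established session")
    return ("drop", "no matching session")


def demo():
    # Constructed session: inside host 10.0.0.5:40000 -> 203.0.113.10:443.
    sessions = {(PROTO_TCP, "10.0.0.5", 40000, "203.0.113.10", 443)}
    # A 1500-byte DF segment of that flow hits a 1400-byte link; the router
    # 198.51.100.1 answers the sender with type 3 code 4.
    orig_ip = build_ipv4_header("10.0.0.5", "203.0.113.10", PROTO_TCP, 1500)
    err = build_frag_needed("198.51.100.1", orig_ip, build_tcp_header(40000, 443), 1400)
    # Same error shape, but quoting a flow that was never established.
    bogus_ip = build_ipv4_header("10.0.0.5", "192.0.2.9", PROTO_TCP, 1500)
    bogus = build_frag_needed("198.51.100.1", bogus_ip, build_tcp_header(40000, 22), 1400)
    return {
        "naive_outer_match": in_session(sessions, five_tuple(err)),  # False: outer tuple is ICMP router->host
        "verdict": inspector_verdict(sessions, err),                  # ('pass', ...)
        "bogus": inspector_verdict(sessions, bogus),                  # ('drop', ...)
        "mtu": frag_needed_mtu(err),                                  # 1400
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The point the example makes for the thread: the outer header of the error is ICMP from the router to the inside host, which is a tuple no session ever created, so a naive match drops it and TCP stalls exactly as described; the correlation has to be done on the quoted header, and doing it that way also keeps unsolicited or spoofed errors out instead of simply passing all ICMP.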