Hello World,
I'm having another weird issue. I'm running SFVH (SFOS 18.0.1 MR-1-Build396).
I am able to ping from behind another Layer 3 device that is hanging off the switch connected to the internal interface of the firewall. However, I'm unable to ping from the devices that are directly connected behind the Sophos firewall that are plugged into the same switch.
I'm getting the following error messages in Sophos: "Invalid Traffic - Denied - ICMP packets with invalid ICMP type/code."
So I checked the following which should allow this traffic.
console> show advanced-firewall
Strict Policy : on
FtpBounce Prevention : control
Tcp Conn. Establishment Idle Timeout : 10800
UDP Timeout :
UDP Timeout Stream : 60
Fragmented Traffic Policy : allow
Midstream Connection Pickup : off
TCP Seq Checking : on
TCP Window Scaling : on
TCP Appropriate Byte Count : off
TCP Selective Acknowledgements : on
TCP Forward RTO-Recovery[F-RTO] : off
TCP TIMESTAMPS : off
Strict ICMP Tracking : off
ICMP Error Message : allow
IPv6 Unknown Extension Header : deny
As you can see, I have set ICMP error message to "ALLOW".
Not sure why the pings are failing.
See the packet capture below showing the pings allowed one way but rejected the other.
The failures (I never see the request, and Wireshark shows NO RESPONSE FOUND!):
14:16:18.897165 Port1, IN: 34:e5:ec:fc:9d:10 > 00:1b:21:3a:e3:ac, ethertype IPv4 (0x0800), length 74: 10.1.1.5 > 10.1.1.13: ICMP echo reply, id 1, seq 13060, length 40
14:16:23.896578 Port1, IN: 34:e5:ec:fc:9d:10 > 00:1b:21:3a:e3:ac, ethertype IPv4 (0x0800), length 74: 10.1.1.5 > 10.1.1.13: ICMP echo reply, id 1, seq 13061, length 40
14:16:28.896844 Port1, IN: 34:e5:ec:fc:9d:10 > 00:1b:21:3a:e3:ac, ethertype IPv4 (0x0800), length 74: 10.1.1.5 > 10.1.1.13: ICMP echo reply, id 1, seq 13062, length 40
14:16:33.897164 Port1, IN: 34:e5:ec:fc:9d:10 > 00:1b:21:3a:e3:ac, ethertype IPv4 (0x0800), length 74: 10.1.1.5 > 10.1.1.13: ICMP echo reply, id 1, seq 13063, length 40
14:16:38.897510 Port1, IN: 34:e5:ec:fc:9d:10 > 00:1b:21:3a:e3:ac, ethertype IPv4 (0x0800), length 74: 10.1.1.5 > 10.1.1.13: ICMP echo reply, id 1, seq 13064, length 40
14:16:43.896858 Port1, IN: 34:e5:ec:fc:9d:10 > 00:1b:21:3a:e3:ac, ethertype IPv4 (0x0800), length 74: 10.1.1.5 > 10.1.1.13: ICMP echo reply, id 1, seq 13065, length 40
14:16:48.896997 Port1, IN: 34:e5:ec:fc:9d:10 > 00:1b:21:3a:e3:ac, ethertype IPv4 (0x0800), length 74: 10.1.1.5 > 10.1.1.13: ICMP echo reply, id 1, seq 13066, length 40
14:16:53.930391 Port1, IN: 34:e5:ec:fc:9d:10 > 00:1b:21:3a:e3:ac, ethertype IPv4 (0x0800), length 74: 10.1.1.5 > 10.1.1.13: ICMP echo reply, id 1, seq 13067, length 40
14:16:58.897004 Port1, IN: 34:e5:ec:fc:9d:10 > 00:1b:21:3a:e3:ac, ethertype IPv4 (0x0800), length 74: 10.1.1.5 > 10.1.1.13: ICMP echo reply, id 1, seq 13068, length 40
Working from the opposite direction
14:17:43.451644 Port1, IN: 34:e5:ec:fc:9d:10 > 00:1b:21:3a:e3:ac, ethertype IPv4 (0x0800), length 98: 10.1.1.5 > 10.1.1.13: ICMP echo request, id 1036, seq 4, length 64
14:17:43.451670 Port1, OUT: 00:1b:21:3a:e3:ac > 34:e5:ec:fc:9d:10, ethertype IPv4 (0x0800), length 126: 10.1.1.1 > 10.1.1.5: ICMP redirect 10.1.1.13 to host 10.1.1.13, length 92
14:17:43.451785 Port1, OUT: 00:1b:21:3a:e3:ac > 08:62:66:2d:89:b7, ethertype IPv4 (0x0800), length 98: 10.1.1.5 > 10.1.1.13: ICMP echo request, id 1036, seq 4, length 64
14:17:44.461738 Port1, IN: 34:e5:ec:fc:9d:10 > 00:1b:21:3a:e3:ac, ethertype IPv4 (0x0800), length 98: 10.1.1.5 > 10.1.1.13: ICMP echo request, id 1036, seq 5, length 64
14:17:44.461767 Port1, OUT: 00:1b:21:3a:e3:ac > 08:62:66:2d:89:b7, ethertype IPv4 (0x0800), length 98: 10.1.1.5 > 10.1.1.13: ICMP echo request, id 1036, seq 5, length 64
14:17:45.471596 Port1, IN: 34:e5:ec:fc:9d:10 > 00:1b:21:3a:e3:ac, ethertype IPv4 (0x0800), length 98: 10.1.1.5 > 10.1.1.13: ICMP echo request, id 1036, seq 6, length 64
14:17:45.471617 Port1, OUT: 00:1b:21:3a:e3:ac > 08:62:66:2d:89:b7, ethertype IPv4 (0x0800), length 98: 10.1.1.5 > 10.1.1.13: ICMP echo request, id 1036, seq 6, length 64
ANY HELP IS GREATLY APPRECIATED.
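Added example (not from the thread or from Sophos): a short Python script that runs the tcpdump-style lines above through the same stateful check a firewall applies to ICMP echo traffic, flagging replies for which no request was ever seen. The capture lines are copied from the post except the last one, which is a constructed reply so that one matched pair appears.

```python
import re

# Constructed sample in the tcpdump format shown in the post. The first four
# lines are copied from the thread; the last line is an invented reply that
# answers the copied request, so that one matched pair is present.
CAPTURE = """\
14:16:18.897165 Port1, IN: 34:e5:ec:fc:9d:10 > 00:1b:21:3a:e3:ac, ethertype IPv4 (0x0800), length 74: 10.1.1.5 > 10.1.1.13: ICMP echo reply, id 1, seq 13060, length 40
14:16:23.896578 Port1, IN: 34:e5:ec:fc:9d:10 > 00:1b:21:3a:e3:ac, ethertype IPv4 (0x0800), length 74: 10.1.1.5 > 10.1.1.13: ICMP echo reply, id 1, seq 13061, length 40
14:17:43.451644 Port1, IN: 34:e5:ec:fc:9d:10 > 00:1b:21:3a:e3:ac, ethertype IPv4 (0x0800), length 98: 10.1.1.5 > 10.1.1.13: ICMP echo request, id 1036, seq 4, length 64
14:17:43.451670 Port1, OUT: 00:1b:21:3a:e3:ac > 34:e5:ec:fc:9d:10, ethertype IPv4 (0x0800), length 126: 10.1.1.1 > 10.1.1.5: ICMP redirect 10.1.1.13 to host 10.1.1.13, length 92
14:17:43.452900 Port1, IN: 08:62:66:2d:89:b7 > 00:1b:21:3a:e3:ac, ethertype IPv4 (0x0800), length 98: 10.1.1.13 > 10.1.1.5: ICMP echo reply, id 1036, seq 4, length 64
"""

# One tcpdump line for an ICMP echo request/reply; other lines (for example
# the ICMP redirect) do not match and are skipped.
ECHO_RE = re.compile(
    r"^(?P<ts>\S+) (?P<iface>\S+), (?P<dir>IN|OUT): .*?: "
    r"(?P<src>[\d.]+) > (?P<dst>[\d.]+): ICMP echo (?P<kind>request|reply), "
    r"id (?P<id>\d+), seq (?P<seq>\d+), length \d+$"
)


def classify_echo_replies(capture_text):
    """Split echo replies into (matched, orphaned).

    Mimics the stateful check a firewall applies: a reply is only valid if the
    firewall previously saw the matching request (same id/seq, addresses
    reversed). An orphaned reply is the "invalid ICMP" case: the request took
    a path that bypassed the firewall, so no state entry exists for it.
    """
    expected = set()
    matched, orphaned = [], []
    for line in capture_text.splitlines():
        m = ECHO_RE.match(line)
        if not m:
            continue
        p = m.groupdict()
        if p["kind"] == "request":
            # State entry: the reply must come from dst back to src, same id/seq.
            expected.add((p["dst"], p["src"], p["id"], p["seq"]))
        else:
            key = (p["src"], p["dst"], p["id"], p["seq"])
            desc = f'{p["ts"]} {p["src"]} > {p["dst"]} id={p["id"]} seq={p["seq"]}'
            (matched if key in expected else orphaned).append(desc)
    return matched, orphaned


if __name__ == "__main__":
    ok, bad = classify_echo_replies(CAPTURE)
    print("matched replies (request was seen):", *ok, sep="\n  ")
    print("orphaned replies (a stateful firewall logs these as invalid):", *bad, sep="\n  ")
```

On the thread's own capture every reply from 10.1.1.5 comes out orphaned, which is consistent with the request having reached 10.1.1.5 over the switch without ever passing the firewall.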
Hi BobbyDigital,
Thank you for reaching out to the Community!
I would advise you to take a packet capture on the firewall with the source IP address and provide the screenshot.
Sophos XG Firewall: How to monitor traffic using packet capture utility in the GUI
Thanks,
Ethernet header
  Source MAC address: 34:e5:ec:fc:9d:10
  Destination MAC address: 00:1b:21:3a:e3:ac
  Ethernet type: IPv4 (0x800)
IPv4 header
  Source IP address: 10.1.1.5
  Destination IP address: 10.1.1.13
  Protocol: ICMP
  Header: 20 Bytes
  Type of service: 0
  Total length: 60 Bytes
  Identification: 15487
  Fragment offset: 0
  Time to live: 64
  Checksum: 10287
ICMP header
  Type: 0
  Code: 0
  Echo ID: 1
  Echo sequence: 13438
  Gateway: 0
  Fragmentation MTU: 0
  Checksum: 8413
I'm just going to update this post because I figured out how to fix my own issue. I put in a bypass for the non-working traffic.
Again, thanks for all responses.