This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

ICMP packets with invalid ICMP type/code

MMASLOUH over 4 years ago

Hello,

im trying to connect two data centers on different sites via Lan to lan network, each site has its own XG 230 device.

This is my VMware lab setup.

Diagram4-v-Mware hosted at ImgBB

ImgBB

Image Diagram4-v-Mware hosted in ImgBB

The ping from 192.168.1.1 to 192.168.2.11 works well, but the ping from 192.168.2.11 to 192.168.1.1 blocked from the XG 192.168.1.254.

I got "ICMP packets with invalid ICMP type/code" error in console.

Test 1 : Ping 192.168.1.1 to 192.168.2.11 ( Test OK ):

XG1-1 hosted at ImgBB

ImgBB

Image XG1-1 hosted in ImgBB

XG1-2 hosted at ImgBB

ImgBB

Image XG1-2 hosted in ImgBB

Test 2 : Ping 192.168.2.11 to 192.168.1.1 ( Test Failed ):

XG2-1 hosted at ImgBB

ImgBB

Image XG2-1 hosted in ImgBB

XG2-2 hosted at ImgBB

ImgBB

Image XG2-2 hosted in ImgBB

Results from Sophos XG A:

Screenshot-2021-04-18-https-192-168-219-120 hosted at ImgBB

ImgBB

Image Screenshot-2021-04-18-https-192-168-219-120 hosted in ImgBB

This thread was automatically locked due to age.

Top Replies

LuCar Toni over 4 years ago in reply to MMASLOUH +2

Thats a typical Network issue. There is nothing wrong about the XG. The Client sends its request to the default gateway. The default Gateway is not the responsible router for this. And as the device needs…

0 rfcat_vk over 4 years ago

Hi,

have you enabled ping on both interfaces? Does you rule allow ping (icmp)?
ian

XGS118 - v21.5.0

XG115 converted to software licence v21.5.0

If a post solves your question please use the 'Verify Answer' button.
- 0 MMASLOUH over 4 years ago in reply to rfcat_vk
  
  Hi rfcat_vk
  
  Ping is enable in lab on both devices.
0 LuCar Toni over 4 years ago

Why does your Switch route the traffic via step4? Am i missing something? The XG on the right site will not loop this packet back, as it would cause asymmetrical routing.

__________________________________________________________________________________________________________________
- 0 MMASLOUH over 4 years ago in reply to LuCar Toni
  
  Hi Lucar,
  
  Please check my real lab picture. i have updated the poste.
  
  Thanks.
- 0 MMASLOUH over 4 years ago in reply to LuCar Toni
  
  Ping 192.168.2.11 -> 192.168.2.254 : OK
  
  Ping 192.168.2.11 -> 192.168.1.253 : OK
  
  Ping 192.168.2.11 -> 192.168.1.254 : OK
  
  Ping 192.168.2.11 -> 192.168.1.1 : Failed ( the replay from 192.168.1.1 received by XG VM A and blocked )
  
  ping 192.168.1.1 -> 192.168.1.254 : OK
  
  ping 192.168.1.1 -> 192.168.1.253 : OK
  
  ping 192.168.1.1 -> 192.168.2.254 : OK
  
  ping 192.168.1.1 -> 192.168.2.11 : OK ( Host 192.168.1.1 send ICMP Request to its GW (192.168.1.254), the gateway forward the ICMP request to XG B (192.168.1.253) based on the static route. The host 192.168.2.11 send the replay via it's gateway (192.168.2.254), the host 192.168.1.1 receive the replay directly from XG B (192.168.1.253)).
0 MMASLOUH over 4 years ago

Hi,

When i was checking the multicast forwarding option, i enabled this option for 2 minutes but nothing happens.

After disabling the multicast forwarding on both XG or just in XG VM (A), the host (192.168.2.11) has reached the host (192.168.1.1).

but if i tried to ping to another host in 192.168.1.0 network from 192.168.2.0 network, it fail again.

i have to enable and disable the multicast forwarding on both XG VMs every time.

XG VM (A) stop drop the ICMP Replay.
- 0 LuCar Toni over 4 years ago in reply to MMASLOUH
  
  Thats a typical Network issue. There is nothing wrong about the XG. The Client sends its request to the default gateway. The default Gateway is not the responsible router for this. And as the device needs to reroute this again to the same network, it will fail. You could resolve this by activating NAT(SNAT) on XG1. This will resolve this, as XG1 will nat the traffic via 253. Hence the client will answer to 253 and it will work. The back route is not possible. Thats not resolvable by multicast.
  
  __________________________________________________________________________________________________________________
  - 0 MMASLOUH over 4 years ago in reply to LuCar Toni
    
    Hello LuCar Toni
    
    But why the ping from host 192.168.1.1 to host 192.168.2.11 goes well, the host send the icmp requests to the gateway XG A and the XG A route the traffic on the same network to XG B who forward the packets to host 192.168.2.11.
  - 0 LuCar Toni over 4 years ago in reply to MMASLOUH
    
    You should not mix "working" vs "allowed".
    
    ICMP is a stateless protocol. The packet could be allowed and send back by the client directly.
    
    You need to perform the tcpdump, likely it will proof my point.
    
    __________________________________________________________________________________________________________________
  - 0 MMASLOUH over 4 years ago in reply to LuCar Toni
    
    i'm sorry i didn't get your point.
    
    This is the tcpdump of a successful ping from 192.168.1.1 to 192.168.2.11. but if i send a ping from 192.168.2.11 to 192.168.1.1 the XG A drop the host 192.168.1.1 ICMP replays.
    
    So, i'm still trying to understand why XG A reroute host 192.168.1.1 ICMP requests to XG B, but when i reverse the ping it drop the icmp replays of host 192.168.1.1 instead of reroute them to XG B.
    
    ##
    
    PING 192.168.1.1 -> 192.168.2.11 (OK)
    
    #
    Host 192.168.1.1 ==(ICMP Request)==> 192.168.1.254(XG A) ==(route to XG B) ==> 192.168.1.253 ====> Host 192.168.2.11
    
    Host 192.168.2.11 ==(ICMP Replay)==> 192.168.1.253 ====> Host 192.168.1.1
    
    ##
    
    PING 192.168.2.11 -> 192.168.1.1 (Fail)
    
    #
    
    Host 192.168.2.11 ==(ICMP Reques)==> (192.168.2.254 / 192.168.1.253) ====> Host 192.168.1.1
    
    Host 192.168.1.1 ==(ICMP Replay)==> 192.168.1.254(XG A) ====> Drop
    
    ##
    
    Thanks for your time.
  - 0 LuCar Toni over 4 years ago in reply to MMASLOUH
    
    You dont see the issue in your Setup?
    
    The XG B sends the ICMP Reply directly to the Client. Thats a big no no for networker.
    
    It causes a big issue with your setup in the long run. For a stateless protocol like ping, this is not a problem. As the Client simply does not care, that the packets a coming from someone completely different. But TCP protocols will likely see problems.
    
    To get this working, you need to MASQ on XGA.
    
    __________________________________________________________________________________________________________________
  - 0 MMASLOUH over 4 years ago in reply to LuCar Toni
    
    but ICMP and TCP only care about IP Addresses, and i don't see the problem with the Ethernet header change, because the packed kept the source and the destination IPs.
    
    i will be okay with you if you said that you can't reroute incoming and outgoing packet on the same interface. But it's work well when i send ping from 192.168.1.1 to 192.168.2.11, the XG A reroute the icmp request on same interface to XG B.
  - 0 LuCar Toni over 4 years ago in reply to MMASLOUH
    
    You can start to force XG to forward this traffic but i guess, you will run into more and more issues later. Never was this setup a good idea in the first place. https://networkguy.de/the-problems-with-asynchronous-routing/
    
    SD-WAN PBR can be applied to this traffic to route this never the less.
    
    BTW: The better is to activate MASQ on both XGs, which masq the traffic, which result in a healthy flow.
    
    BTW:
    
    __________________________________________________________________________________________________________________
  - 0 MMASLOUH over 4 years ago in reply to LuCar Toni
    
    Now i get it
    
    I will try with MASQ.
    
    thank you LuCar Toni