
icmp port unreachable

dfridman
Level 1

Hi, I have one Catalyst 6509 with 2 supervisors and 2 MSFC cards.

I have a problem with my Citrix farm: when I configure IP HELPER to a direct address that doesn't respond to UDP port 1604 (the broadcast that Citrix works with), like "IP-HELPER 10.10.40.20", I get this announcement in my sniffer:

"ICMP PORT UNREACHABLE" from this address when I use Citrix.

Only when I open IP HELPER to a network, like "IP-HELPER 10.10.255.255", do I not get those ICMP messages, and Citrix works OK.

My question is: how can I use IP helper to a direct address without getting those ICMP messages? With those messages the Citrix farm does not work OK.

Or how can I use Citrix with those IP HELPERS to a directed address?

Thank you for your help,

david.

10 Replies 10

rjackson
Level 5

Sounds like you had the wrong ip address in the helper statements. The unreachable message is coming from a host saying it does not support that port. Is it coming from 10.10.40.20? When you use 10.10.255.255 what host is answering the udp requests?

Hi, I know the address 10.10.40.20 is not listening on UDP port 1604 of Citrix, but I need it for other services because it is my W2K-DOMAIN-CONTROLLER. The address that answers to the IP-HELPER 10.10.255.255 is the address 10.4.1.50, which is in the same VLAN as the Citrix farm.

When I use the directed IP helper command, I get those ICMP messages from the ones that I configure in the IP helper command.

I need the directed IP helper command so the Citrix farm will get all the services from 10.10.40.20, but I don't want to open broadcast to all the subnet of 10.10.255.255.

Thank you for your time,

david.

bazauas
Level 1

The UDP destination port must be for TFTP, Domain Name System (DNS), Time, NetBIOS, ND, BOOTP or DHCP packet, or a UDP port specified by the ip forward-protocol udp global configuration command.

You get ICMP port unreachables when the port you are trying to access is not available.

Are you sure that 10.10.40.20 is listening on the right UDP ports?

BB.

The address 10.10.40.20 is not listening on the right UDP port of Citrix (1604), but I need the IP-HELPER to this address because it's my W2K-DOMAIN-CONTROLLER, and the VLAN where the Citrix servers are needs the domain controller for other services.

The problem is that the domain controller (10.10.40.20) answers the UDP-PORT-1604-BROADCAST of the Citrix farm with ICMP-PORT-UNREACHABLE, and it's JAMMING all the Citrix farm.

If I put the IP-HELPER 10.10.255.255, it is working OK; the station that needs to answer the UDP 1604 is answering. But I don't want to put this configuration, I prefer the directed IP-HELPER.

So I need a way to block those messages from 10.10.40.20.

Thank you for your time,

david.

Try the global configuration command "no ip forward-protocol udp 1604" to constrain the router from forwarding UDP 1604 via helper-address commands.

The problem is that I need the router to forward UDP port 1604 for other Citrix applications in other VLANs.

I know I can block it with access lists, but I don't want to use them.

You state you have to have this Win2k domain controller in as a helper address, so we can't remove it. You state you don't want to send helper-address to the broadcast address of that server's subnet, which would work around the problem, since a server won't respond with a port-unreachable if the datagram is addressed to the broadcast address. You can't stop the router from forwarding datagrams on port 1604, because you're using that functionality. So, you want to block only return ICMP unreachable responses from the server, but you don't want to use an ACL, which would be the tool for that job.

The sum of it is that you've ruled out all potential ways to address the problem. One of your requirements is probably going to have to bend a little.

I used the ACL to block the ICMP unreachable response from the server, and I activated the helper-address to the server. It is working without any problems.

Have you ever encountered this kind of problem?

These are the events of our failure:

Originally the Citrix farm was in our main VLAN, and one of the actions we took before we knew what was causing the problem was to transfer the Citrix farm to a different VLAN. I opened 5 IP helper-addresses in the main VLAN (before the transfer) directed to 5 servers, and that caused the problem.

When we tested the farm on a different VLAN, we saw that the farm was working OK, just until we added the IP HELPER-ADDRESS command to specific servers on the new VLAN.

Thank you for your time,

david.
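An added illustration of the approach the thread settles on (directed helper address plus an ACL that drops only the server's ICMP port-unreachable replies); it is not configuration posted by any participant. The interface names `Vlan10` and `Vlan40` and the ACL number 110 are assumptions, while the addresses and UDP port 1604 are the ones quoted above.

```cisco
! Added example. Vlan10, Vlan40 and ACL number 110 are assumed names;
! 10.10.40.20 and UDP 1604 are the values quoted in the thread.
!
! Global: allow UDP 1604 broadcasts to be relayed through helper addresses.
ip forward-protocol udp 1604
!
! Citrix VLAN (assumed Vlan10): broadcasts received here are relayed
! as unicast datagrams to the domain controller.
interface Vlan10
 ip helper-address 10.10.40.20
!
! Drop only ICMP port-unreachable sourced from the domain controller.
! Every other packet, including other ICMP types from the same host,
! is still permitted.
access-list 110 deny   icmp host 10.10.40.20 any port-unreachable
access-list 110 permit ip any any
!
! Server VLAN (assumed Vlan40, the side 10.10.40.20 sits on):
! filter as the replies enter the router.
interface Vlan40
 ip access-group 110 in
!
! Check from exec mode: the match counter on the deny entry should
! increase while Citrix clients are browsing.
!   show access-lists 110
```

An extended ACL cannot match the UDP port carried inside the ICMP payload, so this entry drops every port-unreachable from 10.10.40.20 that crosses the interface, including replies to UDP traceroute probes aimed at that host.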

azharsoomro
Level 1

Hi:

Please check that you have the ip forward-protocol udp command as well, as you need this command with the ip-helper address command as well.

Thanks

Azhar

Hi,

I have the IP FORWARD-PROTOCOL UDP 1604 command to forward the udp 1604 port across the router with the IP HELPER command.

david.
