
too many ICMP Unreachable/exceeded

Hi there,

I have a problem here with a PIX 506E, and my network has been slow to death these 3 days. When I terminal monitor it (debugging mode), I saw there were a lot of ICMP unreachable and exceeded coming from unknown IPs, over 30 different IPs detected. But that is supposed to be informational IDS, right? Not that kind of attack. Any possible cause of this problem?

Thanks

Accepted Solutions

Re: too many ICMP Unreachable/exceeded

Hello, there can be many reasons.

Are you sure there is no worm in your network?

ICMP unreachable means that you sent an IP packet to a machine that does not have the TCP/UDP port open. That can be the result of a worm scanning IP ranges for vulnerabilities and internet hosts answering.

ICMP time exceeded can occur after a traceroute or because of IP routing loops. There is nothing you can do about loops in the internet.

Hope this helps! Please rate all posts.

Regards, Martin


Re: too many ICMP Unreachable/exceeded

Hi,

Thanks for your reply.

I have 5 VPN connections to our main office here (PIX-to-PIX). Suppose one of the PCs at the remote site is infected by a worm; can the worm do that type of pinging to our main firewall here?

Re: too many ICMP Unreachable/exceeded

It could be the case. Based on the information given it is only one option of several. It could be normal internet traffic and mere coincidence that you have performance problems.

Can you check the remote PCs? Is the traffic in question originated through the tunnel? Are the IPs in the internet or in RFC 1918 IP address space?

Regards, Martin
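
Added example, not part of the original thread and not Cisco code: a triage of the two questions raised above, namely which ICMP error types are arriving and whether the addresses involved are on the internet or in RFC 1918 space. The log format, the sample lines and the function names are constructed for illustration and are not PIX debug output.

```python
import ipaddress
import re
from collections import defaultdict

# The three private blocks defined by RFC 1918.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ICMP_NAMES = {3: "unreachable", 11: "time-exceeded"}

# Constructed sample in a simplified format (assumption: not real PIX output).
# 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges standing in for internet hosts.
SAMPLE = """\
icmp src=203.0.113.10 dst=192.168.1.25 type=3 code=3
icmp src=203.0.113.77 dst=192.168.1.25 type=3 code=1
icmp src=198.51.100.4 dst=192.168.1.25 type=3 code=3
icmp src=198.51.100.9 dst=192.168.1.25 type=11 code=0
icmp src=10.20.0.5 dst=192.168.1.40 type=3 code=3
icmp src=203.0.113.10 dst=192.168.1.25 type=3 code=3
icmp src=192.168.1.40 dst=192.168.1.1 type=8 code=0
"""
LINE = re.compile(r"icmp src=(\S+) dst=(\S+) type=(\d+) code=(\d+)")

def address_space(ip):
    addr = ipaddress.ip_address(ip)  # raises ValueError on a malformed address
    return "rfc1918" if any(addr in net for net in RFC1918) else "public"

def triage(log_text, min_sources=3):
    # An ICMP error goes back to whoever sent the original packet, so a
    # receiver with errors from many distinct sources is the host to inspect.
    per_dst = defaultdict(lambda: {"sources": set(), "types": defaultdict(int)})
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m or int(m.group(3)) not in ICMP_NAMES:
            continue  # skip unparsable lines and non-error ICMP such as echo
        src, dst, icmp_type = m.group(1), m.group(2), int(m.group(3))
        per_dst[dst]["sources"].add((src, address_space(src)))
        per_dst[dst]["types"][ICMP_NAMES[icmp_type]] += 1
    report = {}
    for dst, info in per_dst.items():
        report[dst] = {
            "space": address_space(dst),
            "counts": dict(info["types"]),
            "public_sources": sorted(s for s, sp in info["sources"] if sp == "public"),
            "private_sources": sorted(s for s, sp in info["sources"] if sp == "rfc1918"),
            "inspect": len(info["sources"]) >= min_sources,
        }
    return report

if __name__ == "__main__":
    for host, row in triage(SAMPLE).items():
        print(host, row)
```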


Re: too many ICMP Unreachable/exceeded

Hello Martin,

I notice that some of the IPs are coming from the VPN tunnel (show isakmp sa), but the weird thing is, the pinging is using a public IP. And yes, it's RFC 1918 address space (Malaysia range IP). Thanks for your valuable info.
