Ping replies being dropped after 7.4.1 Upgrade [message #97271]
Thu, 27 December 2012 17:19
bryancoley
Messages: 2 Registered: December 2012 Location: London
Hi there,
Since upgrading all 7 of my Kerio Controls to version 7.4.1 Build 5051, I am getting ping timeouts to all devices at remote offices. I only get a response if I RDP onto the box: I get a reply whilst connected via RDP and then, a few minutes after disconnecting, I lose connection again.
After going through the debug logs, the request seems to be fine going to the remote client, but then this is dropped on the far end Kerio with the following - {pktdrop} packet dropped: Incorrect ICMP echo reply direction (from Bxxx PWAN, proto:ICMP, len:60, 126.4.0.4 -> 192.168.150.150, type:0 code:0)
I have separate ADSL routers at each site with their respective addresses ending in .7 - I am able to partially get around this by adding static routes to the Windows devices to use the local ADSL router as a gateway for traffic to the remote site. This only works for the Windows devices and will not work for the printers etc. on my network.
This used to work fine before upgrading my 7 Kerio boxes, so I am not sure what else I can try. Does anyone have any ideas? Apparently Kerio has tied down the security on ICMP traffic in their last update.
[Updated on: Thu, 27 December 2012 17:33]
Re: Ping replies being dropped after 7.4.1 Upgrade [message #101753 is a reply to message #97271]
Mon, 22 April 2013 05:12
mlee (Kerio)
Messages: 211 Registered: October 2012 Location: Sydney
Hello,
Bryan contacted tech support and the issue was resolved.
Please turn on "Packet dropped for some reason" in the debug log and post anything unusual. If the issue is similar, you should be able to see entries related to "3-way handshake".
Please post what you see, thanks.
PTSD. BP. OCD. ASPD. BPD. Certified.
Re: Ping replies being dropped after 7.4.1 Upgrade [message #101758 is a reply to message #101753]
Mon, 22 April 2013 08:18
paja
Messages: 9 Registered: April 2013
[22/Apr/2013 08:00:25] {pktdrop} packet dropped: Incorrect ICMP echo reply direction (from LAN 1 - local traffic, proto:ICMP, len:60, 192.168.1.26 -> 10.250.35.83, type:0 code:0)
It corresponds exactly to what I tracked down via tcpdump. The "Echo request" is coming from the source station via 192.168.1.10 to the target station 192.168.1.26, which replies via its default route to the Kerio GW 192.168.1.1, which has to route the packet back to 192.168.1.10, but due to the packet drop it never happens. This behaviour is valid just for ICMP traffic; TCP is working correctly. 3way handshake in the winroute.cfg file is set to "0".
When I try to ping the remote station from 192.168.1.26, the routing local cache is updated and pings start to work temporarily.
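The {pktdrop} lines quoted in the posts above can be tallied per interface and address pair to see which hosts are hit by the echo-reply direction check before touching RequireIcmpFlowControl. This is an added example, not part of any post and not Kerio's own tooling; the field layout is assumed from the two lines quoted in this thread, and the function names and sample log are constructed.

```python
import re
from collections import Counter

# Field layout assumed from the two {pktdrop} lines quoted in this thread;
# other debug-log line formats are not handled.
PKTDROP = re.compile(
    r"^(?:\[(?P<ts>[^\]]+)\]\s+)?\{pktdrop\} packet dropped: (?P<reason>.+?) "
    r"\(from (?P<iface>.+?), proto:(?P<proto>\w+), len:(?P<len>\d+), "
    r"(?P<src>[\d.]+) -> (?P<dst>[\d.]+), type:(?P<type>\d+) code:(?P<code>\d+)\)\s*$"
)
ECHO_REPLY_REASON = "Incorrect ICMP echo reply direction"

# Constructed sample: the two lines from the thread, a repeat with a made-up
# timestamp, and one made-up line that is not a pktdrop entry.
SAMPLE_LOG = """\
[22/Apr/2013 08:00:25] {pktdrop} packet dropped: Incorrect ICMP echo reply direction (from LAN 1 - local traffic, proto:ICMP, len:60, 192.168.1.26 -> 10.250.35.83, type:0 code:0)
[22/Apr/2013 08:00:26] {pktdrop} packet dropped: Incorrect ICMP echo reply direction (from LAN 1 - local traffic, proto:ICMP, len:60, 192.168.1.26 -> 10.250.35.83, type:0 code:0)
{pktdrop} packet dropped: Incorrect ICMP echo reply direction (from Bxxx PWAN, proto:ICMP, len:60, 126.4.0.4 -> 192.168.150.150, type:0 code:0)
[22/Apr/2013 08:00:27] {other} constructed line that is not a pktdrop entry
"""

def parse_pktdrop(line):
    """Return the fields of one {pktdrop} line as a dict, or None if it does not match."""
    m = PKTDROP.match(line.strip())
    return m.groupdict() if m else None

def misdirected_echo_replies(log_text):
    """Count dropped echo replies (ICMP type 0) per (interface, replying host, pinging host)."""
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_pktdrop(line)
        if rec and rec["reason"] == ECHO_REPLY_REASON and rec["type"] == "0":
            hits[(rec["iface"], rec["src"], rec["dst"])] += 1
    return hits

if __name__ == "__main__":
    # One row per path: a reply that entered on an interface the firewall
    # never saw the matching request on points at an asymmetric route.
    for (iface, src, dst), n in misdirected_echo_replies(SAMPLE_LOG).most_common():
        print(f"{n:3d}  {src} -> {dst}  (from {iface})")
```

Each row names a replying host whose echo reply reached the firewall without the matching request having passed through it, which is the asymmetric path described in the posts above.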
Re: Ping replies being dropped after 7.4.1 Upgrade [message #101835 is a reply to message #97271]
Tue, 23 April 2013 14:34
bryancoley
Messages: 2 Registered: December 2012 Location: London
Hi All,
Luckily there is a very easy fix for this. It took a while, but the option to disable the ICMP reply issue was only addressed in version 8.0.0.
I have done this on 9 of my boxes and it is working fine.
1. Export the configuration of your Control(s).
2. Extract the zip file and edit the winroute.cfg file (I recommend using Total Commander as it can update the file inside the tar.gz).
3. Locate the following options by doing a text search for 'ICMP'.
4. These options control the packet flow through the Kerio Control. One is for TCP connections (3WayHanshake) and the other one is for ICMP (pings, for example). Change the value of RequireIcmpFlowControl to 0 in order to disable it.
5. Save the changes and update the archive.
6. Import the configuration file back to your Control Appliance / Box.
Re: Ping replies being dropped after 7.4.1 Upgrade [message #101898 is a reply to message #101897]
Wed, 24 April 2013 14:29
ajamali
Messages: 98 Registered: April 2007 Location: Syria
paja wrote on Wed, 24 April 2013 13:47:
Problem solved. Upgrade to 7.4.2 (last version for native Windows env.) and RequireIcmpFlowControl set to "0" in winroute.cfg file.
Thanks go to all helpers.

Could you please describe your problem? I just want to make sure I have the same issue before disabling RequireIcmpFlowControl.
BR,