GFI Software

Welcome to the GFI Software community forum! For support please open a ticket from https://support.gfi.com.

Home » GFI User Forums » Kerio Control » Ping replies being dropped after 7.4.1 Upgrade (Kerio not allowing remote pinging)
Ping replies being dropped after 7.4.1 Upgrade [message #97271] Thu, 27 December 2012 17:19 Go to next message
bryancoley is currently offline  bryancoley
Messages: 2
Registered: December 2012
Location: London
Hi there,
Since upgrading all 7 of my Kerio control's to version 7.4.1 Build 5051, I am getting Ping timeouts to all devices at remote offices, I only get a response if I RDP onto the box, I get a reply whilst connected via RDP and then a few minutes after disconnecting, I lose connection again.

After going through the debug logs, the request seems to be fine going to the remote client, but then this is dropped on the far end Kerio with the following - {pktdrop} packet dropped: Incorrect ICMP echo reply direction (from Bxxx PWAN, proto:ICMP, len:60, 126.4.0.4 -> 192.168.150.150, type:0 code:0)

I have separate ADSL routers at each site with their respective addresses ending in .7 - I am able to partially get around this by adding static routes to the Windows devices to use the local ADSL router as a gateway for traffic to the remote site. This only works for the Windows devices and will not work for the printers etc on my network.

This uses to work fine before upgrading my 7 Kerio boxes, so am not sure what else I can try. Does anyone have any ideas as apparently Kerio has tied down the security on ICMP traffic on their last update.

[Updated on: Thu, 27 December 2012 17:33]

Report message to a moderator

Re: Ping replies being dropped after 7.4.1 Upgrade [message #101722 is a reply to message #97271] Fri, 19 April 2013 18:19 Go to previous messageGo to next message
paja is currently offline  paja
Messages: 9
Registered: April 2013
did you find the solution for your problem? It looks I'm on the same boat, but I didnt ask for tech support yet.
Re: Ping replies being dropped after 7.4.1 Upgrade [message #101753 is a reply to message #97271] Mon, 22 April 2013 05:12 Go to previous messageGo to next message
mlee (Kerio)
Messages: 211
Registered: October 2012
Location: Sydney
Hello,

Bryan contacted tech support and the issue was resolved.

Please turn on "Packet dropped for some reason" in the debug log and post anything unusual. If the issue is similar you should be able to see entries related to "3-way handshake".

Please post what you see thanks.


PTSD. BP. OCD. ASPD. BPD. Certified.
Re: Ping replies being dropped after 7.4.1 Upgrade [message #101758 is a reply to message #101753] Mon, 22 April 2013 08:18 Go to previous messageGo to next message
paja is currently offline  paja
Messages: 9
Registered: April 2013
[22/Apr/2013 08:00:25] {pktdrop} packet dropped: Incorrect ICMP echo reply direction (from LAN 1 - local traffic, proto:ICMP, len:60, 192.168.1.26 -> 10.250.35.83, type:0 code:0)

It corresponds exactly what I tracked down via tcpdump. The "Echo request" is coming from source station via 192.168.1.10 to the target station 192.168.1.26, it replies via default route to Kerio GW 192.168.1.1, which has to route the packet back to 192.168.1.10, but due to the packet drop it never happens. This behaviour is valid just for ICMP traffic, TCP is working correctly. 3way handshake in winroute.cfg file is set to "0".
When I try to ping the remote station from 192.168.1.26, the routing local cache is updated and pings start to work temporary.
Re: Ping replies being dropped after 7.4.1 Upgrade [message #101802 is a reply to message #101758] Tue, 23 April 2013 01:04 Go to previous messageGo to next message
mlee (Kerio)
Messages: 211
Registered: October 2012
Location: Sydney
Within the same table, would you like to check the value RequireIcmpFlowControl?

If it is 1, would you please change it to 0 and restart kerio Control.

Regards,
M.


PTSD. BP. OCD. ASPD. BPD. Certified.
Re: Ping replies being dropped after 7.4.1 Upgrade [message #101811 is a reply to message #101802] Tue, 23 April 2013 08:45 Go to previous messageGo to next message
paja is currently offline  paja
Messages: 9
Registered: April 2013
I don't have this variable name inside my winroute.cfg file. Do u mean table Firewall? Should I add the variable?
Re: Ping replies being dropped after 7.4.1 Upgrade [message #101812 is a reply to message #101811] Tue, 23 April 2013 08:54 Go to previous messageGo to next message
mlee (Kerio)
Messages: 211
Registered: October 2012
Location: Sydney
Mind if I ask which version of Kerio Control are you running? And Operating System?

PTSD. BP. OCD. ASPD. BPD. Certified.
Re: Ping replies being dropped after 7.4.1 Upgrade [message #101815 is a reply to message #101812] Tue, 23 April 2013 09:08 Go to previous messageGo to next message
paja is currently offline  paja
Messages: 9
Registered: April 2013
Kerio Control 7.4.1 build 5051
Operating System Windows Server 2003
Re: Ping replies being dropped after 7.4.1 Upgrade [message #101816 is a reply to message #101815] Tue, 23 April 2013 09:26 Go to previous messageGo to next message
mlee (Kerio)
Messages: 211
Registered: October 2012
Location: Sydney
If I remember correctly ICMP Flow Control was introduced in version 8, and this version unfortunately does not support native Windows installation.

PTSD. BP. OCD. ASPD. BPD. Certified.
Re: Ping replies being dropped after 7.4.1 Upgrade [message #101819 is a reply to message #101816] Tue, 23 April 2013 09:50 Go to previous messageGo to next message
rjokl is currently offline  rjokl
Messages: 62
Registered: August 2005
7.4.2 have it too
Re: Ping replies being dropped after 7.4.1 Upgrade [message #101820 is a reply to message #101819] Tue, 23 April 2013 09:53 Go to previous messageGo to next message
paja is currently offline  paja
Messages: 9
Registered: April 2013
Thx, I'll play with it after our business hours.
Re: Ping replies being dropped after 7.4.1 Upgrade [message #101835 is a reply to message #97271] Tue, 23 April 2013 14:34 Go to previous messageGo to next message
bryancoley is currently offline  bryancoley
Messages: 2
Registered: December 2012
Location: London
Hi All,

Luckily there is a very easy fix for this. It took a whilst, but the option to disable the ICMP reply issue was only addressed in version 8.0.0

I have done this on 9 of my boxes and it is working fine.

1. Export the configuration of your Control(s)
2. Extract the zip file and edit the winroute.cfg file (I recommend to use Total Commander as it can update the file inside the tar.gz)
3. Locate following options by doing a text search for 'ICMP'
4. These options controls the packet flow through the Kerio Control. One is for TCP connections (3WayHanshake) and the other one is for ICMP (pings for example). Change value of the RequireIcmpFlowControl to 0 in order to disable it.
5. Save the changes and update the archive.
6. Import the configuration file back to your Control Appliance / Box
Re: Ping replies being dropped after 7.4.1 Upgrade [message #101849 is a reply to message #101835] Tue, 23 April 2013 16:23 Go to previous messageGo to next message
paja is currently offline  paja
Messages: 9
Registered: April 2013
Yes, but version 8.x runs only on Linux based HW or VMs. Or did I miss something?
Re: Ping replies being dropped after 7.4.1 Upgrade [message #101897 is a reply to message #101849] Wed, 24 April 2013 13:47 Go to previous messageGo to next message
paja is currently offline  paja
Messages: 9
Registered: April 2013
Problem solved. Upgrade to 7.4.2 (last version for native Windows env.) and RequireIcmpFlowControl set to "0" in winroute.cfg file
Thanks go to all helpers.
Re: Ping replies being dropped after 7.4.1 Upgrade [message #101898 is a reply to message #101897] Wed, 24 April 2013 14:29 Go to previous messageGo to previous message
ajamali is currently offline  ajamali
Messages: 98
Registered: April 2007
Location: Syria
paja wrote on Wed, 24 April 2013 13:47
Problem solved. Upgrade to 7.4.2 (last version for native Windows env.) and RequireIcmpFlowControl set to "0" in winroute.cfg file
Thanks go to all helpers.


could you please describe your problem, I just want make sure if I have same issue before disable RequireIcmpFlowControl

BR,
Previous Topic: Kerio Control Problem With CISCO 7941G IP Phone
Next Topic: Howto selectively bypass ads filter
Goto Forum:
  


Current Time: Thu Jun 08 02:46:03 CEST 2023

Total time taken to generate the page: 0.02501 seconds