Overview
This article shares the process of resolving the following error that shows in the debug logs when the 'Packets dropped for some reason' option is enabled under Filtering:
[14/Oct/2019 15:27:24] {pktdrop} packet dropped: Incorrect ICMP echo reply direction (from LAN, proto:ICMP, len:92, 192.168.0.4 -> 10.8.0.10, type:0 code:0 id:1 seq:117 ttl:128)
The debug logs may also show the following error:
[14/Oct/2019 15:25:24] {pktdrop} packet dropped: false ICMP redirect (to LAN, proto:ICMP, len:92, 10.0.17.92 -> 10.8.0.10, type:5 code:1 (redirect=10.0.0.253 orig: 10.0.17.92 -> 10.0.0.253))
Root Cause
A specific default static route of an adapter is being interpreted before any of the rules in the main routing table. This default route is intercepting, diverting, and then directing the packets towards the wrong IP address.
In other words, the rule that should have diverted the packets was never exercised. For more detailed information, run these commands from Kerio Control SSH console:
/sbin/ip rule/sbin/ip route list table all
Preconditions
Secure Shell (SSH) access to Kerio Control
Process
Follow these steps to resolve this issue:
- Log in to Kerio Control using Secure Shell (SSH).
- Navigate to the
/opt/kerio/winroutefolder using this command:cd /opt/kerio/winroute - Execute the following commands:
./tinydbclient "update Firewall set RequireIcmpFlowControl=0"
/etc/boxinit.d/60winroute restart
Note: The last command will restart the Kerio Control engine.
Confirmation
ICMP Flow direction parameter is successfully disabled in the configuration settings.
Priyanka Bhotika
Comments