Advertisement
If you have a new account but are having problems posting or verifying your account, please email us on hello@boards.ie for help. Thanks :)
Hello all! Please ensure that you are posting a new thread or question in the appropriate forum. The Feedback forum is overwhelmed with questions that are having to be moved elsewhere. If you need help to verify your account contact hello@boards.ie

Getting ICMP 3/13 (Communication administratively filtered) packets from VM Hub

Options
  • 29-03-2022 9:40pm
    #1
    cormacl
    Registered Users Posts: 360 ✭✭


    Hi Folks,

    for about a year or more now, I see ICMP packets being returned every so often from my virgin media hub 2.0 (white one). From the experience of using the broadband, it takes the form of instant connection failures to a website and a few refreshes later it might be fine.

    On closer inspection with tcpdump/wireshark, I found that when it happens, my computers/devices would issue a SYN packet to some host as part of a typical web connection request and get an instant ICMP sent to my computer from 192.0.0.1 (VM hub LAN IP) with type 3 (Destination unreachable), code 13 (Communication administratively filtered). It might work fine a few seconds later.

    I have tried lots of combinations of settings on the VM Hub advanced firewall section to disable IP flood detection and even as far as disabling the firewall entirely. But no matter what settings I use the issue persists. I've also done a factory reset to no avail in terms of trying to correct the issue.

    My setup is a gigabit LAN cabled to Google Nest Wifi routers which in turn are WAN cabled to the VM hub LAN ports. Native WiFi on the VM hub is turned off. Typical bring your own wifi router setup on VM.

    I have also cabled my laptop directly to the VM hub to test this in isolation from the Nest routers and I can reproduce it that way too. So it does not seem related to the Nest routers. In terms of speed etc, the service works very well most of the time. This ICMP issue just blips here and there. A refresh later and you've got the site you requested.

    But today I was doing some work-related CDN (AWS Cloudfront) latency and etag testing with 10,000 GET requests across about 300 small image URLs. I would see as many as 7000 requests fail with out of the 10k requests with this ICMP scenario. Those requests were for small images < 200Kb each and at no more than 10 GETs concurrently. I was convinced it might be the router seeing this as some form of outbound IP flood but all that config is turned off.

    I'm going to contact VM support in cased this is a hardware fault etc but I was just curious if any others have observed this kind of scenario on Virgin Media.



    An example of the type of packet I see.. (ethernet frames not shown)

    VM Hub: 192.0.0.1

    Nest LAN: 192.168.12.x and my PC is 192.168.12.2.

    The preceding packet was a SYN to an AWS CDN IP 13.224.69.97 and this ICMP was returned by the router immediately.


    Internet Protocol Version 4, Src: 192.0.0.1, Dst: 192.168.12.2

      0100 .... = Version: 4

      .... 0101 = Header Length: 20 bytes (5)

      Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)

      Total Length: 56

      Identification: 0x0000 (0)

      Flags: 0x00

      Fragment Offset: 0

      Time to Live: 253

      Protocol: ICMP (1)

      Header Checksum: 0x3119 [validation disabled]

      [Header checksum status: Unverified]

      Source Address: 192.0.0.1

      Destination Address: 192.168.12.2

    Internet Control Message Protocol

      Type: 3 (Destination unreachable)

      Code: 13 (Communication administratively filtered)

      Checksum: 0xc505 [correct]

      [Checksum Status: Good]

      Unused: 00000000

      Internet Protocol Version 4, Src: 192.168.12.2, Dst: 13.224.69.97

        0100 .... = Version: 4

        .... 0101 = Header Length: 20 bytes (5)

        Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)

        Total Length: 64

        Identification: 0x0000 (0)

        Flags: 0x40, Don't fragment

        Fragment Offset: 0

        Time to Live: 62

        Protocol: TCP (6)

        Header Checksum: 0x1ccd [validation disabled]

        [Header checksum status: Unverified]

        Source Address: 192.168.12.2

        Destination Address: 13.224.69.97

      Transmission Control Protocol, Src Port: 59136, Dst Port: 443

        Source Port: 59136

        Destination Port: 443

        Sequence Number: 2879103893



Comments

  • Options
    #2
    smuggler.ie
    Registered Users Posts: 4,140 ✭✭✭smuggler.ie


    What exactly were you doing? 😊

     NOTE: [INTRO:2] defined Code 8 for source host isolated.  Routers
   SHOULD NOT generate Code 8; whichever of Codes 0 (Network
   Unreachable) and 1 (Host Unreachable) is appropriate SHOULD be used
   instead.  [INTRO:2] also defined Code 9 for communication with
   destination network administratively prohibited and Code 10 for
   communication with destination host administratively prohibited.
   These codes were intended for use by end-to-end encryption devices
   used by U.S military agencies.  Routers SHOULD use the newly defined
   Code 13 (Communication Administratively Prohibited) if they
   administratively filter packets.

    https://www.rfc-editor.org/rfc/rfc1812

    history of boards 2021




  • Options
    #3
    cormacl
    Registered Users Posts: 360 ✭✭cormacl


    Update on this. Google support took logs and stats from the Nest router and came back advising I try to switch to modem mode with the VM hub.

    Got that sorted today via a call to VM support and it's been perfect since. When I tried my stress tests, no ICMP packets were encountered.



Advertisement