Real Time Ascend Mailing List Archive

Re: (ASCEND) Strange Syslog Message



> I keep seeing messages similar to the following being logged from my
> Ascend to syslog:
> 
> 
> Mar  2 09:35:10 ??? ASCEND: wan3 3/3/icmp 207.18.147.201 <- 207.18.144.2
> 112 !pass (reject)
> Mar  2 09:35:12 ??? ASCEND: wan2 3/3/icmp 207.18.147.201 <- 207.18.144.2
> 112 !pass (reject)
> Mar  2 09:35:13 ??? ASCEND: wan3 3/3/icmp 207.18.147.201 <- 207.18.144.2
> 112 !pass (reject)
> Mar  2 09:35:15 ??? ASCEND: wan2 3/3/icmp 207.18.147.201 <- 207.18.144.2
> 112 !pass (reject)
> Mar  2 09:35:16 ??? ASCEND: wan3 3/3/icmp 207.18.147.201 <- 207.18.144.2
> 112 !pass (reject)
> Mar  2 09:35:18 ??? ASCEND: wan2 3/3/icmp 207.18.147.201 <- 207.18.144.2
> 112 !pass (reject)
> Mar  2 09:35:19 ??? ASCEND: wan3 3/3/icmp 207.18.147.201 <- 207.18.144.2
> 112 !pass (reject)
> Mar  2 09:35:21 ??? ASCEND: wan2 3/3/icmp 207.18.147.201 <- 207.18.144.2
> 112 !pass (reject)

Your firewall has rejected these ICMP packets from 207.18.144.2 to
207.18.147.201. Those 3's probably refer to the ICMP type and subtype,
so that would make them ICMP Port Unreachable notifications.

They appear in syslog because you have configured this particular
rejection entry in the firewall to log packets.

You should probably configure your firewall to let ICMP unreachable
messages through, as they are legitimate, useful packets that let a
host know that it has attempted to contact something which doesn't
exist (a host, net, protocol, or port). Thus the client can give up
right away instead of having to wait (and wait and wait) and time out.
(This makes users happier!) In addition, denying ICMP unreachable
packets breaks Path MTU discovery.

-Phil
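
Added example, not part of the original message and not Ascend's own tooling: a Python parser for filter-log lines like those quoted above. It follows the reply's reading of `3/3/icmp` as ICMP type/code and counts rejected type 3 (unreachable) messages per source and destination, including code 4, which Path MTU discovery depends on. The field layout is an assumption inferred from the quoted lines, and the code-4 sample line is constructed.

```python
import re
from collections import Counter

# Assumed layout, inferred from the lines quoted in this thread:
# <iface> <type>/<code>/<proto> <dst> <- <src> <len> <verdict>
LINE_RE = re.compile(
    r"ASCEND: (?P<iface>\S+) (?P<type>\d+)/(?P<code>\d+)/(?P<proto>\w+) "
    r"(?P<dst>[\d.]+) <- (?P<src>[\d.]+)\s+(?P<length>\d+) (?P<verdict>!?pass)"
)
TIMESTAMP_RE = re.compile(r"[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d ")

# ICMP type 3 (Destination Unreachable) codes, RFC 792 and RFC 1191.
UNREACH = {0: "net unreachable", 1: "host unreachable",
           2: "protocol unreachable", 3: "port unreachable",
           4: "fragmentation needed (PMTUD)"}

def unwrap(raw):
    """Rejoin records folded by the mail client; a record starts with a timestamp."""
    records = []
    for line in raw.splitlines():
        line = line.strip()
        if TIMESTAMP_RE.match(line):
            records.append(line)
        elif line and records:
            records[-1] += " " + line
    return records

def rejected_unreachables(raw):
    """Count rejected ICMP unreachables per (src, dst, meaning)."""
    hits = Counter()
    for rec in unwrap(raw):
        m = LINE_RE.search(rec)
        if not m or m["proto"] != "icmp" or m["verdict"] != "!pass":
            continue
        if int(m["type"]) != 3:
            continue
        meaning = UNREACH.get(int(m["code"]), "code " + m["code"])
        hits[(m["src"], m["dst"], meaning)] += 1
    return hits

# Two folded lines from the thread, plus one constructed code-4 line
# using documentation addresses.
SAMPLE = """
Mar  2 09:35:10 ??? ASCEND: wan3 3/3/icmp 207.18.147.201 <- 207.18.144.2
112 !pass (reject)
Mar  2 09:35:12 ??? ASCEND: wan2 3/3/icmp 207.18.147.201 <- 207.18.144.2
112 !pass (reject)
Mar  2 09:36:01 ??? ASCEND: wan2 3/4/icmp 192.0.2.1 <- 198.51.100.7 56 !pass (reject)
"""

if __name__ == "__main__":
    for (src, dst, meaning), n in rejected_unreachables(SAMPLE).items():
        print(f"{n:3d}  {src} -> {dst}  {meaning}")
```

Any non-zero count for "fragmentation needed (PMTUD)" means the filter is dropping the messages that Path MTU discovery relies on.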