Forum Discussion
Limiting icmp unreach
Basically, whenever the box gets a connection attempt to a port which it is configured to reject, or which it is not configured to listen on (UDP traffic), it generates an ICMP response. In some cases, it can also generate ICMP unreachable to indicate "no route to destination".
So It means that because the system is needing to generate too many ICMP unreach messages, it has decided to reduce the rate at which it is sending the packets in order to avoid making itself be a reflection source for generating traffic in a ddos attack.
If you get this happening frequently, it could be a sign that you have misconfigured your routing in your environment and some devices are attempting to use the BigIP for a network service it is not configured to provide. If it is happening associated to other events (such as failover), it could be that the upstream switch takes a while to update it's mac addresses, and traffic temporarily goes to the wrong device before correcting itself. To investigate, you could take a tcpdump:
tcpdump -i 0.0 -C 2 /var/tmp/2meg-sample.pcap
That should capture a 2MiB sample of traffic and save into /var/tmp/2meg-sample.pcap which you can review to see the source of the bad traffic and target of the icmp responses.
You can adjust the file size (-C argument) according to your needs.
Recent Discussions
Related Content
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com