F5 is upgrading its customer support chat feature on My.F5.com. Chat support will be unavailable from 6am-10am PST on 1/20/26. Refer to K000159584 for details.

Forum Discussion

JAIME_QUIROGA_1's avatar
JAIME_QUIROGA_1
Icon for Nimbostratus rankNimbostratus
Jan 26, 2016

Limiting icmp unreach

Hello I need to know why I see in the Gues Active logs as "Limiting icmp unreach response from 251 to 250 packets/sec" . I know that I could modify the tm.maxrejectrate as a it's written in SOL13151...
icmp
LTM
security
TMSH
BinaryCanary_19's avatar
BinaryCanary_19
Historic F5 Account
Jan 27, 2016

Basically, whenever the box gets a connection attempt to a port which it is configured to reject, or which it is not configured to listen on (UDP traffic), it generates an ICMP response. In some cases, it can also generate ICMP unreachable to indicate "no route to destination".

So It means that because the system is needing to generate too many ICMP unreach messages, it has decided to reduce the rate at which it is sending the packets in order to avoid making itself be a reflection source for generating traffic in a ddos attack.

If you get this happening frequently, it could be a sign that you have misconfigured your routing in your environment and some devices are attempting to use the BigIP for a network service it is not configured to provide. If it is happening associated to other events (such as failover), it could be that the upstream switch takes a while to update it's mac addresses, and traffic temporarily goes to the wrong device before correcting itself. To investigate, you could take a tcpdump:

tcpdump -i 0.0 -C 2 /var/tmp/2meg-sample.pcap

That should capture a 2MiB sample of traffic and save into /var/tmp/2meg-sample.pcap which you can review to see the source of the bad traffic and target of the icmp responses.

You can adjust the file size (-C argument) according to your needs.