Denying ICMP type 3 code 4 traffic - good or bad?

networking firewall icmp cisco-asa

Try setting crypto ipsec df-bit clear-df outside. This won't fix the direct issue here, but may work around it.

As far as the immediate issue - it seems like the ASA isn't realizing that the ICMP packet needs to be used as Path MTU discovery for its tunnel. Check if there's anything in the PMTUD counters displayed by show crypto ipsec sa?


ICMP type 3 code 4 messages are "fragmentation needed but don't fragment set". This means your device sent a packet larger than the MTU of the device sending the ICMP message to you. Normally, the packet could be fragmented, but the DF bit was set. Since you're denying the inbound ICMP message, the ASA doesn't get notified that its packet wasn't delivered. Dropping these ICMP messages is generally bad for performance because it essentially results in packet loss.

Cisco's ASA configuration guide recommends always permitting ICMP type 3 messages, and it specifically mentions that problems can arise with IPsec if these messages are blocked. You can configure the ASA reporting this error to allow them with the following command:

icmp permit any unreachable outside

This only affects ICMP unreachables destined for the ASA itself. If you also need to permit them through the ASA to internal hosts, you'll need to do so with an access-list on your outside interface.

Related

Why do these emails from amazon SES keep getting marked as spam?
Can nginx start apache on demand?
NFS server is exporting the wrong directories
Modifying Active Directory Connection Objects
ICACLS IIS AppPool\DefaultAppPool = invalid parameter
How to map AD Domain Admins group to Ubuntu admins
Mongodb ubdate on Ubuntu 10.04 LTS
How to fix 'File name too long' error in apache2?
How To Deal With Frequent And Constant PHP/MySQL Version Updates
How to know which process was using a port after it enters TIME_WAIT state?
Automatic/scheduled check for open ports on list of servers
Nginx deferred bind