Ping replies being dropped after 7.4.1 Upgrade (Kerio not allowing remote pinging)
  •  
bryancoley

Hi there,
Since upgrading all 7 of my Kerio Controls to version 7.4.1 Build 5051, I am getting ping timeouts to all devices at remote offices. I only get a response if I RDP onto the box: I get a reply whilst connected via RDP, and then a few minutes after disconnecting I lose connection again.

After going through the debug logs, the request seems to be fine going to the remote client, but then this is dropped on the far end Kerio with the following - {pktdrop} packet dropped: Incorrect ICMP echo reply direction (from Bxxx PWAN, proto:ICMP, len:60, 126.4.0.4 -> 192.168.150.150, type:0 code:0)

I have separate ADSL routers at each site with their respective addresses ending in .7 - I am able to partially get around this by adding static routes to the Windows devices to use the local ADSL router as a gateway for traffic to the remote site. This only works for the Windows devices and will not work for the printers etc on my network.

This used to work fine before upgrading my 7 Kerio boxes, so I am not sure what else I can try. Does anyone have any ideas, as apparently Kerio has tied down the security on ICMP traffic in their last update?

[Updated on: Thu, 27 December 2012 17:33]

  •  
paja

Did you find the solution for your problem? It looks like I'm in the same boat, but I didn't ask for tech support yet.
  •  
mlee (Kerio)

Hello,

Bryan contacted tech support and the issue was resolved.

Please turn on "Packet dropped for some reason" in the debug log and post anything unusual. If the issue is similar you should be able to see entries related to "3-way handshake".

Please post what you see, thanks.

PTSD. BP. OCD. ASPD. BPD. Certified.
  •  
paja

[22/Apr/2013 08:00:25] {pktdrop} packet dropped: Incorrect ICMP echo reply direction (from LAN 1 - local traffic, proto:ICMP, len:60, 192.168.1.26 -> 10.250.35.83, type:0 code:0)

It corresponds exactly to what I tracked down via tcpdump. The "Echo request" is coming from the source station via 192.168.1.10 to the target station 192.168.1.26, which replies via its default route to the Kerio GW 192.168.1.1, which has to route the packet back to 192.168.1.10, but due to the packet drop it never happens. This behaviour is valid just for ICMP traffic; TCP is working correctly. 3way handshake in winroute.cfg file is set to "0".
When I try to ping the remote station from 192.168.1.26, the local routing cache is updated and pings start to work temporarily.
  •  
mlee (Kerio)

Within the same table, would you like to check the value RequireIcmpFlowControl?

If it is 1, would you please change it to 0 and restart Kerio Control?

Regards,
M.

  •  
paja

I don't have this variable name inside my winroute.cfg file. Do you mean table Firewall? Should I add the variable?
  •  
mlee (Kerio)

Mind if I ask which version of Kerio Control you are running? And which operating system?

  •  
paja

Kerio Control 7.4.1 build 5051
Operating System Windows Server 2003
  •  
mlee (Kerio)

If I remember correctly ICMP Flow Control was introduced in version 8, and this version unfortunately does not support native Windows installation.

  •  
rjokl

7.4.2 has it too.
  •  
paja

Thx, I'll play with it after our business hours.
  •  
bryancoley

Hi All,

Luckily there is a very easy fix for this. It took a while, but the option to disable the ICMP reply issue was only addressed in version 8.0.0.

I have done this on 9 of my boxes and it is working fine.

1. Export the configuration of your Control(s)
2. Extract the zip file and edit the winroute.cfg file (I recommend using Total Commander as it can update the file inside the tar.gz)
3. Locate the following options by doing a text search for 'ICMP'
4. These options control the packet flow through the Kerio Control. One is for TCP connections (3WayHanshake) and the other one is for ICMP (pings, for example). Change the value of RequireIcmpFlowControl to 0 in order to disable it.
5. Save the changes and update the archive.
6. Import the configuration file back to your Control Appliance / Box
  •  
paja

Yes, but version 8.x runs only on Linux based HW or VMs. Or did I miss something?
  •  
paja

Problem solved. Upgrade to 7.4.2 (last version for native Windows env.) and RequireIcmpFlowControl set to "0" in winroute.cfg file
Thanks go to all helpers.
ajamali

paja wrote on Wed, 24 April 2013 13:47
Problem solved. Upgrade to 7.4.2 (last version for native Windows env.) and RequireIcmpFlowControl set to "0" in winroute.cfg file
Thanks go to all helpers.


Could you please describe your problem? I just want to make sure I have the same issue before disabling RequireIcmpFlowControl.

BR,