Connect. Communicate. Collaborate. Securely.

Home » Kerio User Forums » Kerio Control » Kerio droping packets (ICMP Redirect?)
  •  
informator

Messages: 6
Karma: 0
Send a private message to this user
I have a problem in my company's network regarding transmission to another network.

First of all - kerio is our company's FW, dhcp server and a default gateway.

Our users are in the same subnet as Kerio and router that connects our network to another company's network (not controlled by us).
That other network is running SAP server (management application) which can be reached by us with no problem, when a host adds routers address as an additional static route entry.

I'm new to Kerio, so it took some time to figure that it works with no additional static entry, when i add a rule on Kerio that states:
- permit all traffic to desired server from my subnet (LAN) + source NAT (on LAN interface)

It started working, but sometimes application spills some errors (regarding connection problems) and it generally works slower.

I blame droping the ICMP redirects by Kerio, because apart from the fact that host at first has to send the packet to Kerio (def. gateway), it sends redirection and the transmission is as it was when there was a static routing entry. Am I correct?

I tried adding a QoS rule for ICMP redirects but with no luck.

What else can be wrong, or why is that and how can i fix it?

Thanks in advance!
  •  
Goran

Messages: 326
Karma: 5
Send a private message to this user
disable cache. and your problems should be solved. Cache is fixed by version 8.0 RC1

Question cannot be stupid, but some of the answers can.
  •  
informator

Messages: 6
Karma: 0
Send a private message to this user
unfortunately cache was already disabled, so it's not it:/
  •  
Goran

Messages: 326
Karma: 5
Send a private message to this user
change Network card maybe*

Question cannot be stupid, but some of the answers can.
  •  
informator

Messages: 6
Karma: 0
Send a private message to this user
Small update:
i've recently sniffed Kerio LAN port with wireshark (port mirroring on switch), and received input:

1.Host sends packet "A" to Kerio that is destined for SAP server,
2.Kerio sends ICMP redirect to host,
3.Kerio uses NAT and sends received packet "A" to SAP server,
4.Server sends few packets as a reply to a Kerio,
5.Kerio sends that packets to host.

Everything above is a normal nat operation, except the ICMP redirect part.

Why is Kerio sending ICMP redirect when it uses his own interface to continue the transmission?
I presume that it should work with ICMP redirect part with no NAT - Kerio should let host after sending it to continue the transmission for its own, but with no NAT - it doesn't work.

Maybe I can disable ICMP replies somehow?

I've discovered that almost every first packet NAT-ed by Kerio destined to SAP server has incorect framecheck sequence, maybe that's what slows the session?
Previous Topic: block Hotspot Shield
Next Topic: Intrusion Prevention And Antivirus Not updating
Goto Forum:
  


Disclaimer:
Kerio discussion forums are intended for open communication between forum members and may contain information and material posted by members which may be useful in learning about Kerio products. The discussion forums are not intended to provide technical support for any specific product. Any information implied or expressed in the discussion forums is that of the posting member. Kerio is in no way responsible for the information posted in the forums, or its accuracy. Kerio employees may participate in the discussions, but their postings do not represent an offical position of the company on any issues raised or discussed. Kerio reserves the right to monitor and maintain the forums to promote free and accurate exchange of information.

Current Time: Sun Aug 20 11:48:46 CEST 2017

Total time taken to generate the page: 0.00404 seconds
.:: Contact :: Home ::.
Powered by: FUDforum 3.0.4.