Forum Discussion

JAIME_QUIROGA_1
Jan 26, 2016

Limiting icmp unreach

Hello, I need to know why I see in the Gues Active logs "Limiting icmp unreach response from 251 to 250 packets/sec". I know that I could modify tm.maxrejectrate as it's written in SOL13151, but I hope to capture traffic to look for the IP that is generating this traffic.


1 Reply

  • BinaryCanary_19
    Historic F5 Account

    Basically, whenever the box gets a connection attempt to a port which it is configured to reject, or which it is not configured to listen on (UDP traffic), it generates an ICMP response. In some cases, it can also generate ICMP unreachable to indicate "no route to destination".

    So it means that because the system is needing to generate too many ICMP unreach messages, it has decided to reduce the rate at which it is sending the packets in order to avoid making itself a reflection source for generating traffic in a DDoS attack.

    If you get this happening frequently, it could be a sign that you have misconfigured your routing in your environment and some devices are attempting to use the BigIP for a network service it is not configured to provide. If it is happening associated with other events (such as failover), it could be that the upstream switch takes a while to update its MAC addresses, and traffic temporarily goes to the wrong device before correcting itself. To investigate, you could take a tcpdump:

    tcpdump -i 0.0 -C 2 -w /var/tmp/2meg-sample.pcap

    That should capture a 2MiB sample of traffic and save it to /var/tmp/2meg-sample.pcap, which you can review to see the source of the bad traffic and the target of the ICMP responses.

    You can adjust the file size (-C argument) according to your needs.
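As an added example (not code from this thread or from F5), here is a stdlib-only Python script that walks the pcap saved by that tcpdump command and tallies, for every ICMP destination-unreachable it finds, which original sender and destination port the box was complaining about; it assumes a classic pcap (not pcapng) with Ethernet framing and IPv4, and includes a constructed two-packet capture so it runs without a real file.

```python
import struct
import sys
from collections import Counter

def _ip_hdr(src, dst, proto, payload_len):
    """Minimal IPv4 header (checksum left at zero; the parser does not verify it)."""
    return struct.pack('!BBHHHBBH4s4s', 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       bytes(map(int, src.split('.'))), bytes(map(int, dst.split('.'))))

def build_sample_pcap():
    """Constructed capture: UDP probe 10.0.0.5 -> 10.0.0.1:161, then the ICMP port-unreachable reply."""
    probe = _ip_hdr('10.0.0.5', '10.0.0.1', 17, 8) + struct.pack('!HHHH', 40000, 161, 8, 0)
    icmp = struct.pack('!BBHI', 3, 3, 0, 0) + probe[:28]   # type 3/code 3, quoting IP header + 8 bytes
    reply = _ip_hdr('10.0.0.1', '10.0.0.5', 1, len(icmp)) + icmp
    frames = [b'\x00' * 12 + b'\x08\x00' + p for p in (probe, reply)]  # Ethernet header, ethertype IPv4
    out = struct.pack('<IHHiIII', 0xa1b2c3d4, 2, 4, 0, 0, 65535, 1)    # little-endian pcap, LINKTYPE_ETHERNET
    for f in frames:
        out += struct.pack('<IIII', 0, 0, len(f), len(f)) + f          # per-packet record header + frame
    return out

def icmp_unreach_sources(data):
    """Tally ICMP type-3 packets by the quoted original datagram: (orig src, orig dst, proto, dst port)."""
    endian = {b'\xd4\xc3\xb2\xa1': '<', b'\xa1\xb2\xc3\xd4': '>'}.get(data[:4])
    if endian is None:
        raise ValueError('not a classic pcap file (pcapng is not handled here)')
    counts, off = Counter(), 24
    while off + 16 <= len(data):
        incl_len = struct.unpack(endian + 'I', data[off + 8:off + 12])[0]
        pkt = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(pkt) < 34 or pkt[12:14] != b'\x08\x00':
            continue  # not an IPv4-over-Ethernet frame
        ip = pkt[14:]
        ihl = (ip[0] & 0x0f) * 4
        if ip[9] != 1 or len(ip) < ihl + 8 or ip[ihl] != 3:
            continue  # not ICMP, or ICMP but not type 3 (destination unreachable)
        inner = ip[ihl + 8:]  # the offending datagram the box is responding to
        if len(inner) < 20 or len(inner) < (inner_ihl := (inner[0] & 0x0f) * 4) + 4:
            continue  # quote truncated before the transport ports
        src, dst = ('.'.join(map(str, inner[i:i + 4])) for i in (12, 16))
        proto = inner[9]
        dport = struct.unpack('!H', inner[inner_ihl + 2:inner_ihl + 4])[0] if proto in (6, 17) else None
        counts[(src, dst, proto, dport)] += 1
    return counts

if __name__ == '__main__':
    raw = open(sys.argv[1], 'rb').read() if len(sys.argv) > 1 else build_sample_pcap()
    for (src, dst, proto, dport), n in icmp_unreach_sources(raw).most_common(10):
        print(f'{n:6d}  {src} -> {dst} proto={proto} dport={dport}')
```

Run it as `python3 script.py /var/tmp/2meg-sample.pcap` to see the top original senders and the ports they keep hitting; with no argument it reports on the constructed sample.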