Packet Filtering for block ICMP Traffic

Question

Hi All,&nbsp;&nbsp;In my network design, it consists of 3 network segment which is VLAN_Internal, VLAN_ISP1, VLAN_ISP2. &nbsp;&nbsp;&nbsp;So i created 2 packet filter rules to block the ICMP from external network (VLAN_ISP1 &amp; VLAN_ISP2) and it works perfectly.&nbsp;&nbsp;&nbsp;However, when i ping from the internal segment (VLAN_Internal), i found that the ping packets is intermittent drops, but when i "disable" the packet filters features on F5, and the ping become smooth..&nbsp;&nbsp;&nbsp;Any idea wat will causes this problem?&nbsp;&nbsp;&nbsp;thanks..&nbsp;&nbsp;&nbsp;Best Regards,&nbsp;Ray&nbsp;

hooleylist · Answer

Hi Ray, 
&nbsp;  
&nbsp; I suggest capturing tcpdumps on LTM and opening a case with F5 Support on this.  For details, see SOL411 on AskF5.com: 
&nbsp;  
&nbsp; sol411: Overview of packet tracing with the tcpdump utility 
&nbsp; http://support.f5.com/kb/en-us/solutions/public/0000/400/sol411.html 
&nbsp;  
&nbsp; Aaron

yann_bruneau · Answer

Hello Ray,&nbsp;
I've got the same issue. It seems that the packet filter drops some ICMP reply coming back from the destination.&nbsp;
I've managed to make things work correctly by modifying the packet filter rule and adding the following condition :&nbsp;
and (icmp[0] = 8)&nbsp;
This will tell the filter to only drop icmp request from outside IP, the icmp reply will never be dropped.&nbsp;
Hope this will help&nbsp;
Yann&nbsp;

Forum Discussion

Packet Filtering for block ICMP Traffic

2 Replies

Recent Discussions

F5 VE in Azure - troubles with Sentinel integration

Need help on i-rule to specific uri path

Stable Firmware for F5

BigIP Next - Health Monitors / Template

LDAPS and renegotiation

Related Content

Decrypting BIG-IP Packet Captures without iRules

Decrypting BIG-IP Packet Captures Automatically

UDP TCP Packet Duplication

F5 packet buffer

fellow traffic