POP replies ICMP type 3 code 13 (Communication administratively filtered)
Shadow Hawkins on Monday, 25 June 2012 23:13:26
Hi
Need some help with setting up my tunnel on a ScreenOS Juniper firewall.
I got a tunnel working on a FortiGate firewall with a fixed IP address (T96374).
I got a second tunnel set up on a Juniper firewall (T98386) with a dynamic public IP address. So I configured an AYIYA type tunnel and installed the AICCU client on a Windows system to update my public IP address with the POP. My tunnel information page is showing the tunnel is up and showing small stats.
When sending data through, I get ICMP type 3 code 13 replies back. First IPv6 SYN is getting IPv4 encapsulated and sent to the POP IPv4 address, but the POP replies with the ICMP Communication Administratively filtered message.
This does not only happen to traffic from my client system through the tunnel, but also when I try to ping the tunnel IPv6 endpoint IP from my Juniper firewall itself.
I'm unable to reach any IPv6 address through this tunnel.
Anything wrong configuration wise or is this an issue with my provider or with the POP?
Cheers,
Christophe
Jeroen Massar on Monday, 25 June 2012 23:56:13
I got a second tunnel set up on a Juniper firewall (T98386) with a dynamic public IP address. So I configured an AYIYA type tunnel and installed the AICCU client on a Windows system to update my public IP address with the POP.
T98386 is thus AYIYA.
My tunnel information page is showing the tunnel is up and showing small stats. When sending data through, I get ICMP type 3 code 13 replies back.
What is your source address and what device is sending it? (This as I am reading that you are actually trying to terminate the tunnel on the Juniper which afaik only supports Proto-41 and thus that is not AYIYA).
First IPv6 SYN is getting IPv4 encapsulated and sent to the POP IPv4 address, but the POP replies with the ICMP Communication Administratively filtered message.
A packet dump of this would be very useful to state exactly which host is sending that and why.
This does not only happen to traffic from my client system through the tunnel, but also when I try to ping the tunnel IPv6 endpoint IP from my Juniper firewall itself.
Which address tries to contact which, and which one replies back? Output would be useful ;)
Anything wrong configuration wise or is this an issue with my provider or with the POP?
Likely with your config. Please provide more details and outputs.
Also note that sixxsd can send some extra ICMP codes depending on the down state of the tunnel as stated in the FAQ.
You are getting type 13 though which indicates you are using a source address that should not be used.
A packet capture would explain it better though as then we can see (use "-s 0" as a param) what the packet is that the error was about.
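As an added example (not part of the original posts): an ICMP error quotes the IPv4 header and at least the first 8 bytes of the packet it refers to, which is why a full-length capture shows whether the rejected packet was proto-41 or AYIYA on udp/5072. The function names and the 192.0.2.10 / 198.51.100.1 addresses below are constructed for illustration.

```python
import socket
import struct

AYIYA_PORT = 5072  # udp/5072, the AYIYA port named in the thread

def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header (checksum left at 0; constructed test data)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst))

def parse_icmp_error(packet):
    """Describe the packet an ICMP type 3 error refers to, or None if not one."""
    if len(packet) < 20 or packet[9] != 1:        # outer protocol 1 = ICMP
        return None
    ihl = (packet[0] & 0x0F) * 4
    if len(packet) < ihl + 8 + 20 or packet[ihl] != 3:
        return None
    inner = packet[ihl + 8:]                      # quoted original header + data
    inner_ihl = (inner[0] & 0x0F) * 4
    proto = inner[9]
    info = {
        "reporter": socket.inet_ntoa(packet[12:16]),
        "code": packet[ihl + 1],
        "orig_src": socket.inet_ntoa(inner[12:16]),
        "orig_dst": socket.inet_ntoa(inner[16:20]),
        "orig_proto": proto,
    }
    if proto == 41:                               # IPv6-in-IPv4
        info["encap"] = "proto-41"
    elif proto == 17 and len(inner) >= inner_ihl + 4:
        sport, dport = struct.unpack("!HH", inner[inner_ihl:inner_ihl + 4])
        info["encap"] = "ayiya" if AYIYA_PORT in (sport, dport) else "udp-other"
    else:
        info["encap"] = "other"
    return info

def sample_error(inner_proto, inner_payload):
    """Constructed ICMP 3/13 from 198.51.100.1 quoting a packet sent by 192.0.2.10."""
    quoted = ipv4_header("192.0.2.10", "198.51.100.1", inner_proto,
                         len(inner_payload)) + inner_payload[:8]
    icmp = struct.pack("!BBHI", 3, 13, 0, 0) + quoted
    return ipv4_header("198.51.100.1", "192.0.2.10", 1, len(icmp)) + icmp

if __name__ == "__main__":
    print(parse_icmp_error(sample_error(41, b"\x60" + b"\x00" * 7)))
    udp = struct.pack("!HHHH", 40000, AYIYA_PORT, 8, 0)
    print(parse_icmp_error(sample_error(17, udp)))
```

To feed it real data, pass the bytes of each captured ICMP packet starting at the IPv4 header, with any link-layer header stripped first.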
Shadow Hawkins on Tuesday, 26 June 2012 21:06:51
Hi Jeroen
This as I am reading that you are actually trying to terminate the tunnel on the Juniper which afaik only supports Proto-41
Indeed, it looks like my Juniper firewall is not decapsulating the udp/5072 packets. I was not aware AYIYA was not supported on Juniper, thanks for pointing that out.
I was hoping I could use AYIYA in order to put my Juniper firewall behind a NAT device. I guess I'll have to change the tunnel type to heartbeat.
I'm only starting to discover IPv6, I guess that's going to include some trial and error :).
Cheers,
Christophe
Shadow Hawkins on Tuesday, 03 July 2012 20:20:00
Looks like changing the tunnel type to heartbeat fixed my issue.
Jeroen Massar on Wednesday, 04 July 2012 14:07:12
Makes sense as Junipers tend to support (there are some hardware/software limitations in some combinations of hw/sw) proto-41 tunnels.