ICMP Type 3 (Destination Unreachable) packets do not match DFW Rules configured with ICMP services
Article ID: 427142
Products

  • VMware vDefend Firewall
  • VMware vDefend Firewall with Advanced Threat Prevention

Issue/Introduction

  • A DFW rule is configured to allow or block ICMP traffic using ICMP services.
  • ICMP Type 3 (Destination Unreachable) packets do not match the rule.
  • Other ICMP types, such as Echo Request and Echo Reply, match the rule as expected.

Environment

VMware NSX - All Versions

Cause

  • This behavior is expected and working as designed.
  • ICMP Type 3 (Destination Unreachable) packets are handled differently by the Distributed Firewall. Instead of evaluating the outer ICMP header for rule matching, DFW inspects the ICMP payload, which carries the header of the original IP packet that triggered the ICMP response.
  • DFW uses the Layer 3 and Layer 4 information of the original packet embedded in the ICMP payload, including source IP, destination IP, and ports, to determine rule matching.

Resolution

  • No action is required, as this is expected behavior.
  • If ICMP Type 3 packets must be explicitly allowed or blocked, configure the DFW rule using the source and destination IP addresses and ports of the original traffic that triggers the ICMP Destination Unreachable message, rather than using the ICMP service.
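The following Python model, added here to illustrate the matching behaviour described under Cause and the rule style recommended under Resolution, is not NSX code: it builds a constructed ICMP Destination Unreachable packet around an original UDP/53 datagram, extracts the tuple the DFW is described as using (the embedded original packet's addresses and ports), and evaluates it against a toy rule list whose format, names and addresses are assumptions.

```python
import ipaddress
import struct

def ipv4_header(src, dst, proto, total_len):
    # Minimal 20-byte IPv4 header; checksum left at zero (constructed sample data).
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)

def icmp_dest_unreachable(orig_src, orig_dst, orig_sport, orig_dport, code=3):
    # RFC 792 Destination Unreachable: type 3, code, checksum, 4 unused bytes, then the
    # original IP header plus the first 8 bytes of its payload (here a UDP header).
    inner = ipv4_header(orig_src, orig_dst, 17, 28) + struct.pack("!HHHH", orig_sport, orig_dport, 8, 0)
    icmp = struct.pack("!BBHI", 3, code, 0, 0) + inner
    # Outer packet travels back to the original sender (constructed: emitted by the original destination).
    return ipv4_header(orig_dst, orig_src, 1, 20 + len(icmp)) + icmp

def icmp_echo_request(src, dst):
    return ipv4_header(src, dst, 1, 28) + struct.pack("!BBHHH", 8, 0, 0, 1, 1)

def dfw_match_tuple(packet):
    """Matching key as the KB describes it: ICMP type 3 is keyed on the quoted original
    packet's L3/L4 fields; every other packet is keyed on its own header."""
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    src, dst = str(ipaddress.IPv4Address(packet[12:16])), str(ipaddress.IPv4Address(packet[16:20]))
    l4 = packet[ihl:]
    if proto == 1 and l4[0] == 3:
        return dfw_match_tuple(l4[8:])          # recurse into the embedded original packet
    if proto in (6, 17):
        return (src, dst, proto) + struct.unpack("!HH", l4[:4])
    if proto == 1:
        return (src, dst, proto, l4[0], l4[1])  # other ICMP: type and code in the port slots
    return (src, dst, proto, None, None)

def first_match(rules, key):
    # First-match evaluation over a toy rule format (assumed, not the NSX rule schema).
    src, dst, proto, _sport, dport = key
    for rule in rules:
        if rule.get("proto", "any") not in ("any", proto):
            continue
        if rule.get("dport") not in (None, dport):
            continue
        if rule.get("src", "any") != "any" and ipaddress.ip_address(src) not in ipaddress.ip_network(rule["src"]):
            continue
        if rule.get("dst", "any") != "any" and ipaddress.ip_address(dst) not in ipaddress.ip_network(rule["dst"]):
            continue
        return rule["name"]
    return "default"

# Constructed rule set: an ICMP-service rule and a rule written for the original UDP/53 flow.
RULES = [{"name": "allow-icmp", "proto": 1}, {"name": "allow-dns", "proto": 17, "dport": 53}]
```

With only the ICMP-service rule present, the Destination Unreachable packet falls through to the default rule, while the rule describing the original UDP/53 traffic catches it.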

Additional Information

Related KB: DFW Logs show ICMP Type 3 packets aligned with a firewall flow that is only configured for TCP/UDP