Created on 10-31-2024 09:29 AM Edited on 11-04-2024 12:23 AM By Jean-Philippe_P
Description | This article describes how a FortiGate handles ICMP Type 3 packets that are not locally generated. |
Scope | FortiGate. |
Solution |
ICMP (Internet Control Message Protocol) is a protocol used by devices running IPv4 to exchange information about the network, for example diagnostic and error-reporting information.
More information about the protocol is available in the related RFC.
The best-known use of ICMP is ping, but many applications use ICMP packets to exchange information between the involved devices.
When a FortiGate receives an ICMP Type 3 packet (the RFC lists all ICMP types), it does not look for the best route to the packet's destination. Instead, it routes the packet according to the inner information it carries: it uses the return path of the session whose ports match those in the User Datagram Protocol (UDP) header embedded in the ICMP Type 3 packet.
Packet capture with the embedded User Datagram Protocol field highlighted in blue:
Session details (the information related to the return path is in bold):
session info: proto=17 proto_state=00 duration=89 expire=96 timeout=0 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
state=log may_dirty f00 f02
statistic(bytes/packets/allow_err): org=111/3/0 reply=0/0/0 tuples=2
tx speed(Bps/kbps): 1/0 rx speed(Bps/kbps): 0/0
orgin->sink: org pre->post, reply pre->post dev=4->4/4->4 gwy=10.174.15.42/10.174.15.42
hook=pre dir=org act=noop 10.144.7.147:45767->10.48.18.27:33439(0.0.0.0:0)
hook=post dir=reply act=noop 10.48.18.27:33439->10.144.7.147:45767(0.0.0.0:0)
misc=0 policy_id=1 pol_uuid_idx=15746 auth_info=0 chk_client_info=0 vd=0 serial=00002d7a tos=ff/ff app_list=0 app=0 url_cat=0
rpdb_link_id=00000000 ngfwid=n/a
npu_state=0x000100 no_ofld_reason: npu-flag-off
An explanation of how to filter via the CLI and read the FortiGate sessions list is provided in Troubleshooting Tip: FortiGate session table information.
This mechanism applies to ICMP Type 3 packets regardless of their ICMP code. For this reason, it is not a bug if a time-exceeded packet (Type 11) and an ICMP Type 3 packet received on the same FortiGate interface are routed differently.
As an example, when a UDP traceroute (the default kind) is run, the intermediate routers reply with Time-to-Live exceeded packets (ICMP Type 11), while the router that has the traceroute destination IP directly connected replies with a port unreachable packet (ICMP Type 3).
A FortiGate in the middle can route these two packet types differently: the first according to the routing table and any routing policies, such as SD-WAN rules, and the second with the mechanism explained above. |
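The following is an added illustration, not FortiGate code, of the forwarding decision described above: it parses the IP/UDP header quoted inside an ICMP error, looks up the embedded 5-tuple in a constructed session table modelled on the session output shown earlier (10.144.7.147:45767->10.48.18.27:33439, reply dev=4, gwy=10.174.15.42), and sends a Type 3 message down that session's reply path while a Type 11 message falls through to the normal route lookup. The session table, the packet builder and the "route-lookup"/"session-reply-path" labels are assumptions made for the example.

```python
import socket
import struct

# Constructed session entry mirroring the "session info" output above:
# proto=17, org 10.144.7.147:45767->10.48.18.27:33439, reply dev=4, gwy=10.174.15.42.
SESSIONS = {
    (17, "10.144.7.147", 45767, "10.48.18.27", 33439): {"reply_dev": 4, "gwy": "10.174.15.42"},
}

def parse_icmp_unreachable(icmp):
    """Return the 5-tuple (proto, src, sport, dst, dport) of the original datagram
    embedded in an ICMP Type 3 message, or None for other types / truncated data."""
    if len(icmp) < 8 + 20 + 8 or icmp[0] != 3:
        return None
    inner = icmp[8:]                      # original IP header + first 8 bytes of payload
    ihl = (inner[0] & 0x0F) * 4           # inner header length (IP options make it > 20)
    if inner[9] != 17 or len(inner) < ihl + 8:
        return None                       # only UDP sessions are matched by port here
    src, dst = socket.inet_ntoa(inner[12:16]), socket.inet_ntoa(inner[16:20])
    sport, dport = struct.unpack("!HH", inner[ihl:ihl + 4])
    return 17, src, sport, dst, dport

def route_icmp(icmp):
    """Forwarding decision as described in the article: a Type 3 message whose embedded
    ports match a session follows that session's reply path; everything else goes
    to the normal route lookup (routing table, policy routes, SD-WAN rules)."""
    tup = parse_icmp_unreachable(icmp)
    sess = SESSIONS.get(tup) if tup else None
    if sess is None:
        return "route-lookup", None
    return "session-reply-path", sess

def build_icmp_error(icmp_type, code, src, sport, dst, dport):
    """Constructed ICMP error (Type 3 or 11) quoting a UDP probe; checksums left at 0."""
    inner_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 17, 0,
                           socket.inet_aton(src), socket.inet_aton(dst))
    inner_udp = struct.pack("!HHHH", sport, dport, 8, 0)
    return struct.pack("!BBHI", icmp_type, code, 0, 0) + inner_ip + inner_udp

if __name__ == "__main__":
    # Port unreachable quoting the traceroute probe: matched, sent via the reply path.
    pu = build_icmp_error(3, 3, "10.144.7.147", 45767, "10.48.18.27", 33439)
    print(route_icmp(pu))    # ('session-reply-path', {'reply_dev': 4, 'gwy': '10.174.15.42'})
    # Time exceeded quoting the same probe: ordinary route lookup.
    te = build_icmp_error(11, 0, "10.144.7.147", 45767, "10.48.18.27", 33439)
    print(route_icmp(te))    # ('route-lookup', None)
```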
Copyright 2024 Fortinet, Inc. All Rights Reserved.