Hello.
we have a Nagios Server 172.20.11.158 who need to ping/check 172.16.181.59. When I debug the traffic, we can see that the traffic is allowed by policy-63 and a route is found via "INTERCO_OLD_DC". I never seen the trafic after routing on the remote firewall but in the local firewall, I see the following error message :
func=__icmp_send line=549 msg="Exceeded ICMP rate limit(type=3 code=1 limit=1s), drop"Is there a rate limite by default on global system ? Below my trace.
2018-09-07 09:30:59 id=20085 trace_id=36226 func=print_pkt_detail line=5311 msg="vd-C1_INFRA received a packet(proto=1, 172.20.11.158:12530->172.16.181.59:2048) from C1_SERVER. type=8, code=0, id=12530, seq=1."
2018-09-07 09:30:59 id=20085 trace_id=36226 func=init_ip_session_common line=5470 msg="allocate a new session-29a8ae66"
2018-09-07 09:30:59 id=20085 trace_id=36226 func=vf_ip_route_input_common line=2576 msg="find a route: flag=04000000 gw-172.16.181.59 via INTERCO_OLD_DC"
2018-09-07 09:30:59 id=20085 trace_id=36226 func=fw_forward_handler line=743 msg="Allowed by Policy-63:"
2018-09-07 09:31:00 id=20085 trace_id=36225 func=__icmp_send line=549 msg="Exceeded ICMP rate limit(type=3 code=1 limit=1s), drop"
After contacting Fortigate support, the conclusion is that it is a excepted behavior. Below the answer of the support.
This is an expected behavior: The package is dropped since the ICMP is exceeding the rate limit. The FortiGate team has a limitation for ICMP; the limit is 6 packets per second per sender. This is based on RFC 1812: 4.3.2.8 Rate Limiting A router which sends ICMP Source Quench messages MUST be able to limit the rate at which the messages can be generated. A router SHOULD also be able to limit the rate at which it sends other sorts of ICMP error messages (Destination Unreachable, Redirect, Time Exceeded, Parameter Problem). The rate limit parameters SHOULD be settable as part of the configuration of the router. How the limits are applied (e.g., per router or per interface) is left to the implementor's discretion.
The limit of 6 ICMP packets per second and per sender seem very low...
What is strange is that before this problem, my nagios server was behind a 1500D and all worked correctly. Now we moved it behind a VDOM in a 500E and I have this error only for specific destination.
Thank you for your help.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hello. I found a workaround for this problem. I created a DoS Policy for my nagios server for allowing ICMP traffic with higher limit... I am not sure that is the best solution but it seems working for me.
Hi @fl0at0xff would you please be able to share more detail with this DoS policy which you have implemented like configuration.
I am experiencing ICMP loss for my monitoring system to fortigate firewall so just want to figure out if this is ISP issue or fortigate ICMP rate limit coming into picture.
TIA,
Nilesh Kahar.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1734 | |
1107 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.