Overview
This article shares the process of resolving the following error that shows in the debug logs when the 'Packets dropped for some reason' option is enabled under Filtering:
[14/Oct/2019 15:27:24] {pktdrop} packet dropped: Incorrect ICMP echo reply direction (from LAN, proto:ICMP, len:92, 192.168.0.4 -> 10.8.0.10, type:0 code:0 id:1 seq:117 ttl:128)
The debug logs may also show the following error:
[14/Oct/2019 15:25:24] {pktdrop} packet dropped: false ICMP redirect (to LAN, proto:ICMP, len:92, 10.0.17.92 -> 10.8.0.10, type:5 code:1 (redirect=10.0.0.253 orig: 10.0.17.92 -> 10.0.0.253))
Root Cause
In other words, the rule that should have diverted the packets was never exercised. For more detailed information, run these commands from Kerio Control SSH console:
/sbin/ip rule
/sbin/ip route list table all
Preconditions
Secure Shell (SSH) access to Kerio Control
Process
Follow these steps to resolve this issue:
- Log in to Kerio Control using Secure Shell (SSH).
- Navigate to the
/opt/kerio/winroute
folder using this command:cd /opt/kerio/winroute
- Execute the following commands:
./tinydbclient "update Firewall set RequireIcmpFlowControl=0"
/etc/boxinit.d/60winroute restart
Note: The last command will restart the Kerio Control engine.
Confirmation
ICMP Flow direction parameter is successfully disabled in the configuration settings.