02-24-2024, 05:41 AM
I built this in GNS3. The ACL only prohibits TCP 179 and I was still getting this debug
ICMP: dst (10.255.255.1) administratively prohibited unreachable rcv from 10.0.12.2
I used Wireshark and realized that I was getting a notification via ICMP that the TCP attempt was prohibited by R2. In short, the ACL blocks TCP 179, P2 uses ICMP to notify PE1 of the prohibited TCP 179 traffic. Thus the ICMP Unreachable.
https://drive.google.com/file/d/1JdEY_gy...sp=sharing
PE1#
PE1#debug ip tcp trans
TCP special event debugging is on
PE1#debug ip icmp
ICMP packet debugging is on
PE1#clear ip bgp *
PE1#
PE1#
PE1#
*Feb 24 05:28:02.013: %BGP-3-NOTIFICATION_MANY: sent to 1 sessions 6/4 (Administrative Reset) for all peers
PE1#
*Feb 24 05:28:07.362: TCBF7660230 created
*Feb 24 05:28:07.362: TCBF7660230 setting property TCP_VRFTABLEID (20) F7656CC4
*Feb 24 05:28:07.362: TCBF7660230 setting property TCP_MD5KEY (4) 0
*Feb 24 05:28:07.362: TCBF7660230 setting property TCP_ACK_RATE (37) F784127C
*Feb 24 05:28:07.362: TCBF7660230 setting property TCP_TOS (11) F7841290
*Feb 24 05:28:07.362: TCBF7660230 setting property TCP_PMTU (45) F7841248
*Feb 24 05:28:07.362: TCBF7660230 setting property TCP_RTRANSTMO (36) F7841278
*Feb 24 05:28:07.362: tcp_uniqueport: using ephemeral max 65535
*Feb 24 05:28:07.362: TCP: Random local port generated 49575, network 1
*Feb 24 05:28:07.362: TCBF7660230 bound to 10.255.255.1.49575
*Feb 24 05:28:07.362: Reserved port 49575 in Transport Port Agent for TCP IP type 1
*Feb 24 05:28:07.362: TCBF7660230 getting property TCP_STRICT_ADDR_BIND (19)
*Feb 24 05:28:07.362: TCP: pmtu enabled,mss is now set to 1460
*Feb 24 05:28:07.362: TCP: sending SYN, seq 1784972807, ack 0
*Feb 24 05:28:07.362: TCP0: Connection to 10.255.255.3:179, advertising MSS 1460
*Feb 24 05:28:07.362: TCP0: state was CLOSED -> SYNSENT [49575 -> 10.255.255.3(179)]
*Feb 24 05:28:07.364: ICMP: dst (10.255.255.1) administratively prohibited unreachable rcv from 10.0.12.2
PE1#
*Feb 24 05:28:07.364: TCP0: ICMP destination unreachable received
*Feb 24 05:28:07.364: Released port 49575 in Transport Port Agent for TCP IP type 1 delay 240000
*Feb 24 05:28:07.364: TCP0: state was SYNSENT -> CLOSED [49575 -> 10.255.255.3(179)]
*Feb 24 05:28:07.364: TCB 0xF7660230 destroyed
PE1#und all
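An added example (not from the post): how a receiver decodes an ICMP Destination Unreachable, code 13 (administratively prohibited) like the one PE1 logged, matches the quoted inner IP/TCP header to its SYN_SENT TCB, and, as the check a defender wants before acting on such a hard error, verifies that the quoted sequence number is the ISS it actually sent. The sample bytes and PE1_TCB are constructed from the addresses and ports in the debug above, not captured.

```python
import ipaddress
import struct

# ICMP Destination Unreachable, code 13 "communication administratively
# prohibited": what an ACL deny on a transit router produces.
ICMP_DEST_UNREACH = 3
ICMP_ADMIN_PROHIBITED = 13
IPPROTO_TCP = 6

def parse_unreachable(icmp: bytes):
    """Return the quoted original TCP 4-tuple and sequence number, or None if
    this is not an admin-prohibited unreachable quoting a TCP segment."""
    if len(icmp) < 8 + 20 + 8 or icmp[0] != ICMP_DEST_UNREACH or icmp[1] != ICMP_ADMIN_PROHIBITED:
        return None
    inner = icmp[8:]                      # quoted IP header + first 8 bytes of the datagram
    ihl = (inner[0] & 0x0F) * 4
    if inner[9] != IPPROTO_TCP or len(inner) < ihl + 8:
        return None
    src = str(ipaddress.IPv4Address(inner[12:16]))
    dst = str(ipaddress.IPv4Address(inner[16:20]))
    sport, dport, seq = struct.unpack("!HHI", inner[ihl:ihl + 8])
    return {"src": src, "sport": sport, "dst": dst, "dport": dport, "seq": seq}

def should_abort(tcb: dict, icmp: bytes) -> bool:
    """Decide whether a SYN_SENT connection is torn down: the quoted 4-tuple must
    match the TCB and the quoted sequence number must equal the ISS we sent
    (RFC 5927 style validation, so a forged ICMP error cannot reset the attempt)."""
    q = parse_unreachable(icmp)
    if q is None or tcb["state"] != "SYNSENT":
        return False
    return (q["src"], q["sport"], q["dst"], q["dport"]) == (
        tcb["local"], tcb["lport"], tcb["remote"], tcb["rport"]) and q["seq"] == tcb["iss"]

def sample_icmp(seq: int = 1784972807) -> bytes:
    """Constructed ICMP error quoting PE1's SYN from the debug (not a real capture)."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 44, 0, 0x4000, 255, IPPROTO_TCP, 0,
                         ipaddress.IPv4Address("10.255.255.1").packed,
                         ipaddress.IPv4Address("10.255.255.3").packed)
    tcp_first8 = struct.pack("!HHI", 49575, 179, seq)   # src port, dst port 179 (BGP), seq
    return struct.pack("!BBHI", ICMP_DEST_UNREACH, ICMP_ADMIN_PROHIBITED, 0, 0) + ip_hdr + tcp_first8

# Constructed TCB state for PE1's attempt, mirroring the debug lines above.
PE1_TCB = {"state": "SYNSENT", "local": "10.255.255.1", "lport": 49575,
           "remote": "10.255.255.3", "rport": 179, "iss": 1784972807}
```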