Attack Protection Discards ICMP Packets on the Eudemon 500

Publication Date: 2013-08-26
Issue Description
The Eudemon 500 and the S8505 deliver the voice service, and the simplified networking topology is as follows:
E500(GE 1/0/0)------------S8505(GE 2/0/0)
A client connected to the Eudemon 500 claims that the quality of the voice service is bad. 
Alarm Information
N/A
Handling Process
1. Use another client PC and test the quality of the voice service. The symptom still exists.
2. Check the Layer 2 link. No problem is found.
3. Ping the Eudemon 500 from the client PC. Packet loss does not occur. Ping the server (S8505) from the Eudemon 500 by using the IP address of the client PC. Packet loss occurs.
4. Ping the IP address of the directly connected interface on the S8505 from the Eudemon 500. Packet loss occurs. Check the interfaces of the Eudemon 500 and the S8505. The interfaces run normally. Capture mirrored packets on the S8505. No packet arrives at the S8505.
5. Change the optical modules and optical fibers. The symptom still exists. Use a switch to connect the Eudemon 500 with the S8505 and capture packets on the switch. The result shows that the Eudemon 500 does not send packets. Check the configurations of the Eudemon 500. The firewall is enabled with attack protection by default. Run the undo firewall defend all en command on the firewall and then test the voice service. Packet loss does not occur.
6. Run the firewall defend icmp-flood en command to enable the ICMP flood attack protection function, and then test the voice service. Packet loss occurs again. View the system information to locate the cause. After this function is enabled, when 1000 packets are sent to the IP address of the directly connected interface at the peer end by using the ping command, the firewall regularly discards packets because it regards them as an ICMP attack. Related information is as follows:
Eudemon500_A SEC/5/ATCKDF:AttckType:ICMP flood attack; Receive Interface: InLoopBack0 ; from 172.16.162.242 ; to 172.16.162.241 ; begin time :2013/8/2 17:12:46; end time: 2013/8/2 17:13:12; total packets: 4;
Disable this function. Packet loss stops.
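
The following is an added example, not part of the original case or of any Huawei tool: it parses SEC/5/ATCKDF records in the layout quoted above and separates ICMP flood detections caused by a planned ping test from those that still need investigation. The test_endpoints set and the second sample record are assumptions constructed for illustration.

```python
import re
from datetime import datetime

# Field layout follows the SEC/5/ATCKDF record quoted on this page.
ATCKDF = re.compile(
    r"(?P<host>\S+)\s+SEC/5/ATCKDF:AttckType:(?P<attack>[^;]+);\s*"
    r"Receive Interface:\s*(?P<iface>\S+)\s*;\s*from\s+(?P<src>\S+)\s*;\s*"
    r"to\s+(?P<dst>\S+)\s*;\s*begin time\s*:\s*(?P<begin>[^;]+);\s*"
    r"end time\s*:\s*(?P<end>[^;]+);\s*total packets\s*:\s*(?P<count>\d+)\s*;"
)
TIME_FMT = "%Y/%m/%d %H:%M:%S"

def parse_atckdf(line):
    """Return the fields of one ATCKDF record, or None if the line does not match."""
    m = ATCKDF.search(line)
    if m is None:
        return None
    rec = {k: v.strip() for k, v in m.groupdict().items()}
    span = datetime.strptime(rec["end"], TIME_FMT) - datetime.strptime(rec["begin"], TIME_FMT)
    rec["seconds"] = int(span.total_seconds())
    rec["count"] = int(rec["count"])
    return rec

def triage(lines, test_endpoints):
    """Split ICMP flood records into planned-ping side effects and the rest.

    test_endpoints: addresses the operator used in a planned ping test
    (hypothetical input to this example, not a device feature).
    """
    expected, investigate = [], []
    for line in lines:
        rec = parse_atckdf(line)
        if rec is None or "icmp flood" not in rec["attack"].lower():
            continue
        planned = rec["src"] in test_endpoints and rec["dst"] in test_endpoints
        (expected if planned else investigate).append(rec)
    return expected, investigate

# Constructed input: line 1 is the record from this page, line 2 is made up.
SAMPLE = [
    "Eudemon500_A SEC/5/ATCKDF:AttckType:ICMP flood attack; Receive Interface: InLoopBack0 ; from 172.16.162.242 ; to 172.16.162.241 ; begin time :2013/8/2 17:12:46; end time: 2013/8/2 17:13:12; total packets: 4;",
    "Eudemon500_A SEC/5/ATCKDF:AttckType:ICMP flood attack; Receive Interface: GigabitEthernet1/0/0 ; from 198.51.100.7 ; to 172.16.162.241 ; begin time :2013/8/2 18:01:03; end time: 2013/8/2 18:03:40; total packets: 5120;",
]

if __name__ == "__main__":
    expected, investigate = triage(SAMPLE, {"172.16.162.241", "172.16.162.242"})
    for label, recs in (("planned ping test", expected), ("investigate", investigate)):
        for r in recs:
            print(label, r["src"], "->", r["dst"], r["iface"], r["count"], "pkts", r["seconds"], "s")
```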
 
Root Cause
1. Client PC problem.
2. Layer 2 link problem.
3. Protocol or interface problem on the S8505.
4. Firewall problem. 
Suggestions
By default, attack protection, including ICMP flood attack protection, is enabled on the Eudemon 500. When a large number of packets are sent by using the ping command, some of them are regarded as an ICMP flood and discarded. It is recommended that you disable ICMP flood attack protection before performing a ping test that uses a large number of packets.
