To disable this function, run the following command:
undo firewall permit send icmp-errorreply
In this network, traffic from the gas station's VLAN 30 reaches the SRG20-20 through the IPSec VPN and is NATed on the SRG20-20 before being forwarded to the Internet.
As a result, these packets both enter and leave the SRG20-20 through the same extranet interface.
The SRG20-20 audits the ingress and egress interfaces of each received packet. If they are the same, the SRG20-20 assumes that the packet is following a redundant route and sends an icmp-errorreply message to the source host, instructing it to modify its routing entry.
By default, this function is enabled and is hidden from the configuration.
The default therefore conflicts with the network design and its requirements: the SRG20-20 continually sends icmp-errorreply packets to the source host, exhausting device resources. As the icmp-errorreply packets accumulate, the IPSec VPN tunnel can no longer be maintained for lack of resources, and a large number of VPNs become disconnected.
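The following is an added model of the audit rule described above, written for this case and not taken from the device's firmware or documentation; interface names, source addresses and the packet count are constructed. It shows that on this VPN-plus-NAT path every packet satisfies the ingress-equals-egress condition, so the reply volume scales one-to-one with traffic until the function is disabled, and it reports the per-source reply counts a defender could threshold on.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass
class Packet:
    src: str       # inner source host (gas-station VLAN 30), constructed
    ingress: str   # interface the packet was received on
    egress: str    # interface chosen by route lookup after decapsulation and NAT


def audit_ingress_egress(pkt: Packet, send_icmp_errorreply: bool = True) -> bool:
    """Return True if the device would emit an icmp-errorreply to pkt.src.

    Models the rule in the case: with the function enabled, a packet whose
    receiving interface equals its forwarding interface is treated as
    following a redundant route and the source host is told to fix its route.
    """
    if not send_icmp_errorreply:
        return False          # 'undo firewall permit send icmp-errorreply'
    return pkt.ingress == pkt.egress


def forward_vpn_traffic(pkt_count: int, send_icmp_errorreply: bool = True) -> Counter:
    """Simulate VLAN 30 traffic that arrives over the IPSec tunnel on the
    extranet interface and, after NAT, leaves to the Internet through that
    same interface. Returns icmp-errorreply counts per source host."""
    replies: Counter = Counter()
    for i in range(pkt_count):
        # Constructed hosts; both interfaces are 'extranet' by topology.
        pkt = Packet(src=f"10.30.0.{i % 50 + 1}", ingress="extranet", egress="extranet")
        if audit_ingress_egress(pkt, send_icmp_errorreply):
            replies[pkt.src] += 1
    return replies


def flooded_sources(replies: Counter, threshold: int) -> list:
    """Hosts that received at least `threshold` replies; a simple indicator
    that the audit function is firing on legitimate traffic."""
    return sorted(src for src, n in replies.items() if n >= threshold)


if __name__ == "__main__":
    enabled = forward_vpn_traffic(1000)
    print("replies with function enabled:", sum(enabled.values()))
    print("sources over threshold:", len(flooded_sources(enabled, 10)))
    print("replies after undo:", sum(forward_vpn_traffic(1000, False).values()))
```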
Note: By default, many functions are enabled but hidden from the configuration. It is recommended that functions enabled by default be displayed in the configuration and that functions disabled by default not be displayed.