Operating System - HP-UX

ICMP turned off on network. systems croaked.

 
Paul Sperry
Honored Contributor

ICMP turned off on network. systems croaked.

Greeting everyone

We got hit by the Blaster virus and in an attempt to cut down on network traffic the network guys turned off ICMP. All of my HP-UX 11.11 systems totally choked. I could not get to them from any other vlan other than the one they were on. Also NFS mounts hung even if on the same vlan. We have alpha servers "tru64 5.something" and they ran just fine. My question is, is ICMP required for HP-UX networking? And if not, what would I need to configure in its absence? Just in case this happens again.

TIA
and points to all
Jeff Schussele
Honored Contributor
Solution

Re: ICMP turned off on network. systems croaked.

Hi Paul,

Yes it is in its default config.
It uses pings (ICMP based of course) to detect dead gateways & since ICMP is disabled, the systems think they have no gateways - hence no traffic beyond their subnets. Choke...choke..hack..hack...uuuggghhh.

The dead-gateway detection is configured in /etc/rc.config.d/nddconf, I believe. Turn it off & it should keep on aroutin.

Cheers,
Jeff
PERSEVERANCE -- Remember, whatever does not kill you only makes you stronger!
Brian Bergstrand
Honored Contributor

Re: ICMP turned off on network. systems croaked.

Turning off all ICMP is just using a hammer to solve a problem that requires a bit more finesse.

TCP/IP expects certain ICMP messages to be available. In particular, ICMP echo (Ping), source-quench, dest. unreachable and ttl-exceeded should always be enabled for proper network operation. For your internal net you may want to enable others such as traceroute and/or router adv..

See http://www.iana.org/assignments/icmp-parameters for a description of ICMP ports.

See these for ICMP firewall guidelines.

http://www.faqs.org/faqs/computer-security/most-common-qs/section-18.html

http://www.cctec.com/maillists/nanog/historical/9804/msg00391.html

HTH.
Steven E. Protter
Exalted Contributor

Re: ICMP turned off on network. systems croaked.

Did the network guys warn you or just turn off icmp?

Lots of things can be broken by a shoot from the hip approach to virus control. Better preparation and virus protection would have negated the need for such measures.

I recommend a few other wellness checks just to make sure all is well.

If your server has a DNS server, make sure that remote clients can still resolve DNS requests in this environment.

I imagine traceroute is dead too, but you should check it.

If your server has an httpd server, you will need to try and connect to it from outside your subnet and make sure it can tolerate the environment. I kept trying to turn off icmp on my firewalls for my web hosting business, and ultimately gave up, because DNS and httpd (it was probably dns) would not function under those conditions. I'm still working on a way to make it happen. You should not need to ping the server to do dns and httpd pages.

As Jeff noted, most everything else should be okay once ndd is reconfigured to work without icmp.

The following thread MAY provide you a procedure to implement Jeff's change.

http://search.hp.com/redirect.html?url=http%3A//forums.itrc.hp.com/cm/QuestionAnswer/1,,0x378984534efbd5118ff40090279cd0f9,00.html&qt=ndd+%2Bicmp+%2Boff&hit=7

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Giri Sekar.
Trusted Contributor

Re: ICMP turned off on network. systems croaked.

Hi:

Do these steps..


1. netstat -rn (pick up your gateway from the default column)

2. route delete default <gateway_ip>

3. netstat -rn (you should not see the gateway now)

4. ndd -set /dev/ip ip_ire_gw_probe 0

(this will make sure that your host will not ping the router, which it will do otherwise every 5 minutes)

Now set the default gateway back as hop 1

5. route add default <gateway_ip> 1
(note the 1)

6. netstat -rn (you should be able to see the gateway again)

Now you should be able to reach the network.
To make these changes permanent edit the /etc/rc.config.d/nddconf file and replace the last three lines with the above parameters.

Thanks

Giri Sekar.
"USL" Unix as Second Language
Ron Kinner
Honored Contributor

Re: ICMP turned off on network. systems croaked.

See my post on the subject at:

http://forums.itrc.hp.com/cm/QuestionAnswer/1,,0xc707dcbb82f5e14587a82ba5987e67d9,00.html

Source quench is a dinosaur so don't worry about it. Unless you have patched your system to fix the source quench bug just turn it off in ndd.

Ron
Massimo Bianchi
Honored Contributor

Re: ICMP turned off on network. systems croaked.

hi,
check answers in this thread, exact same problem:

http://forums.itrc.hp.com/cm/QuestionAnswer/1,,0xdb8170647922904583e3df5373c394e4,00.html


Massimo
Paul Sperry
Honored Contributor

Re: ICMP turned off on network. systems croaked.

Thanks for all the great replies.

I didn't find out there was a problem until an end user tried to access one of the systems. Fortunately the virus is gone and ICMP is back on. Also the systems were for development and training. However we are getting ready to move our production server from tru64 to hp-ux and as you all know production servers can never be down. Had we already made the switch I'd been scrambling. Now I at least know how to handle the situation and could reconfigure before the network changes take place.

Thanks again
Steven E. Protter
Exalted Contributor

Re: ICMP turned off on network. systems croaked.

No need to point this.

In summary, I think making this setup permanent is a good idea:

ndd -set /dev/ip ip_ire_gw_probe 0

Using ping to keep gateways alive is not a good idea.

I don't know how it happened, and am looking into it, but my 11.11 systems all came out with ip_ire_gw_probe 0.

I took no explicit action to do this.

I think it may have been Bastille, or some other patch. A search of the patch database yielded nothing.

SEP

Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Steven E. Protter
Exalted Contributor

Re: ICMP turned off on network. systems croaked.

I have further reason to suspect Bastille in this case.

I just checked my educational D320 at home.

It has that feature set on.

Every relevant patch on my 11.11 systems at work is on that system. I've not been able to run Bastille in a satisfactory way and backed out the changes.

Again, just more info, no points necessary. I should have thought of this before my last post. Doh!

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Paul Sperry
Honored Contributor

Re: ICMP turned off on network. systems croaked.

All of my 11.11 had ip_ire_gw_probe set to 1.

I went ahead and changed them all to 0 and made it permanent in the nddconf file. I don't see why you want to continually probe the gateway either.

Sorry SEP you're getting points.
W.C. Epperson
Trusted Contributor

Re: ICMP turned off on network. systems croaked.

Also look at the ip_pmtu_strategy settings--we've seen route flapping with ip_pmtu_strategy=1 when ICMP gets turned off, resulting in packets getting sent incorrectly to the default route, which often has ingress filters and regards the packets as spoofed when it tries to loop them back out, and drops them. If the server is "Internet facing", ip_pmtu_strategy=2 is ok, if not, you probably don't need pmtu and can set it to 0.
"I have great faith in fools; self-confidence, my friends call it." --Poe
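
An added example, not part of any post above: a POSIX shell check for the two ICMP-dependent tunables raised in this thread (ip_ire_gw_probe in the posts by Giri Sekar and Steven E. Protter, ip_pmtu_strategy in the post by W.C. Epperson), run against the indexed TRANSPORT_NAME/NDD_NAME/NDD_VALUE entries used in /etc/rc.config.d/nddconf. The sample files are constructed, the function names are hypothetical, and treating an unset ip_ire_gw_probe as enabled is an assumption based on the defaults reported in the thread.

```shell
#!/bin/sh
# Added example: audit nddconf-style entries for ICMP-dependent tunables.

# Print the NDD_VALUE that shares an index with TRANSPORT_NAME/NDD_NAME.
# Prints nothing when the tunable is not set in the file.
nddconf_value() {  # usage: nddconf_value FILE TRANSPORT NAME
    awk -v want_t="$2" -v want_n="$3" '
        /^[ \t]*#/ || !/\]=/ { next }      # skip comments and non-entries
        {
            gsub(/^[ \t]+|[ \t]+$/, "")
            i = index($0, "["); j = index($0, "]"); k = index($0, "=")
            key = substr($0, 1, i - 1)
            idx = substr($0, i + 1, j - i - 1)
            val = substr($0, k + 1); gsub(/"/, "", val)
            if (key == "TRANSPORT_NAME") t[idx] = val
            else if (key == "NDD_NAME")  n[idx] = val
            else if (key == "NDD_VALUE") v[idx] = val
        }
        END { for (x in n) if (t[x] == want_t && n[x] == want_n) print v[x] }
    ' "$1"
}

# Return 0 when neither setting depends on ICMP reaching the host.
audit_nddconf() {  # usage: audit_nddconf FILE
    findings=0
    gw=$(nddconf_value "$1" ip ip_ire_gw_probe)
    pmtu=$(nddconf_value "$1" ip ip_pmtu_strategy)
    # Assumption: an unset ip_ire_gw_probe means probing is on (value 1).
    if [ "$gw" != "0" ]; then
        echo "FINDING ip_ire_gw_probe=${gw:-unset}: gateway probing needs ICMP echo"
        findings=$((findings + 1))
    fi
    if [ "$pmtu" = "1" ]; then
        echo "FINDING ip_pmtu_strategy=1: route flapping reported when ICMP is off"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
}

# Constructed sample files (not from a real host).
SAMPLE_BEFORE=$(mktemp); SAMPLE_AFTER=$(mktemp)
trap 'rm -f "$SAMPLE_BEFORE" "$SAMPLE_AFTER"' EXIT
printf '%s\n' '# constructed' 'TRANSPORT_NAME[0]=ip' \
    'NDD_NAME[0]=ip_pmtu_strategy' 'NDD_VALUE[0]=1' > "$SAMPLE_BEFORE"
printf '%s\n' 'TRANSPORT_NAME[0]=ip' 'NDD_NAME[0]=ip_ire_gw_probe' \
    'NDD_VALUE[0]=0' 'TRANSPORT_NAME[1]=ip' 'NDD_NAME[1]=ip_pmtu_strategy' \
    'NDD_VALUE[1]=0' > "$SAMPLE_AFTER"

audit_nddconf "$SAMPLE_BEFORE" || echo "before: review prior to ICMP filtering"
audit_nddconf "$SAMPLE_AFTER" && echo "after: no ICMP-dependent settings"
```

On a real host, pass /etc/rc.config.d/nddconf as the file argument and compare the result with the live values reported by ndd.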