"icmp-type 5 icmp-code 1 message_info ICMP packet out of state"

[Yardyy]

The problem that we are facing is that, we have moved a listserver from the internal network to the external net, this has a valid IP Address.
This is the server that I can ping from an external organisation, but we cannot from the internal network, which leads me to believe that it is our firewall that is at fault somewhere.

when we try to make a connection from the external server to the internal server, the connection is accepted, but the very next log says that the router is also sending data to the internal server, and that is being dropped, no rule number just a message int he info serction "icmp-type 5 icmp-code 1 message_info ICMP packet out of state" any one know why there is no rule number next to it.

when i try to ping the external server i get a "time out" message, on the logs it says from cisco to my computer dropped, in the info section there is this message again "icmp-type 5 icmp-code 1 message_info ICMP packet out of state"

Any help would be greatly appreciated.
Yardyy

 

[Piloria]

i and may others have had problems with NG FP2 using ping and traceroute through the firewall after the upgrade

 

[hicham]

Hi Yardyy,
The problem you are facing is a routing problem.
As in the CP guide:
"Enabling Accept ICMP does not enable ICMP Redirect. If you wish to enable ICMP Redirect, you must explicitly do so."

But there's a predefined ICMP service in FW-1 which
can be used to accept those packets,
You have to check why your FW-NG thinks it knows a better route than your host and then maybe you want to modify the routing table of your host to eliminate the need for your FW to send out ICMP packets.
Hicham Tfaily