How to avoid ICMP "Destination Protocol Unreachable" with ERSPAN to Windows 10

Greetings,
I'm attempting to run an ERSPAN capture from a Cisco 3850 (origin IP on subnet "A") to a Windows 10 workstation (running WS 3.2.5 on subnet "B", separate 3850 switch) through a Cisco NX7004 core. Packets are received properly from the origin switch when the tunnel is first established, but each is answered by the workstation with an ICMP Destination Protocol Unreachable (ICMP type 3, code 2). After about 7 seconds of this, the core switch* stops forwarding / routing the tunnel. Use of the "protocol 0x2f" capture filter has no effect, as the ICMP packets appear to be originating from either the OS or the NIC driver.
Any thoughts on how one might disable the ICMP response?

*Presumably the core. Running the ERSPAN where the source and destination devices are connected to the same switch does not result in a blocked stream (the ICMP packets are still present, just not acted upon).

LoupQui
asked 2020-08-03 15:12:16 +0000
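A small decoder for the symptom described above, added here as an example and not part of the question or any reply: it takes a raw IPv4 packet, checks whether it is an ICMP Destination Unreachable, and reports whether the quoted inner packet was GRE (IP protocol 47, the encapsulation ERSPAN uses), which is what a host with no GRE handler sends back with code 2. The addresses, the GRE sequence number and the ERSPAN Type II protocol type 0x88BE in the constructed sample are assumptions; the page does not state them.

```python
import socket
import struct

GRE = 47  # IP protocol number of GRE, the encapsulation ERSPAN rides on

def ipv4(src, dst, proto, payload):
    """Minimal IPv4 header (no options, checksum left 0) + payload; constructed sample data."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload

def parse_icmp_unreachable(pkt):
    """Decode an IPv4/ICMP Destination Unreachable (type 3) and report what was rejected.
    Returns None for anything else; otherwise the code, the quoted inner packet's
    addresses and protocol, its GRE protocol type (if GRE) and a verdict."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 1:                      # outer IP protocol 1 == ICMP
        return None
    icmp = pkt[ihl:]
    if icmp[0] != 3:                     # not Destination Unreachable
        return None
    code = icmp[1]
    inner = icmp[8:]                     # RFC 792: original IP header + first 8 payload bytes
    inner_ihl = (inner[0] & 0x0F) * 4
    info = {"code": code, "inner_proto": inner[9], "gre_proto": None,
            "inner_src": socket.inet_ntoa(inner[12:16]),
            "inner_dst": socket.inet_ntoa(inner[16:20])}
    if info["inner_proto"] == GRE:
        # GRE header: 2 bytes of flags/version, then the encapsulated protocol type
        info["gre_proto"] = struct.unpack("!H", inner[inner_ihl + 2:inner_ihl + 4])[0]
        info["verdict"] = "gre-rejected-by-host" if code == 2 else "other-unreachable"
    else:
        info["verdict"] = "protocol-unreachable" if code == 2 else "other-unreachable"
    return info

def sample_exchange():
    """Constructed sample: one ERSPAN frame from the source switch and the host's reply.
    Addresses, sequence number and the ERSPAN Type II type 0x88BE are assumptions."""
    gre = struct.pack("!HHI", 0x1000, 0x88BE, 1)           # S bit set, ERSPAN II, seq 1
    tunnel = ipv4("10.1.1.10", "10.2.2.20", GRE, gre + b"\x00" * 8)
    icmp = struct.pack("!BBHI", 3, 2, 0, 0) + tunnel[:28]  # type 3 code 2, quotes hdr + 8 bytes
    reply = ipv4("10.2.2.20", "10.1.1.10", 1, icmp)
    return tunnel, reply

if __name__ == "__main__":
    tunnel, reply = sample_exchange()
    print(parse_icmp_unreachable(reply))
```

Fed the ICMP replies from a real capture, the "gre-rejected-by-host" verdict confirms the workstation's IP stack is refusing the tunnel itself, as opposed to a firewall drop, which would produce no reply at all.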

Comments

Are you de-encapsulating the packets on the subnet "B" switch or sending to the PC IP address?
ERSPAN – My New Favorite Packet Capturing Trick

Chuckc (2020-08-03 15:43:31 +0000)

Sending to the destination PC IP as per the link you reference.

LoupQui (2020-08-03 15:45:40 +0000)

Is there a rule in Windows firewall to allow the GRE packets in?

Chuckc (2020-08-03 16:12:05 +0000)

All firewalls are completely disabled, yet the behavior persists.
Thank you all for the assistance. I'm chalking this one up to "Sorry, not with Windows you don't!"

LoupQui (2020-08-03 20:17:38 +0000)

1 Answer

Have you unbound all protocols from the workstation NIC to make it passive?

See a blog post from @Jasper here.

grahamb
answered 2020-08-03 15:20:07 +0000, updated 2020-08-05 14:09:20 +0000

Comments

All protocols except for the npcap driver and IPv4 are disabled / unbound. I presume this interface must have an IP in order to receive the ERSPAN tunnel.
Reading through that post now...

LoupQui (2020-08-03 15:39:17 +0000)

Getting outside my knowledge boundaries here, but are you terminating the ERSPAN tunnel on the PC or the core switch? Another blog post here describes sending the ERSPAN traffic directly to the PC where Wireshark can unwrap it. I have no idea if you need IPv4 bound in this case.

Worst case you can empirically test unbinding the IPv4 entry and see what happens.

grahamb (2020-08-03 15:48:04 +0000)

Thank you for the suggestion. Unbinding was worth a go, but didn't work.
Big thanks for the @Jasper post(s)! That should be required reading for all packet enthusiasts :-).

LoupQui (2020-08-03 20:16:19 +0000)

You're welcome! This is a curious issue, unbinding everything except the npcap binding should mute the NIC completely. I've never seen one still reacting to anything if I did that...

Jasper (2020-08-05 13:43:55 +0000)

A bit late to the party, but I think @LoupQui meant that unbinding IP from the interface broke the ERSPAN reception, as there was no IP anymore to send it to.

I'm currently deploying a setup like this at a customer and was looking for a way to silence the ICMP protocol unreachable messages too :-)

SYN-bit (2023-05-01 07:25:58 +0000)
