Ping: Destination Port Unreachable
3 PC's connected to Internet thru Linksys Cable Router/Switch. Static LAN IP's. (Some port forwarding being run) Used to be able to run a small application that ftp'ed out to a host server & transferred image data. Suddenly, one day, it stopped. The application tells me "Network Disconnected," which doesn't tell me much, only that that's what the programmer decided to use as an error message for God knows what problem. I open a dos prompt and ping the server, and get four tidy replies from the translated IP ending with "Destination Port Unreachable." -Same result from any of my local machines. One must have a 'user account' at this particular server/service, and I do have one. I can log in from their web front-end and manage my account. I even created a brand new account & tried the new account with the applet -same problem. I believe it's network. I have spoken with other users of the service and they are able to ping the server, and their transfer application works fine.
I am prepared to e-mail them for support, but, like I said, I believe it's a networking issue. I looked up my error, and you folks came up as a search result. I like what I see here. I wonder if I started suffering from an MTU issue. -But why, all of a sudden? I know for a fact that the server handles the image data transfers on ports 8570 & 8571, as opposed to the typical 20/21. But my system always handled it, and nothing has changed in my config. I also wondered if my 3-com sharkfin Cable modem could be the culprit.
If anyone has anything to offer, I appreciate it. I am going to e-mail them tonight, and if I hear a solution, I'll post it here.
PS, I can't determine if this is an easy or hard question. It's hard as hell for me, but for one of y'all, it may be quite simple. I'm choosing 50 because I'm new and only have 75 points.
JW
I am prepared to e-mail them for support, but, like I said, I believe it's a networking issue. I looked up my error, and you folks came up as a search result. I like what I see here. I wonder if I started suffering from an MTU issue. -But why, all of a sudden? I know for a fact that the server handles the image data transfers on ports 8570 & 8571, as opposed to the typical 20/21. But my system always handled it, and nothing has changed in my config. I also wondered if my 3-com sharkfin Cable modem could be the culprit.
If anyone has anything to offer, I appreciate it. I am going to e-mail them tonight, and if I hear a solution, I'll post it here.
PS, I can't determine if this is an easy or hard question. It's hard as hell for me, but for one of y'all, it may be quite simple. I'm choosing 50 because I'm new and only have 75 points.
JW
ASKER
Firmware is 1.44.2. I went through everything on the router. Stripped it down completely. Still no go. So I disconnected everything and hooked the Cable modem up directly to a box on my LAN, set the TCP stack on that box to get an IP from DHCP (modem). Booted everything up, and the program works. Thinking maybe I was given a new IP and that was the problem, I reconnected everything back through the router. Booted back up, no go. I think it's pretty clear the problem may not necessarily be a malfunction in the router, but, a change in the way the router routes traffic. I would enjoy getting my hands on the older firmware. grrr. I don't understand this port triggering. I'll read up on it. By the way, a tracert comes back at the 10th hop (which, incidentally, is the target server) with "Destination Protocol Unreachable" - a different animal altogether than Dest. PORT Unreachable.
"ICMP port unreachable" messages here indicate something very fishy (or broken).
An "ICMP port unreachable" message should only be received if you are attempting to access an unavailable TCP or UDP service, not in response to an ICMP echo request (unless I missed the fine print in an RFC somewhere).
To me this would indicate a misconfigured security subsystem somewhere in the mix (likely on the server [or it's firewall] you are trying to contact) - can you confirm or deny that you have been explicitly blocked by the remote side?
Can you run a sniffer to determine exactly what host is sending you those ICMP port unreachable messages?
I take it you can ping everyone else (ie yahoo.com), just not the server in question?
Cheers,
-Jon
An "ICMP port unreachable" message should only be received if you are attempting to access an unavailable TCP or UDP service, not in response to an ICMP echo request (unless I missed the fine print in an RFC somewhere).
To me this would indicate a misconfigured security subsystem somewhere in the mix (likely on the server [or it's firewall] you are trying to contact) - can you confirm or deny that you have been explicitly blocked by the remote side?
Can you run a sniffer to determine exactly what host is sending you those ICMP port unreachable messages?
I take it you can ping everyone else (ie yahoo.com), just not the server in question?
Cheers,
-Jon
BTW, what OS's are present on each end (and any firewall OS's in between would be handy to know as well)?
Cheers,
-Jon
Cheers,
-Jon
ASKER
Whoa... Slow down! This technology crap gives me a... well, I like it... Yeah, I was thinking maybe at their (target server) firewall, they were somehow blocking ping or ICMP. -IF that's doable. I was getting a response back, though, so I guess not. I haven't run a sniffer yet, but, as I understood it, this app ftp's over ports 8570~8571. I was thinking (probably incorrectly, as I am nowhere near as skilled as you Cap), somehow that LinkSys router firmware upgrade miffed the translation process for ports, maybe taking those port 8570~71 packets coming out of the app and translating 'em back to 21. -Except for the whole Dest. Prt Unreach. on a simple ping to the server. Whichever the case, I went ahead & waited out the phone hold music on Linksys' support line last night, and they are sending me an older, known-to-work firmware version (v1.42.7). I'll kepp you posted.
Gents, I don't know if you've helped to the point of actually getting me back running again, so I don't know how to address this points thing, but I will say this, I absolutely do appreciate the time you've given my issue.
JW
Gents, I don't know if you've helped to the point of actually getting me back running again, so I don't know how to address this points thing, but I will say this, I absolutely do appreciate the time you've given my issue.
JW
ASKER
Oh, and BTW, W2K Pro on the client, I have no idea what the server OS is. And FYI lrmoore (1st responder), Linksys tech support walked me thru a myriad of fix attempts including port triggering.
At least you got ahold of them. I've tried emailing support@linksys.com several times and not ONCE have I received a reply.
Cheers!
Cheers!
ASKER
Dangit. Sorry, Jon. About perhaps being explicitly blocked, I cannot confirm/deny that they have or have not blocked my IP, but there is no reason for them to have, and, I don't think they exercise that much granularity in their user administration. It's a pretty anonymous, public site. Plus, like I said, I can administer my account from the web-based front end at their site.
ASKER
Yeah, lr, the 800 #'s in the contact page on their site
http://www.linksys.com/contact/contact.asp. They tout 24/7 support, and I got a tech in less than 20 minutes. The first tech promised an e-mail of the firmware, and after nothing in my inbox for an hour I had to call back and push the issue ;) I got it after about another hour. -Apparently they had to route the request to another department. I have not been able to apply the downgrade,' yet, tho. As soon as I do tonight, I'll test & let y'all know...
http://www.linksys.com/contact/contact.asp. They tout 24/7 support, and I got a tech in less than 20 minutes. The first tech promised an e-mail of the firmware, and after nothing in my inbox for an hour I had to call back and push the issue ;) I got it after about another hour. -Apparently they had to route the request to another department. I have not been able to apply the downgrade,' yet, tho. As soon as I do tonight, I'll test & let y'all know...
ASKER
Yeah, lr, the 800 #'s in the contact page on their site
http://www.linksys.com/contact/contact.asp. They tout 24/7 support, and I got a tech in less than 20 minutes. The first tech promised an e-mail of the firmware, and after nothing in my inbox for an hour I had to call back and push the issue ;) I got it after about another hour. -Apparently they had to route the request to another department. I have not been able to apply the downgrade,' yet, tho. As soon as I do tonight, I'll test & let y'all know...
http://www.linksys.com/contact/contact.asp. They tout 24/7 support, and I got a tech in less than 20 minutes. The first tech promised an e-mail of the firmware, and after nothing in my inbox for an hour I had to call back and push the issue ;) I got it after about another hour. -Apparently they had to route the request to another department. I have not been able to apply the downgrade,' yet, tho. As soon as I do tonight, I'll test & let y'all know...
All of the possibilities you asked about are possible (port translation, source address translation, blocking ICMP), but are likely not the problem as I don't think the linksys does anything like this by default, if it can do it at all.
OK, a little history
ICMP messages do not use ports like TCP connections do - there are simply a number of different message types (15 I think), and they are sent (or returned) based on certain behaviours of certain TCP/IP networking software.
When you ping, you are sending an ICMP messge type of "Echo request" (I forget what message number to which that corresponds), and the remote end (assuming it's not blocking your requests, or it's own replies) will send an ICMP message type of "Echo reply" (once again I forget the message ID). If the remote host is not responding, the remote host's local router might notice and send back an ICMP message of type "Host unreachable" (linux functioning as a router will do this).
When you attempt a TCP or UDP connection to a specific host, that remote host might respond with an ICMP message of type "Port unreachable", indicating that the remote hosts is not accepting connections on that port.
So you see why it is so strange to get the latter message type when attempting a simple ping - someone out there is sending you ICMP "port unreachable" messages, which should never be the response from an ICMP "echo request" message. I'm guessing this is an incorrect or overzealous attempt at blocking you, since you say it affects all local machines (which it certainly would do if you're using NAT on a single IP), and other users of the service do not encounter such problems. You probably got hacked or infested somehow at one point and the remote server decided to shut you down since you were probably unwittingly probing it from your network due to the infestation. I run a public server, and folks are invariably surprised when our IDS blocks them ("You mean I can't access your server because I tried to telnet to it? Why not?")
If you were using unix then we could figure this out in 5 seconds with hping and tcptraceroute - can you find either of those tools for w2k?
Cheers,
-Jon
P.S. If all other sites work fine for you, I'd stop wasting time fooling with the Linksys immediately.
OK, a little history
ICMP messages do not use ports like TCP connections do - there are simply a number of different message types (15 I think), and they are sent (or returned) based on certain behaviours of certain TCP/IP networking software.
When you ping, you are sending an ICMP messge type of "Echo request" (I forget what message number to which that corresponds), and the remote end (assuming it's not blocking your requests, or it's own replies) will send an ICMP message type of "Echo reply" (once again I forget the message ID). If the remote host is not responding, the remote host's local router might notice and send back an ICMP message of type "Host unreachable" (linux functioning as a router will do this).
When you attempt a TCP or UDP connection to a specific host, that remote host might respond with an ICMP message of type "Port unreachable", indicating that the remote hosts is not accepting connections on that port.
So you see why it is so strange to get the latter message type when attempting a simple ping - someone out there is sending you ICMP "port unreachable" messages, which should never be the response from an ICMP "echo request" message. I'm guessing this is an incorrect or overzealous attempt at blocking you, since you say it affects all local machines (which it certainly would do if you're using NAT on a single IP), and other users of the service do not encounter such problems. You probably got hacked or infested somehow at one point and the remote server decided to shut you down since you were probably unwittingly probing it from your network due to the infestation. I run a public server, and folks are invariably surprised when our IDS blocks them ("You mean I can't access your server because I tried to telnet to it? Why not?")
If you were using unix then we could figure this out in 5 seconds with hping and tcptraceroute - can you find either of those tools for w2k?
Cheers,
-Jon
P.S. If all other sites work fine for you, I'd stop wasting time fooling with the Linksys immediately.
OK, I might have been a bit hasty with my advice to give up on the linksys - not being completely familiar with all of its security settings, I cannot rule out that it has not blocked *all* of your internal machines, but it seems extremely unlikely, given that it affects *all* of your local machines, and only a single remote site.
Cheers,
-Jon
Cheers,
-Jon
ASKER
Grrrr. Thanks, Jon. I understand what you're saying here, believe it or not, with as much research I've done in the last week on this crap! I consider it highly unlikely that I've been blocked at the server, how would they know what IP I'm coming in on -I could be a dial-up or other DHCP/PPP Internet user -but I'll send them an e-mail to be sure. FYI, I just got off the phone, AGAIN, with Linksys support. They mentioned that, in the lab, after about two years of some good pounding on a similar model, they were able to make the thing behave in the same manner. After extensive research, they discovered that an individual board-level component within the router had failed. They could get to the internet, but certain forwarding functions were not operating correctly, causing specific types of access to fail. No firmware mod or update would fix the problem. If this is the case w/ my router, because it is out of warranty, I would have to replace it. So... I guess I'm off to pick up a similar model. I'll keep you posted.
Also FYI, I ran a sniffer on a connect attempt to the server in question, and to a known good connection. An inspection of packets from both attempts showed Destination Unreachable/Destination Port Unreachable messages from both connections/attempts, however the second, to a known working connection (in this case, the linksys ftp server) still worked, and I was able to access their public ftp site.
Ugh. Can I switch professions to say, a farmer?
I'll be in touch...
Jay
Also FYI, I ran a sniffer on a connect attempt to the server in question, and to a known good connection. An inspection of packets from both attempts showed Destination Unreachable/Destination Port Unreachable messages from both connections/attempts, however the second, to a known working connection (in this case, the linksys ftp server) still worked, and I was able to access their public ftp site.
Ugh. Can I switch professions to say, a farmer?
I'll be in touch...
Jay
It's very easy to be a bad farmer, but very hard to be a good one. (I'm just glad Mom and Dad stopped drinking the well water before they grew extra limbs).
Here is a page that lists the different ICMP message types (looks like there are 18 instead of 15 message types - oops)
http://www.liquifried.com/docs/useful/ICMPtypes.html
Can you confirm which subtype of message ID 3 you were receiving (type 1 [host unreachable] or type 3 [port unreachable])?
Alos, since you ran a sniffer, can you tell us what host was generating those messages (what was the source address of those messages)?
Cheers,
-Jon
Here is a page that lists the different ICMP message types (looks like there are 18 instead of 15 message types - oops)
http://www.liquifried.com/docs/useful/ICMPtypes.html
Can you confirm which subtype of message ID 3 you were receiving (type 1 [host unreachable] or type 3 [port unreachable])?
Alos, since you ran a sniffer, can you tell us what host was generating those messages (what was the source address of those messages)?
Cheers,
-Jon
ASKER
Hehehe, yes I can, Jon. It was my ROUTER! -And it was indeed message type 3 (Port). Believe me, I have spent WAY too much time on this, lately. I instantly grasped what you asked (eminem, I am not). SRC=192.168.1.1 DEST=192.168.1.52 blah blah blah... I saved the captured packets, if you want to check 'em out...
So yeah. I am getting ICMP Destination Unreachable/Port Unreachable back from my linksys. Which... Gee... I STILL don't know what that means! -Other than it probably ISN'T the target server I'm trying to connect to.
I'm going to leave no stone unturned before I go ahead & buy another one of these things. Tonight, I'm going to try various resets & timed (> 30 minute) hard power-downs of all the networking hardware -maybe even leave it all off overnight. I read a post somewhere that that fixed things for someone. I may try spoofing my computer's MAC at the router.
Da doot da dooo, gee this is fun...
Thanks for ... 'being around?' Haha
Jay
So yeah. I am getting ICMP Destination Unreachable/Port Unreachable back from my linksys. Which... Gee... I STILL don't know what that means! -Other than it probably ISN'T the target server I'm trying to connect to.
I'm going to leave no stone unturned before I go ahead & buy another one of these things. Tonight, I'm going to try various resets & timed (> 30 minute) hard power-downs of all the networking hardware -maybe even leave it all off overnight. I read a post somewhere that that fixed things for someone. I may try spoofing my computer's MAC at the router.
Da doot da dooo, gee this is fun...
Thanks for ... 'being around?' Haha
Jay
ASKER
Hehehe, yes I can, Jon. It was my ROUTER! -And it was indeed message type 3 (Port). Believe me, I have spent WAY too much time on this, lately. I instantly grasped what you asked (eminem, I am not). SRC=192.168.1.1 DEST=192.168.1.52 blah blah blah... I saved the captured packets, if you want to check 'em out...
So yeah. I am getting ICMP Destination Unreachable/Port Unreachable back from my linksys. Which... Gee... I STILL don't know what that means! -Other than it probably ISN'T the target server I'm trying to connect to.
I'm going to leave no stone unturned before I go ahead & buy another one of these things. Tonight, I'm going to try various resets & timed (> 30 minute) hard power-downs of all the networking hardware -maybe even leave it all off overnight. I read a post somewhere that that fixed things for someone. I may try spoofing my computer's MAC at the router.
Da doot da dooo, gee this is fun...
Thanks for ... 'being around?' Haha
Jay
So yeah. I am getting ICMP Destination Unreachable/Port Unreachable back from my linksys. Which... Gee... I STILL don't know what that means! -Other than it probably ISN'T the target server I'm trying to connect to.
I'm going to leave no stone unturned before I go ahead & buy another one of these things. Tonight, I'm going to try various resets & timed (> 30 minute) hard power-downs of all the networking hardware -maybe even leave it all off overnight. I read a post somewhere that that fixed things for someone. I may try spoofing my computer's MAC at the router.
Da doot da dooo, gee this is fun...
Thanks for ... 'being around?' Haha
Jay
ASKER
oops... I just realised... I left this page open in a minimized browser, and came back to it and refreshed to check if there was a response. There was a little blurb about needing to retry the page load (I clicked [ ok ] so fast I missed the details)... I guess that is what is re-posting my message - sorry! 'Won't do it again.
ASKER
OK Jon, and/or anybody else that has been following this thread:
I got it to work. Like I have said, I have been doing a TON of research on this. One of the pages/support threads I stumbled across mentioned a trick, that was actually suggested for an issue connecting through a Linksys to a particular cable provider. I found the info while I was at work and I don't recall the site now here at home. When I get to work tomorrow, I'll find it and post it here.
In a nutshell, all I did was clone one of my PCs' NIC/MAC address at the WAN side of the router. I did not know what to expect, doing this, but, after rebooting the router, then the modem, I did a 'status' on the router, and the MAC address reported on the LAN side of the router was now what the MAC address USED to be on the WAN side, and the WAN MAC was what I had input for the clone. I tested the application and it works. I tested some other Internet apps I run and they work. I haven't gone through everything, and, I could uncover other issues as a result of doing this, so, we'll see...
FYI, I noticed that the IP address the router got from the Modem is the same IP my PC got when I hooked it up DHCP directly to the modem. I expected this, in fact I was counting on it.
I sure would like to know why I had to do all this, when, it worked just fine in default configuration less than 2 months ago. Odd...
I got it to work. Like I have said, I have been doing a TON of research on this. One of the pages/support threads I stumbled across mentioned a trick, that was actually suggested for an issue connecting through a Linksys to a particular cable provider. I found the info while I was at work and I don't recall the site now here at home. When I get to work tomorrow, I'll find it and post it here.
In a nutshell, all I did was clone one of my PCs' NIC/MAC address at the WAN side of the router. I did not know what to expect, doing this, but, after rebooting the router, then the modem, I did a 'status' on the router, and the MAC address reported on the LAN side of the router was now what the MAC address USED to be on the WAN side, and the WAN MAC was what I had input for the clone. I tested the application and it works. I tested some other Internet apps I run and they work. I haven't gone through everything, and, I could uncover other issues as a result of doing this, so, we'll see...
FYI, I noticed that the IP address the router got from the Modem is the same IP my PC got when I hooked it up DHCP directly to the modem. I expected this, in fact I was counting on it.
I sure would like to know why I had to do all this, when, it worked just fine in default configuration less than 2 months ago. Odd...
Glad you made it work - I cannot explain why it only affected one particular site, nor can I figure out why adjusting your MAC like that fixed it, nor can I explain why your router was handing out ICMP messages (type 3:3) - but I'll sure make some wild guesses hehe...
1. Your router probably does SNAT on inbound packets (makes all packets look like they came from the router - would be nice to have a sniffer on the WAN side to make sure)
2. Some bonehead at your ISP thought that they should blcok your access to your remote server because they didn't like what you were doing (maybe transferring too much data, using suspicious ports, etc).
3. You worked around the filter by changing your MAC.
Alternately, your router could just be very wacky - I tend to avoid low-end appliance routers for just such reasons (we may never know exactly why it works, or why it failed). In any case, I would be very interested to hear what Linksys says about this, and maybe your ISP as well.
BTW, who is yor provider? I'd like to know to compare against other folks with future similar problems.
Cheers,
-Jon
1. Your router probably does SNAT on inbound packets (makes all packets look like they came from the router - would be nice to have a sniffer on the WAN side to make sure)
2. Some bonehead at your ISP thought that they should blcok your access to your remote server because they didn't like what you were doing (maybe transferring too much data, using suspicious ports, etc).
3. You worked around the filter by changing your MAC.
Alternately, your router could just be very wacky - I tend to avoid low-end appliance routers for just such reasons (we may never know exactly why it works, or why it failed). In any case, I would be very interested to hear what Linksys says about this, and maybe your ISP as well.
BTW, who is yor provider? I'd like to know to compare against other folks with future similar problems.
Cheers,
-Jon
ASKER
Provider is Roadrunner.
ASKER
Here's the place I got the idea from:
http://www.talkbroadband.com/forums/viewthread.php?tid=126
It is interesting to note that, doing this gave me a new WAN-side IP, which could corroborate the theory that somewhere I was being blocked, at the IP level.
It's also interesting because, I really don't know where I got the IP from, the Cable Modem, or my ISP. I understand the cable modem does DHCP/hand out IP's, but, if that's the case, how did the CM get more than one IP from my ISP? -And, if the IP came from my ISP based on the 'new MAC,' I thought the MAC at the CM had to be registered w/ my ISP, in order to get an IP -when the new MAC came in, it should have been rejected?
Blah.. I've about had enough of this...
I hope my adventures help someone else, that's all I have to say...
JW
http://www.talkbroadband.com/forums/viewthread.php?tid=126
It is interesting to note that, doing this gave me a new WAN-side IP, which could corroborate the theory that somewhere I was being blocked, at the IP level.
It's also interesting because, I really don't know where I got the IP from, the Cable Modem, or my ISP. I understand the cable modem does DHCP/hand out IP's, but, if that's the case, how did the CM get more than one IP from my ISP? -And, if the IP came from my ISP based on the 'new MAC,' I thought the MAC at the CM had to be registered w/ my ISP, in order to get an IP -when the new MAC came in, it should have been rejected?
Blah.. I've about had enough of this...
I hope my adventures help someone else, that's all I have to say...
JW
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
I e-mailed Linksys support the whole history on this matter, including a link to this thread. I'd like to give them a couple days to respond. If they have anything decent to add, I will add it here. After that point, I will close/accept comment as answer -this thread.
Jay
Jay
ASKER
FYI, grrr, I still haven't heard back from linksys... I don't know what to do here and how to divvy up these points... A little help or siggestions, please?
Jay
Jay
A request for a split has been made at: https://www.experts-exchange.com/questions/20567448/Reduce-points-split-close-question.html
jwelter, I have reduced the original points from 50 to 25. You may now accept one experts comment.
After that, create a new question worth 25 points in the following area: https://www.experts-exchange.com/questions/20527431/Ping-Destination-Port-Unreachable.html
Title it: Points for Expertname (replace with the actual expertname) re 20527431
In the question text, put:
For your help in:
https://www.experts-exchange.com/questions/20527431/Ping-Destination-Port-Unreachable.html
After that, grab the new question URL and come back to this question to let the expert know where you have placed their points (this way they get email notification).
If you need further assistance, or if the "points for" question has not ben created within 2 days, somebody drop me a note here and I will handle.
Thanks.
SpideyMod
Community Support Moderator @Experts Exchange
jwelter, I have reduced the original points from 50 to 25. You may now accept one experts comment.
After that, create a new question worth 25 points in the following area: https://www.experts-exchange.com/questions/20527431/Ping-Destination-Port-Unreachable.html
Title it: Points for Expertname (replace with the actual expertname) re 20527431
In the question text, put:
For your help in:
https://www.experts-exchange.com/questions/20527431/Ping-Destination-Port-Unreachable.html
After that, grab the new question URL and come back to this question to let the expert know where you have placed their points (this way they get email notification).
If you need further assistance, or if the "points for" question has not ben created within 2 days, somebody drop me a note here and I will handle.
Thanks.
SpideyMod
Community Support Moderator @Experts Exchange
ASKER
Not a direct solution to the problem, but excellent wisdom in the arena, and very much appreciated time and effort.
Thanks, Jon!
Thanks, Jon!
ASKER
Points divy - for lrmoore - thanks lrmoore!
Your points are here:
https://www.experts-exchange.com/questions/20567487/Points-for-lrmoore-RE-20527431.html
(I'm assuming you go there & propose an answer or comment or whatever -then I'll go award you points)
JW
Your points are here:
https://www.experts-exchange.com/questions/20567487/Points-for-lrmoore-RE-20527431.html
(I'm assuming you go there & propose an answer or comment or whatever -then I'll go award you points)
JW
If you did upgrade the firmware and that broke it, then you might need to setup "trigger port" on those two ports since they are different than standard ftp.
But, since you can't even ping the server, there might be something else going on. Can you do a traceroute and see where it breaks? You might have to contact your ISP and see if they started blocking those upper ports for some reason.
I doubt it's the sharkfin modem (I have one of those, too) if you can do everything else you need to do.