ICS is a Black Hole Router

William Lipp

I've been trying to figure out why my ICS Gateway can browse to
www.ebay.com and www.google.com and www.abcnews.go.com but the ICS
client computers cannot. Google found some messages from this news
group in July 2003 in which Ace Fekay [MVP] directs attention to the
article on How to Troubleshoot BlackHole Routers
http://support.microsoft.com/?id=314825

They fixed the problem with "Method 3," making permanently smaller
MTUs at the ICS client stations. They appear to not have realized
that the ICS Gateway is the Black Hole Router. Hence the Gateway
Machine works fine, but everyone else has a Black Hole Router in their
path to the internet.

The right fix is a variant of "Method 2" = Configure Intermediate
Routers. In this case the ICS Gateway needs to relay the ICMP Type 3
Code 4 messages ("destination unreachable, don't fragment (DF) bit
sent and fragmentation required").

Are there Registry Entries to enable this? Or is this a bug that
needs to be reported?
Ace Fekay [MVP]

William Lipp said:
> I've been trying to figure out why my ICS Gateway can browse to
> www.ebay.com and www.google.com and www.abcnews.go.com but the ICS
> client computers cannot. Google found some messages from this news
> group in July 2003 in which Ace Fekay [MVP] directs attention to the
> article on How to Troubleshoot BlackHole Routers
> http://support.microsoft.com/?id=314825
>
> They fixed the problem with "Method 3," making permanently smaller
> MTUs at the ICS client stations. They appear to not have realized
> that the ICS Gateway is the Black Hole Router. Hence the Gateway
> Machine works fine, but everyone else has a Black Hole Router in their
> path to the internet.
>
> The right fix is a variant of "Method 2" = Configure Intermediate
> Routers. In this case the ICS Gateway needs to relay the ICMP Type 3
> Code 4 messages ("destination unreachable, don't fragment (DF) bit
> sent and fragmentation required").
>
> Are there Registry Entries to enable this? Or is this a bug that
> needs to be reported?

Yeah, that be me! :)

Not that I'm aware of about any reg changes. Usually we don't recommend ICS
for AD networks (due to ICS not being configurable and DNS and DHCP
services clashing). Rather use NAT.

Not sure what you have running, but usually I see this with an ADSL line,
such as Verizon's or other low end ADSL links. The ADSL modem chops the MTUs
below the default 1500 and causes multiple issues, which is what PPPoE
requires (and what they use). SDSL, T1 and cable do not do this. Also, an
MTU lower than 1500 will kill LDAP communication, such as logons or DCs
trying to communicate across that link.

--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS IS" with no warranties.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
William Lipp

Ace Fekay [MVP] said:
> Yeah, that be me! :)
>
> Not that I'm aware of about any reg changes. Usually we don't recommend ICS
> for AD networks (due to ICS not being configurable and DNS and DHCP
> services clashing). Rather use NAT.
>
> Not sure what you have running, but usually I see this with an ADSL line,
> such as Verizon's or other low end ADSL links. The ADSL modem chops the MTUs
> below the default 1500 and causes multiple issues, which is what PPPoE
> requires (and what they use). SDSL, T1 and cable do not do this. Also, an
> MTU lower than 1500 will kill LDAP communication, such as logons or DCs
> trying to communicate across that link.

I could reach www.ebay.com and www.abcnews.go.com and www.google.com
from the gateway machine. Only the "ICS client" machines - all of
them - failed to connect. I don't think problems in my ADSL
connection can explain that. I think the black hole router is clearly
identified as ICS by the test from both the gateway and the ICS
clients using

ping www.ebay.com -f -l 1472

from Gateway: Always "need to fragment"
from Clients: Always times out.

As an MVP, do you have a way to make a bug report about this that gets
taken seriously?
Ace Fekay [MVP]

Yes I do, but I have to look at all the facts first before trying to submit
anything. MS Engineers also monitor all the posts here, so rest assured.

So you do have an ADSL connection on the other side of the ICS machine. In my
experience, that is what is causing it. My feeling is that you have the
PPPoE software (WinPoet?) installed to support the ADSL modem; I believe
that is what is causing the ICS to be a blackhole router.

If you have two "regular" interfaces (such as two NICs and not one NIC and a
PPPoE interface) then this would not be happening.

--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS IS" with no warranties.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
Michael Johnston [MSFT]

ICS is indeed a Black Hole router. The problem here is that with DSL
connections you typically run PPPoE software to make it work. This adds an
8 byte wrapper around the ethernet frame. If ICS receives a 1500 byte packet
it cannot send this packet out the DSL line since the packet would exceed
the 1500 byte limit. ICS unfortunately silently discards the packet. At this
point there is no magic fix other than lowering the MTU size on all clients
behind the ICS machine. As stated in an earlier post, ICS isn't recommended
in this situation. RRAS NAT or ISA would be a much better solution.

Thank you,
Mike Johnston
Microsoft Network Support
--

This posting is provided "AS IS" with no warranties, and confers no rights. Use of included script samples is subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm

Note: For the benefit of the community-at-large, all responses to this message are best directed to the newsgroup/thread from which they originated.
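As an added illustration of what the thread describes (example code, not from any poster and not part of Windows ICS), the following Python models the ICMP Type 3 Code 4 "fragmentation needed" message the gateway would have to send or relay, and the payload arithmetic behind "ping -f -l 1472" with and without the 8 byte PPPoE wrapper. The sample packet, the RFC 5737 addresses and the parsing helpers are constructed for this example.

```python
import struct

ETH_MTU = 1500          # default Ethernet MTU the ICS clients assume
PPPOE_OVERHEAD = 8      # extra bytes PPPoE adds per frame, as the thread states
IPV4_HDR = 20
ICMP_HDR = 8

def max_ping_payload(link_mtu):
    """Largest 'ping -f -l N' payload that fits one unfragmented datagram."""
    return link_mtu - IPV4_HDR - ICMP_HDR

def icmp_checksum(data):
    """RFC 1071 ones-complement checksum; 0 for a message whose checksum is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_frag_needed(next_hop_mtu, original_datagram_head):
    """Build the ICMP Type 3 Code 4 message (RFC 1191 layout) a PMTU-aware
    router returns: type, code, checksum, unused, next-hop MTU, followed by
    the IP header + first 8 bytes of the datagram it had to drop."""
    body = struct.pack("!BBHHH", 3, 4, 0, 0, next_hop_mtu) + original_datagram_head
    return body[:2] + struct.pack("!H", icmp_checksum(body)) + body[4:]

def parse_frag_needed(msg):
    """Return (next_hop_mtu, original_destination) for a valid Type 3 Code 4
    message, or None for anything else (wrong type/code, truncated, bad checksum)."""
    if len(msg) < ICMP_HDR + IPV4_HDR or icmp_checksum(msg) != 0:
        return None
    itype, code, _, _, mtu = struct.unpack("!BBHHH", msg[:ICMP_HDR])
    if itype != 3 or code != 4:
        return None
    inner_ip = msg[ICMP_HDR:ICMP_HDR + IPV4_HDR]
    dst = ".".join(str(b) for b in inner_ip[16:20])
    return mtu, dst

# Constructed sample: IP header (DF set, total length 1500) plus the ICMP echo
# header of the 'ping -f -l 1472' probe from the thread. RFC 5737 test addresses.
SAMPLE_HEAD = struct.pack("!BBHHHBBH4s4s", 0x45, 0, ETH_MTU, 0x1234, 0x4000,
                          64, 1, 0, bytes([192, 168, 0, 2]), bytes([203, 0, 113, 10]))
SAMPLE_HEAD += struct.pack("!BBHHH", 8, 0, 0, 1, 1)

if __name__ == "__main__":
    # What a relaying gateway would send back, and what the client learns from it
    reply = build_frag_needed(ETH_MTU - PPPOE_OVERHEAD, SAMPLE_HEAD)
    mtu, dst = parse_frag_needed(reply)
    print("next-hop MTU %d towards %s -> retry with ping -f -l %d" % (mtu, dst, max_ping_payload(mtu)))
```

A client that never receives this message (the black hole case in the thread) has nothing to parse and keeps timing out, which is why lowering the client MTU by hand was the only workaround offered.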