Default Behaviour of ICMP Unreachable Errors
For different levels of security, the default behavior for ICMP unreachable errors from a downstream Juniper Networks device is handled as follows:
- Sessions do not close for ICMP type-3 code-4 messages.
  ICMP messages pass through without dropping sessions. Packets are, however, dropped per session.
- Sessions do not close on receiving any kind of ICMP unreachable messages.
- Sessions store the ICMP unreachable message, thereby restricting the number of messages flowing through to 1.
  One ICMP unreachable message is generated globally per router. The remaining ICMP unreachable errors are dropped.
Related Topics
- Junos OS Feature Support Reference for SRX Series and J Series Devices
- Security Policy Applications Overview
- Understanding the ICMP Predefined Policy Application
- Example: Configuring Applications and Application Sets