This may be a duplicate, but I think it's of interest.
ICMP Source Quench is REALLY Primitive.
It is issued by routers along a network path that can't handle the traffic
load being fed to it by a particular device. It is telling the server
(or source in general) to back off, and not send any more traffic. It's
really that crude. A router will generally send these packets when it is
being forced to discard packets that it can't buffer, and as such represents
a loss (and required retransmission) of packets.
The consensus was to NOT allow these through the firewall, but rather, to
tune the network to minimize their ocurrence.
In our case it was caused by a server -> router that were both on FDDI nets
feeding packets to an ethernet port off of the FDDI router. The ethernet
port didn't have the buffering necessary to handle the load being dumped
from a FDDI based server.
The solution in this particular case was to outfit the FDDI-Ethernet router
with 2 FDDI cards, and then attach the second FDDI ring to a FDDI to Ethernet
switch. This solved the problem, and improved performance.
The real lesson here (demonstrated in other cases as well) is that whenever
you see a serious performance problem, it is necessary to look at any ICMP traffic
from any routers along the way as well. ICMP Source Quench, ICMP Unreachable,
Fragmenting, and others are very real clues as to the health of your network.
BobK
|
|
