ICMP 435 Destination unreachable (Communication administratively filtered)

Alan DeKok aland at deployingradius.com
Wed Aug 11 13:38:41 CEST 2021



> On Aug 11, 2021, at 5:50 AM, Dennis Schneck <dennis.schneck at schulergroup.com> wrote:
> 
> Hello,
> if the Switch sends requests can see only in wireshark this: ICMP 435 Destination unreachable (Communication administratively filtered)
> 
> $ tshark -Y "ip.addr==192.168.1.0/24"
> Capturing on 'eth0'
>   109 12.985452883   192.168.1.78 → 172.16.1.28 RADIUS 407 Access-Request id=5
>   110 12.985550915 172.16.1.28 → 192.168.1.78   ICMP 435 Destination unreachable (Communication administratively filtered)

  If your RADIUS server is 172.16.1.28, then there's a firewall / SELinux / something which is generating that ICMP message.

  FreeRADIUS 

> but in debug mode (raduisd -X) can see nothing.

  Because the Operating System is generating the ICMP messages, and is refusing to send RADIUS packets to FreeRADIUS.

> What did I wrong ?

  No amount of poking the FreeRADIUS configuration will fix this issue.  The issue is in the local operating system.

  Most Linux distributions do not come with such ICMP filters enabled.  So, it's likely something done to your local system.  If not by you, by another administrator.

  Alan DeKok.




More information about the Freeradius-Users mailing list