Ask Your Question

How to avoid ICMP "Destination Protocol Unreachable" with ERSPAN to WIndows 10

asked 2020-08-03 15:12:16 +0000

LoupQui gravatar image

I'm attempting to run an ERSPAN capture from a Cisco 3850 (origin IP on subnet "A") to a Windows 10 workstation (running WS 3.2.5 on subnet "B", separate 3850 switch) through a Cisco NX7004 core. Packets are received properly from the origin switch when the tunnel is first established, but each is answered by the workstation with an ICMP Destination Protocol Unreachable (ICMP type 3, code 2). After about 7 seconds of this, the core switch* stops forwarding / routing the tunnel. Use of the "protocol 0x2f" capture filter has no effect, as the ICMP packets appear to be originating from either the OS or the NIC driver.
Any thoughts on how one might disable the ICMP response?

*Presumably the core. Running the ERSPAN where the source and destination devices are connected to the same switch does not result in a blocked stream (the ICMP packets are still present, just not acted upon).

edit retag flag offensive close merge delete


Are you de-encapsulating the packets on the subnet "B" switch or sending to the PC IP address?
ERSPAN – My New Favorite Packet Capturing Trick

Chuckc gravatar imageChuckc ( 2020-08-03 15:43:31 +0000 )edit

Sending to the destination PC IP as per the link you reference.

LoupQui gravatar imageLoupQui ( 2020-08-03 15:45:40 +0000 )edit

Is there a rule in Windows firewall to allow the GRE packets in?

Chuckc gravatar imageChuckc ( 2020-08-03 16:12:05 +0000 )edit

All firewalls are completely disabled, yet the behavior persists.
Thank you all for the assistance. I'm chocking this one up to "Sorry, not with Windows you don't!"

LoupQui gravatar imageLoupQui ( 2020-08-03 20:17:38 +0000 )edit

1 Answer

Sort by » oldest newest most voted

answered 2020-08-03 15:20:07 +0000

grahamb gravatar image

updated 2020-08-05 14:09:20 +0000

Have you unbound all protocols from the workstation NIC to make it passive?

See a blog post from @Jasper here.

edit flag offensive delete link more


All protocols except for the npcap driver and IPv4 are disabled / unbound. I presume this interface must have an IP in order to receive the ERSPAN tunnel.
Reading through that post now...

LoupQui gravatar imageLoupQui ( 2020-08-03 15:39:17 +0000 )edit

Getting outside my knowledge boundaries here, but are you terminating the ERSPAN tunnel on the PC or the core switch? Another blog post here describes sending the ERSPAN traffic directly to the PC where Wireshark can unwrap it. I have no idea if you need IPv4 bound in this case.

Worst case you can empirically test unbinding the IPv4 entry and see what happens.

grahamb gravatar imagegrahamb ( 2020-08-03 15:48:04 +0000 )edit

Thank you for the suggestion. Unbinding was worth a go, but didn't work.
Big thanks for the @Jasper post(s)! That should be required reading for all packet enthusiasts :-).

LoupQui gravatar imageLoupQui ( 2020-08-03 20:16:19 +0000 )edit

You're welcome! This is a curious issue, unbinding everything except the npcap binding should mute the NIC completely. I've never seen one still reacting to anything if I did that...

Jasper gravatar imageJasper ( 2020-08-05 13:43:55 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools


Asked: 2020-08-03 15:12:16 +0000

Seen: 65 times

Last updated: Aug 05