Daniel_Kavan
Advisor

VPN tunnel keep alive in a world turning ICMP OFF


So, the question came up. Do we need to allow ICMP to Linux servers to keep the tunnel alive? From experience the answer seems to be NO, it doesn't need to be allowed. But what are the repercussions, if any? I wanted to put it up for discussion. To me it seems like it would at least create some unwanted overhead. To me, having ICMP off on the Linux servers, along with turning off telnet, tcpdump, traceroute, etc., is making network administration a bit more challenging.


Accepted Solutions
PhoneBoy
Admin

Between Dead Peer Detection and Check Point's proprietary tunnel test packets, you shouldn't (in theory) need to allow ICMP to keep the VPN tunnel up.
That said, it makes it difficult to know if the remote server is alive if you disable ICMP. 
