Article ID: 325122
Article Last Modified on 10/30/2006
APPLIES TO
- Microsoft Windows XP Home Edition
- Microsoft Windows XP Professional
- Microsoft Windows 2000 Server
- Microsoft Windows 2000 Professional Edition
- Microsoft Windows NT Server 4.0 Standard Edition
- Microsoft Windows NT Workstation 4.0 Developer Edition
This article was previously published under Q325122
SUMMARY
When you analyze a network trace, you may see Internet Control Message Protocol (ICMP) Type 3 "Destination Unreachable" packets with a code value of hexadecimal 0X0D or decimal 13:
IP: Source Address = <dotted-IP-address-of-router> ICMP: Destination Unreachable: <dotted-IP-address-of-target-host> ICMP: Packet Type = Destination Unreachable ICMP: Unreachable Code = 0x0D
The code value of the ICMP Destination Unreachable packet is 0x0D. The hexadecimal code 0X0D (code decimal 13) translates to "Communication Administratively Prohibited" from Requests for Comments (RFC) 1812:
13 = Communication Administratively Prohibited - generated if a router cannot forward a packet due to administrative filtering;
This is generated if a router cannot forward a packet because of administrative filtering. This is the code value for an administrative denial, which indicates that a router is filtering a port and is not permitting traffic to pass. The packet is typically seen when traffic is refused to pass through a router or a firewall.
For example, if a firewall or a router is not allowing Transmission Control Protocol (TCP) port 139, you may receive the following error messages:
-and-
Additionally, because the user process may ignore the ICMP packet, the redirector and TCP may try many times before they receive these types of error messages.
If a firewall or a router is blocking TCP or User Datagram Protocol (UDP) port 53, the error indicates the reason for the failing Domain Name System (DNS) queries.
The ICMP packet is sent as a response to a DNS name query by using TCP/UDP port 53. To troubleshoot this problem, you can use the tracert command to the destination host. Check the source address for the ICMP packet to identify the router that is sending the packet. In the Detail pane of Network Monitor, you can see the Internet Protocol (IP) header, which displays information about the IP address of the router or the node from where the packet is coming. Contact the router or the firewall administrator to open the filtered port.
MORE INFORMATION
Internet Control Message Protocol (ICMP) Destination Unreachable Code Values
When a packet is undeliverable, a Destination Unreachable ICMP Type 3 message is generated. Type 3 ICMP packets can have a code value of 0 to 15.
The following ICMP Type 3 codes values are defined in RFC 1812:
Hexadecimal Decimal Description --------------------------------------------------------------------------- 0x00 0 Network Unreachable - generated by a router if a forwarding path (route) to the destination network is not available; 0x01 1 Host Unreachable - generated by a router if a forwarding path (route) to the destination host on a directly connected network is not available (does not respond to ARP); 0x02 2 Protocol Unreachable - generated if the transport protocol designated in a datagram is not supported in the transport layer of the final destination; 0x03 3 Port Unreachable - generated if the designated transport protocol (e.g., UDP) is unable to demultiplex the datagram in the transport layer of the final destination but has no protocol mechanism to inform the sender; 0x04 4 Fragmentation Needed and DF Set - generated if a router needs to fragment a datagram but cannot since the DF flag is set; 0x05 5 Source Route Failed - generated if a router cannot forward a packet to the next hop in a source route option; 0x06 6 Destination Network Unknown - This code SHOULD NOT be generated since it would imply on the part of the router that the destination network does not exist (net unreachable code 0 SHOULD be used in place of code 6); 0x07 7 Destination Host Unknown - generated only when a router can determine (from link layer advice) that the destination host does not exist; 0x0B 11 Network Unreachable For Type Of Service - generated by a router if a forwarding path (route) to the destination network with the requested or default TOS is not available; 0x0C 12 Host Unreachable For Type Of Service - generated if a router cannot forward a packet because its route(s) to the destination do not match either the TOS requested in the datagram or the default TOS (0). 0x0D 13 Communication Administratively Prohibited - generated if a router cannot forward a packet due to administrative filtering; 0x0E 14 Host Precedence Violation. Sent by the first hop router to a host to indicate that a requested precedence is not permitted for the particular combination of source/destination host or network, upper layer protocol, and source/destination port; 0x0F 15 Precedence cutoff in effect. The network operators have imposed a minimum level of precedence required for operation, the datagram was sent with a precedence below this level;
Routers may have a configuration option that causes code 13 messages ("Communication Administratively Prohibited") not to be generated. When this option is enabled, no ICMP error message is sent in response to a packet that is dropped because its forwarding is administratively prohibited.
For more information, see Request for Comments 1812: Requirements for IP Version 4 Routers, or see the following book:
Wright, Gary R., and W. Richard Stevens. TCP/IP Illustrated, Volume 2: The Implementation. Addison-Wesley Professional, 1995, ISBN 0-201-63354-X.
For additional information, click the article numbers below to view the articles in the Microsoft Knowledge Base:
170292 Internet Control Message Protocol (ICMP) Basics
179442 How to Configure a Firewall for Domains and Trusts
159211 Diagnoses and Treatment of Black Hole Routers
Additional query words: ICMP gateway netmon
Keywords: kbinfo KB325122