Internet Control Message Protocol "Destination Unreachable" (Code = 0x0D) Packets (325122)


The information in this article applies to:

  • Microsoft Windows XP Home Edition
  • Microsoft Windows XP Professional
  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Professional
  • Microsoft Windows NT Server 4.0
  • Microsoft Windows NT Workstation 4.0
This article was previously published under Q325122

SUMMARY

When you analyze a network trace, you may see Internet Control Message Protocol (ICMP) Type 3 "Destination Unreachable" packets with a code value of hexadecimal 0X0D or decimal 13: 

IP: Source Address = <dotted-IP-address-of-router>
ICMP: Destination Unreachable: <dotted-IP-address-of-target-host>
   ICMP: Packet Type = Destination Unreachable
   ICMP: Unreachable Code = 0x0D

The code value of the ICMP Destination Unreachable packet is 0x0D. The hexadecimal code 0X0D (code decimal 13) translates to "Communication Administratively Prohibited" from Requests for Comments (RFC) 1812: 

   13 = Communication Administratively Prohibited - generated if a
        router cannot forward a packet due to administrative filtering;

This is generated if a router cannot forward a packet because of administrative filtering. This is the code value for an administrative denial, which indicates that a router is filtering a port and is not permitting traffic to pass. The packet is typically seen when traffic is refused to pass through a router or a firewall.

For example, if a firewall or a router is not allowing Transmission Control Protocol (TCP) port 139, you may receive the following error messages:
Error 121: The semaphore timeout period has expired (ERROR_SEM_TIMEOUT).

-and-

Error 1231: The remote network is not reachable by the transport (ERROR_NETWORK_UNREACHABLE).
Additionally, because the user process may ignore the ICMP packet, the redirector and TCP may try many times before they receive these types of error messages.

If a firewall or a router is blocking TCP or User Datagram Protocol (UDP) port 53, the error indicates the reason for the failing Domain Name System (DNS) queries.

The ICMP packet is sent as a response to a DNS name query by using TCP/UDP port 53. To troubleshoot this problem, you can use the tracert command to the destination host. Check the source address for the ICMP packet to identify the router that is sending the packet. In the Detail pane of Network Monitor, you can see the Internet Protocol (IP) header, which displays information about the IP address of the router or the node from where the packet is coming. Contact the router or the firewall administrator to open the filtered port.

MORE INFORMATION

Internet Control Message Protocol (ICMP) Destination Unreachable Code Values

When a packet is undeliverable, a Destination Unreachable ICMP Type 3 message is generated. Type 3 ICMP packets can have a code value of 0 to 15.

The following ICMP Type 3 codes values are defined in RFC 1812: 

Hexadecimal  Decimal  Description
---------------------------------------------------------------------------
0x00         0        Network Unreachable - generated by a router if a forwarding path
                     (route) to the destination network is not available;

0x01         1        Host Unreachable - generated by a router if a forwarding path
                      (route) to the destination host on a directly connected network
                      is not available (does not respond to ARP);

0x02         2        Protocol Unreachable - generated if the transport protocol
                      designated in a datagram is not supported in the transport layer
                      of the final destination;

0x03         3        Port Unreachable - generated if the designated transport protocol
                      (e.g., UDP) is unable to demultiplex the datagram in the
                      transport layer of the final destination but has no protocol
                      mechanism to inform the sender;

0x04         4        Fragmentation Needed and DF Set - generated if a router needs to
                      fragment a datagram but cannot since the DF flag is set;

0x05         5        Source Route Failed - generated if a router cannot forward a
                      packet to the next hop in a source route option;

0x06         6        Destination Network Unknown - This code SHOULD NOT be generated
                      since it would imply on the part of the router that the
                      destination network does not exist (net unreachable code 0
                      SHOULD be used in place of code 6);

0x07         7        Destination Host Unknown - generated only when a router can
                      determine (from link layer advice) that the destination host
                      does not exist;

0x0B         11       Network Unreachable For Type Of Service - generated by a router
                      if a forwarding path (route) to the destination network with the
                      requested or default TOS is not available;

0x0C         12       Host Unreachable For Type Of Service - generated if a router
                      cannot forward a packet because its route(s) to the destination
                      do not match either the TOS requested in the datagram or the
                      default TOS (0).

0x0D         13       Communication Administratively Prohibited - generated if a
                      router cannot forward a packet due to administrative filtering;

0x0E         14       Host Precedence Violation.  Sent by the first hop router to a
                      host to indicate that a requested precedence is not permitted
                      for the particular combination of source/destination host or
                      network, upper layer protocol, and source/destination port;

0x0F         15       Precedence cutoff in effect.  The network operators have imposed
                      a minimum level of precedence required for operation, the
                      datagram was sent with a precedence below this level;

Routers may have a configuration option that causes code 13 messages ("Communication Administratively Prohibited") not to be generated. When this option is enabled, no ICMP error message is sent in response to a packet that is dropped because its forwarding is administratively prohibited.

For more information, see Request for Comments 1812: Requirements for IP Version 4 Routers, or see the following book:

Wright, Gary R., and W. Richard Stevens. TCP/IP Illustrated, Volume 2: The Implementation. Addison-Wesley Professional, 1995, ISBN 0-201-63354-X.

For additional information, click the article numbers below to view the articles in the Microsoft Knowledge Base:

170292 Internet Control Message Protocol (ICMP) Basics

179442 How to Configure a Firewall for Domains and Trusts

159211 Diagnoses and Treatment of Black Hole Routers

Modification Type:MajorLast Reviewed:6/6/2003
Keywords:kbinfo KB325122
©2002 Microsoft Corporation. All rights reserved.