Article ID: 325122 - View products that this article applies to.
This article was previously published under Q325122
When you analyze a network trace, you may see Internet Control Message Protocol (ICMP) Type 3 "Destination Unreachable" packets with a code value of hexadecimal 0X0D or decimal 13:
The code value of the ICMP Destination Unreachable packet is 0x0D. The hexadecimal code 0X0D (code decimal 13) translates to "Communication Administratively Prohibited" from Requests for Comments (RFC) 1812:
IP: Source Address = <dotted-IP-address-of-router> ICMP: Destination Unreachable: <dotted-IP-address-of-target-host> ICMP: Packet Type = Destination Unreachable ICMP: Unreachable Code = 0x0D
This is generated if a router cannot forward a packet because of administrative filtering. This is the code value for an administrative denial, which indicates that a router is filtering a port and is not permitting traffic to pass. The packet is typically seen when traffic is refused to pass through a router or a firewall.
13 = Communication Administratively Prohibited - generated if a router cannot forward a packet due to administrative filtering;
For example, if a firewall or a router is not allowing Transmission Control Protocol (TCP) port 139, you may receive the following error messages:
Error 121: The semaphore timeout period has expired (ERROR_SEM_TIMEOUT).
Additionally, because the user process may ignore the ICMP packet, the redirector and TCP may try many times before they receive these types of error messages.
Error 1231: The remote network is not reachable by the transport (ERROR_NETWORK_UNREACHABLE).
If a firewall or a router is blocking TCP or User Datagram Protocol (UDP) port 53, the error indicates the reason for the failing Domain Name System (DNS) queries.
The ICMP packet is sent as a response to a DNS name query by using TCP/UDP port 53. To troubleshoot this problem, you can use the tracert command to the destination host. Check the source address for the ICMP packet to identify the router that is sending the packet. In the Detail pane of Network Monitor, you can see the Internet Protocol (IP) header, which displays information about the IP address of the router or the node from where the packet is coming. Contact the router or the firewall administrator to open the filtered port.
Internet Control Message Protocol (ICMP) Destination Unreachable Code ValuesWhen a packet is undeliverable, a Destination Unreachable ICMP Type 3 message is generated. Type 3 ICMP packets can have a code value of 0 to 15.
The following ICMP Type 3 codes values are defined in RFC 1812:
Routers may have a configuration option that causes code 13 messages ("Communication Administratively Prohibited") not to be generated. When this option is enabled, no ICMP error message is sent in response to a packet that is dropped because its forwarding is administratively prohibited.
Hexadecimal Decimal Description --------------------------------------------------------------------------- 0x00 0 Network Unreachable - generated by a router if a forwarding path (route) to the destination network is not available; 0x01 1 Host Unreachable - generated by a router if a forwarding path (route) to the destination host on a directly connected network is not available (does not respond to ARP); 0x02 2 Protocol Unreachable - generated if the transport protocol designated in a datagram is not supported in the transport layer of the final destination; 0x03 3 Port Unreachable - generated if the designated transport protocol (e.g., UDP) is unable to demultiplex the datagram in the transport layer of the final destination but has no protocol mechanism to inform the sender; 0x04 4 Fragmentation Needed and DF Set - generated if a router needs to fragment a datagram but cannot since the DF flag is set; 0x05 5 Source Route Failed - generated if a router cannot forward a packet to the next hop in a source route option; 0x06 6 Destination Network Unknown - This code SHOULD NOT be generated since it would imply on the part of the router that the destination network does not exist (net unreachable code 0 SHOULD be used in place of code 6); 0x07 7 Destination Host Unknown - generated only when a router can determine (from link layer advice) that the destination host does not exist; 0x0B 11 Network Unreachable For Type Of Service - generated by a router if a forwarding path (route) to the destination network with the requested or default TOS is not available; 0x0C 12 Host Unreachable For Type Of Service - generated if a router cannot forward a packet because its route(s) to the destination do not match either the TOS requested in the datagram or the default TOS (0). 0x0D 13 Communication Administratively Prohibited - generated if a router cannot forward a packet due to administrative filtering; 0x0E 14 Host Precedence Violation. Sent by the first hop router to a host to indicate that a requested precedence is not permitted for the particular combination of source/destination host or network, upper layer protocol, and source/destination port; 0x0F 15 Precedence cutoff in effect. The network operators have imposed a minimum level of precedence required for operation, the datagram was sent with a precedence below this level;
For more information, see Request for Comments 1812: Requirements for IP Version 4 Routers, or see the following book:
Wright, Gary R., and W. Richard Stevens. TCP/IP Illustrated, Volume 2: The Implementation. Addison-Wesley Professional, 1995, ISBN 0-201-63354-X.For additional information, click the article numbers below to view the articles in the Microsoft Knowledge Base:
(http://support.microsoft.com/kb/170292/EN-US/ )Internet Control Message Protocol (ICMP) Basics
(http://support.microsoft.com/kb/179442/EN-US/ )How to Configure a Firewall for Domains and Trusts
(http://support.microsoft.com/kb/159211/EN-US/ )Diagnoses and Treatment of Black Hole Routers
Article ID: 325122 - Last Review: October 30, 2006 - Revision: 2.1