U110 unable to perform proactive monitoring through 63xx-series router [SOLVED]

Problem

An AT&T VPN Gateway or U110 is configured to perform Proactive Monitoring, but the monitoring tests fail when performed through a 63xx-series router.

Background

The Proactive Monitoring feature of the AT&T VPN Gateway performs a connectivity test on its WAN2 backup connection. This connectivity test uses a unique ICMP exchange: the outbound packet is ICMP type 20, and the response packet is ICMP type 21. Because these are non-standard ICMP packets, the 63xx-series router's firewall drops them, which causes the AT&T VPN Gateway to fail its Proactive Monitoring test.

Solution

The firewall of the 63xx-series router must be updated to allow the unique ICMP packets through the cellular connection.  To implement this solution, update the configuration profile of the Accelerated 63xx-series router with the following configuration changes:

  1. Select the Firewall -> Custom rules -> Enable checkbox.
  2. Enter the following two firewall rules into the Firewall -> Custom rules -> Rules option:

       iptables -I FORWARD -p icmp --icmp-type 20 -j ACCEPT
       iptables -I FORWARD -p icmp --icmp-type 21 -j ACCEPT
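
To confirm the two rules took effect, the following added example (not part of the original article or the vendor's tooling) parses an `iptables -S FORWARD` listing and reports which of ICMP types 20 and 21 still lack an ACCEPT rule. It assumes shell access to the router with `iptables` available; the function name `missing_icmp_types` and the sample listings are constructed for illustration.

```shell
#!/bin/sh
# Added example: check a FORWARD chain listing for the two custom rules.
# Assumption: input is in `iptables -S FORWARD` format. On a live device
# (assumed to expose a shell): iptables -S FORWARD | missing_icmp_types

# Read a rule listing on stdin and print each required ICMP type (20, 21)
# that has no ACCEPT rule in FORWARD. Prints nothing when both are present.
missing_icmp_types() {
    awk '
        BEGIN { need[20] = 1; need[21] = 1 }
        $1 == "-A" || $1 == "-I" {
            if ($2 != "FORWARD") next
            proto = ""; itype = ""; target = ""
            # Walk the rule tokens and pick out protocol, ICMP type and target.
            for (i = 3; i <= NF; i++) {
                if ($i == "-p")          proto  = $(i + 1)
                if ($i == "--icmp-type") itype  = $(i + 1)
                if ($i == "-j")          target = $(i + 1)
            }
            if (proto == "icmp" && target == "ACCEPT" && (itype in need))
                delete need[itype]
        }
        END { for (t in need) print t }
    ' | sort -n
}

# Constructed sample listings (not captured from a real device).
SAMPLE_OK='-P FORWARD DROP
-A FORWARD -p icmp -m icmp --icmp-type 21 -j ACCEPT
-A FORWARD -p icmp -m icmp --icmp-type 20 -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT'

# Type 21 is present here, but only as a DROP rule, so it counts as missing.
SAMPLE_PARTIAL='-P FORWARD DROP
-A FORWARD -p icmp -m icmp --icmp-type 20 -j ACCEPT
-A FORWARD -p icmp -m icmp --icmp-type 21 -j DROP'

printf '%s\n' "$SAMPLE_OK" | missing_icmp_types        # prints nothing
printf '%s\n' "$SAMPLE_PARTIAL" | missing_icmp_types   # prints 21
```

As written, the two rules carry no interface or address match, so they accept forwarded ICMP type 20 and 21 packets in any direction between any hosts.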