U110 unable to perform proactive monitoring through 63xx-series router [SOLVED]
Problem
An AT&T VPN Gateway or U110 is configured to perform Proactive Monitoring, but the monitoring tests fail when performed through a 63xx-series router.
Background
The Proactive Monitoring feature of the AT&T VPN Gateway performs a connectivity test on its WAN2 backup connection. The test sends an ICMP packet of type 20 outbound and expects an ICMP packet of type 21 in response. Because these are non-standard ICMP types, the 63xx-series router's firewall drops the packets, and the AT&T VPN Gateway fails its Proactive Monitoring test.
Solution
The firewall of the 63xx-series router must be updated to allow the unique ICMP packets through the cellular connection. To implement this solution, update the configuration profile of the Accelerated 63xx-series router with the following configuration changes:
- Select the Firewall -> Custom rules -> Enable checkbox
- Enter the following two firewall rules into the Firewall -> Custom rules -> Rules option:
iptables -I FORWARD -p icmp --icmp-type 20 -j ACCEPT
iptables -I FORWARD -p icmp --icmp-type 21 -j ACCEPT
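Because -I inserts each rule at the head of the FORWARD chain, both ACCEPT rules should be listed ahead of any drop rule once the profile is applied. The shell function below is an added example (not part of the original article or the router's firmware) that checks this ordering in the output of iptables -S FORWARD. The function name check_icmp_forward and the sample listing are constructed for illustration, and shell access to the router is assumed.

```shell
#!/bin/sh
# Added example: audit `iptables -S FORWARD` output (read on stdin) for the two
# ACCEPT rules from this article. Heuristic: match conditions other than -p and
# --icmp-type are ignored, so any earlier DROP/REJECT that could apply to ICMP
# is reported as shadowing.
check_icmp_forward() {
    awk '
    BEGIN { st[20] = "missing"; st[21] = "missing" }
    $1 == "-A" && $2 == "FORWARD" {
        proto = ""; itype = ""; target = ""
        for (i = 3; i < NF; i++) {
            if ($i == "-p") proto = $(i + 1)
            if ($i == "--icmp-type") itype = $(i + 1)
            if ($i == "-j") target = $(i + 1)
        }
        for (t = 20; t <= 21; t++) {
            if (st[t] != "missing") continue               # first verdict wins
            if (proto != "" && proto != "icmp") continue   # rule is for another protocol
            if (itype != "" && itype != (t "")) continue   # rule is for another ICMP type
            if (target == "ACCEPT" && itype == (t "")) st[t] = "accepted"
            else if (target == "DROP" || target == "REJECT") st[t] = "shadowed"
        }
    }
    END {
        for (t = 20; t <= 21; t++) print "icmp-type " t ": " st[t]
        exit !(st[20] == "accepted" && st[21] == "accepted")
    }'
}

# Constructed sample listing (not captured from a real router). The type 21
# rule is listed first because each -I insert lands at the top of the chain.
SAMPLE_RULES='-P FORWARD DROP
-A FORWARD -p icmp -m icmp --icmp-type 21 -j ACCEPT
-A FORWARD -p icmp -m icmp --icmp-type 20 -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT'

printf '%s\n' "$SAMPLE_RULES" | check_icmp_forward
```

On a live system the equivalent check is iptables -S FORWARD | check_icmp_forward; a non-zero exit status means at least one of the two rules is missing or sits behind a rule that may drop the packet first.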