From: Tim Bass <bass@linux.silkroad.com>

...

Tim, unfortunately ICMP UNREACHABLE can be sent some intermediate router during routing flip process. For this reason some customer prefer cut off this sort of ICMP - it would break running TCP connection.

Understood, however the conditions to terminate the connection is not just as simple as UNREACHABLE. A few possible conditions: (1) UNREACHABLE && TCP_SYN_STATE (2) UNREACHABLE && TCP_SYN_STATE && sk->time_in_state

I am not shure that it is in _ALL_ host types. Experience gave me that some time I had problem with uninterraptable service up to I configure router to cut off ICMP UNREACHABLE from outside. - Leonid Yegoshin, LY22