topic Re: How to turn around "ICMPv6 redirect packets are not allowed" messages in the logs ... in General Topics

How to turn around "ICMPv6 redirect packets are not allowed" messages in the logs ...

Jerry — Thu, 02 Jul 2020 10:29:26 GMT

hi chaps 🙂 hope you're doing well and staying safe?

quick question to our guru's - have you got any clue where-to turn on IPv6 redirects globally?

please see enclosed, my Customer is being flooded with log messages like this one and would like to ENABLE IPv6 redirection - where about you'd potentially do that or by which file ?

ps. below is all you need to know in advance:

This is Check Point CPinfo Build 914000202 for GAIA
[IDA]
No hotfixes..

[MGMT]
HOTFIX_R80_40_JUMBO_HF_MAIN Take: 48

[CPFC]
No hotfixes..

[FW1]
HOTFIX_GOT_TPCONF_MGMT_AUTOUPDATE
HOTFIX_GOT_TPCONF_AUTOUPDATE
HOTFIX_R80_40_JUMBO_HF_MAIN Take: 48

FW1 build number:
This is Check Point Security Management Server R80.40 - Build 019
This is Check Point's software version R80.40 - Build 088
kernel: R80.40 - Build 079

Re: How to turn around "ICMPv6 redirect packets are not allowed" messages in the logs ...

Jerry — Thu, 02 Jul 2020 10:31:45 GMT

aparently that splat inheritance does not work any longer ;.;.;

ip redirect enable
no ip redirect

hence I have no clue where on R80.xx you can turn-on redirects,
do you?

Re: How to turn around "ICMPv6 redirect packets are not allowed" messages in the logs ...

Timothy_Hall — Thu, 02 Jul 2020 16:56:08 GMT

For IPv4 this behavior is controlled by the fw_icmp_redirects kernel variable which is set to 0 by default, see sk112772: ICMP redirects drop

I don't see a special IPv6 kernel variable for this, so setting fw_icmp_redirects to 1 should to the trick for all redirects including IPv6.

Re: How to turn around "ICMPv6 redirect packets are not allowed" messages in the logs ...

Jerry — Fri, 03 Jul 2020 07:21:40 GMT

Thanks Tim, I'll test it and update you due course 🙂

Re: How to turn around "ICMPv6 redirect packets are not allowed" messages in the logs ...

Jerry — Fri, 03 Jul 2020 07:33:51 GMT

Done:

Last login: Fri Jul 3 08:22:07 2020 from .......................::4
[Expert@cp:0]# fw ctl get int fw_icmp_redirects
fw_icmp_redirects = 1

*** It still produces 1000s of log entries with (aparently different error!) like:

"ICMPv6 error does not match an existing connection"

so:

before it was:

"ICMPv6 redirect packets are not allowed"

now it is:

"ICMPv6 error does not match an existing connection"

tell me folks it isn't confusing and strange somehow ...

Re: How to turn around "ICMPv6 redirect packets are not allowed" messages in the logs ...

Timothy_Hall — Fri, 03 Jul 2020 13:56:37 GMT

Is it possible that these ICMP redirects are somehow being sent to a broadcast or multicast address? Use tcpdump -e to check this. If so the firewall would receive the redirects even though they aren't really intended for the firewall and it would have no matching connection. I suppose you could try unchecking the "Drop out of state ICMP" checkbox on the Stateful Inspection screen under Global Properties and see what happens...

Re: How to turn around "ICMPv6 redirect packets are not allowed" messages in the logs ...

Jerry — Fri, 03 Jul 2020 18:08:08 GMT

"Is it possible that these ICMP redirects are somehow being sent to a broadcast or multicast address?" --- nop, the redirects happens on genuine point-2-point traffic (all IPv6 src/dst based while port remains "redirect6", will try Drop OOS ICMP and let you know. Just going on it and will report back. Concerning ... isn't it 🙂

see enclosed.:

Re: How to turn around "ICMPv6 redirect packets are not allowed" messages in the logs ...

Jerry — Fri, 03 Jul 2020 18:16:40 GMT

this setup did the trick 🙂 thanks Tim! it was a good guess though!

Drops - I don't mind, but 1000s of logs caused by this - no thanks 😛

have a lovely weekend !