Jerry
Leader

How to turn around "ICMPv6 redirect packets are not allowed" messages in the logs ...

Hi chaps 🙂 hope you're doing well and staying safe?

Quick question to our gurus - have you got any clue where to turn on IPv6 redirects globally?

Please see enclosed, my Customer is being flooded with log messages like this one and would like to ENABLE IPv6 redirection - whereabouts would you potentially do that, or in which file?

Annotation 2020-07-02 112308.jpg

PS: below is all you need to know in advance:

This is Check Point CPinfo Build 914000202 for GAIA
[IDA]
No hotfixes..

[MGMT]
HOTFIX_R80_40_JUMBO_HF_MAIN Take: 48

[CPFC]
No hotfixes..

[FW1]
HOTFIX_GOT_TPCONF_MGMT_AUTOUPDATE
HOTFIX_GOT_TPCONF_AUTOUPDATE
HOTFIX_R80_40_JUMBO_HF_MAIN Take: 48

FW1 build number:
This is Check Point Security Management Server R80.40 - Build 019
This is Check Point's software version R80.40 - Build 088
kernel: R80.40 - Build 079

Jerry
7 Replies
Jerry
Leader

Apparently that SPLAT inheritance does not work any longer...

ip redirect enable
no ip redirect

Hence I have no clue where on R80.xx you can turn on redirects,
do you?
Jerry
Timothy_Hall
Champion

For IPv4 this behavior is controlled by the fw_icmp_redirects kernel variable which is set to 0 by default, see sk112772: ICMP redirects drop

I don't see a special IPv6 kernel variable for this, so setting fw_icmp_redirects to 1 should do the trick for all redirects including IPv6.

"Max Capture: Know Your Packets" Video Series
now available at http://www.maxpowerfirewalls.com
Jerry
Leader

Thanks Tim, I'll test it and update you in due course 🙂
Jerry
Jerry
Leader

Done:

Last login: Fri Jul 3 08:22:07 2020 from .......................::4
[Expert@cp:0]# fw ctl get int fw_icmp_redirects
fw_icmp_redirects = 1

*** It still produces 1000s of log entries with (an apparently different error!) like:

"ICMPv6 error does not match an existing connection"

so:

before it was:

"ICMPv6 redirect packets are not allowed"

now it is:

"ICMPv6 error does not match an existing connection"

Tell me folks it isn't confusing and strange somehow ...
Jerry
Timothy_Hall
Champion

Is it possible that these ICMP redirects are somehow being sent to a broadcast or multicast address?  Use tcpdump -e to check this.  If so the firewall would receive the redirects even though they aren't really intended for the firewall and it would have no matching connection.  I suppose you could try unchecking the "Drop out of state ICMP" checkbox on the Stateful Inspection screen under Global Properties and see what happens...

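As an added illustration of Tim's tcpdump -e suggestion (this is not code from the thread, from Check Point, or from the poster's gateway): a small Python triage that reads tcpdump -e style lines and separates ICMPv6 redirects addressed to a unicast MAC from those addressed to a multicast or broadcast MAC, which is the distinction that decides whether the firewall should ever have seen them. The capture lines, MAC and IPv6 addresses below are constructed samples.

```python
import re
from collections import Counter

# Constructed sample lines in the shape of `tcpdump -e -n icmp6` output.
# Not a real capture: MACs and IPv6 addresses are made up for the example.
SAMPLE_TCPDUMP = """\
08:22:07.101 00:0c:29:aa:bb:01 > 00:0c:29:cc:dd:02, ethertype IPv6 (0x86dd), length 118: fe80::1 > fe80::2: ICMP6, redirect, 2001:db8::10 to 2001:db8::1, length 64
08:22:07.205 00:0c:29:aa:bb:01 > 33:33:00:00:00:01, ethertype IPv6 (0x86dd), length 118: fe80::1 > ff02::1: ICMP6, redirect, 2001:db8::10 to 2001:db8::1, length 64
08:22:07.310 00:0c:29:aa:bb:03 > 00:0c:29:cc:dd:02, ethertype IPv6 (0x86dd), length 86: fe80::3 > fe80::2: ICMP6, neighbor solicitation, who has fe80::2, length 32
"""

# timestamp, source MAC, destination MAC, then the IPv6 src/dst and ICMP6 type.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<smac>[0-9a-f:]{17}) > (?P<dmac>[0-9a-f:]{17}), ethertype IPv6 .*?: "
    r"(?P<src>[0-9a-f:]+) > (?P<dst>[0-9a-f:]+): ICMP6, (?P<kind>[^,]+)",
    re.IGNORECASE,
)


def is_group_mac(mac: str) -> bool:
    """True for multicast or broadcast: the I/G bit (LSB of the first octet) is set.
    IPv6 multicast maps to 33:33:xx:xx:xx:xx, broadcast is ff:ff:ff:ff:ff:ff."""
    return int(mac.split(":")[0], 16) & 1 == 1


def classify_redirects(capture: str) -> Counter:
    """Count ICMPv6 redirects by whether their L2 destination is unicast or group.

    A non-zero "group" count means the gateway is receiving redirects that were
    never addressed to it, so the "does not match an existing connection" log
    entries are expected; a pure "unicast" result points at genuine
    point-to-point traffic, as in the thread.
    """
    counts: Counter = Counter()
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if not m or m["kind"].strip().lower() != "redirect":
            continue  # skip non-matching lines and other ICMP6 types
        counts["group" if is_group_mac(m["dmac"]) else "unicast"] += 1
    return counts


if __name__ == "__main__":
    print(dict(classify_redirects(SAMPLE_TCPDUMP)))  # {'unicast': 1, 'group': 1}
```

On a live gateway you would feed it the output of tcpdump -e -n -i <interface> icmp6 instead of the embedded sample.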
Jerry
Leader

"Is it possible that these ICMP redirects are somehow being sent to a broadcast or multicast address?" --- nope, the redirects happen on genuine point-to-point traffic (all IPv6 src/dst based while port remains "redirect6"), will try Drop OOS ICMP and let you know. Just going on it and will report back. Concerning ... isn't it 🙂

See enclosed:

Annotation 2020-07-03 190534.png

Jerry
Jerry
Leader

Annotation 2020-07-03 191520.jpg

This setup did the trick 🙂 thanks Tim! It was a good guess though!

Drops - I don't mind, but 1000s of logs caused by this - no thanks 😛

Have a lovely weekend!

Jerry