Jerry (Leader)

How to turn around "ICMPv6 redirect packets are not allowed" messages in the logs ...

Hi chaps 🙂 hope you're doing well and staying safe?

Quick question to our gurus: have you got any clue where to turn on IPv6 redirects globally?

Please see enclosed: my customer is being flooded with log messages like this one and would like to ENABLE IPv6 redirection. Whereabouts would you potentially do that, or in which file?

Annotation 2020-07-02 112308.jpg

PS. Below is all you need to know in advance:

This is Check Point CPinfo Build 914000202 for GAIA
[IDA]
No hotfixes..

[MGMT]
HOTFIX_R80_40_JUMBO_HF_MAIN Take: 48

[CPFC]
No hotfixes..

[FW1]
HOTFIX_GOT_TPCONF_MGMT_AUTOUPDATE
HOTFIX_GOT_TPCONF_AUTOUPDATE
HOTFIX_R80_40_JUMBO_HF_MAIN Take: 48

FW1 build number:
This is Check Point Security Management Server R80.40 - Build 019
This is Check Point's software version R80.40 - Build 088
kernel: R80.40 - Build 079

7 Replies
Jerry (Leader)

Apparently that SPLAT inheritance does not work any longer:

ip redirect enable
no ip redirect

Hence I have no clue where on R80.xx you can turn on redirects. Do you?
Timothy_Hall (Champion)

For IPv4 this behavior is controlled by the fw_icmp_redirects kernel variable which is set to 0 by default, see sk112772: ICMP redirects drop

I don't see a special IPv6 kernel variable for this, so setting fw_icmp_redirects to 1 should do the trick for all redirects including IPv6.

Watch My 2023 CPX360 Speech Titled "Max Power Reloaded: R81+ Gateway Performance Innovations"
Jerry (Leader)

Thanks Tim, I'll test it and update you in due course 🙂
Jerry (Leader)

Done:

Last login: Fri Jul 3 08:22:07 2020 from .......................::4
[Expert@cp:0]# fw ctl get int fw_icmp_redirects
fw_icmp_redirects = 1

*** It still produces 1000s of log entries with an (apparently different!) error like:

"ICMPv6 error does not match an existing connection"

so:

before it was:

"ICMPv6 redirect packets are not allowed"

now it is:

"ICMPv6 error does not match an existing connection"

Tell me, folks, it isn't confusing and strange somehow...
Timothy_Hall (Champion)

Is it possible that these ICMP redirects are somehow being sent to a broadcast or multicast address?  Use tcpdump -e to check this.  If so the firewall would receive the redirects even though they aren't really intended for the firewall and it would have no matching connection.  I suppose you could try unchecking the "Drop out of state ICMP" checkbox on the Stateful Inspection screen under Global Properties and see what happens...

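To act on the tcpdump -e check suggested above, here is an added example (not from this thread, and not Check Point code) that classifies ICMPv6 redirect frames from `tcpdump -e -n icmp6`-style output by whether the destination MAC or IPv6 address is multicast; the sample lines are constructed and the field layout is assumed from Linux tcpdump.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample of `tcpdump -e -n icmp6` style output (not a real capture):
# a redirect to the all-nodes multicast group, a genuine unicast redirect,
# and a neighbor solicitation that should be ignored by the classifier.
SAMPLE_LINES = """\
08:22:07.101 00:1c:7f:aa:bb:01 > 33:33:00:00:00:01, ethertype IPv6 (0x86dd), length 118: fe80::21c:7fff:feaa:bb01 > ff02::1: ICMP6, redirect, 2001:db8:1::10 to 2001:db8:1::1, length 64
08:22:07.202 00:1c:7f:aa:bb:01 > 00:1c:7f:cc:dd:02, ethertype IPv6 (0x86dd), length 118: fe80::21c:7fff:feaa:bb01 > fe80::21c:7fff:fecc:dd02: ICMP6, redirect, 2001:db8:1::10 to 2001:db8:1::1, length 64
08:22:08.303 00:1c:7f:aa:bb:01 > 33:33:ff:cc:dd:02, ethertype IPv6 (0x86dd), length 86: fe80::21c:7fff:feaa:bb01 > ff02::1:ffcc:dd02: ICMP6, neighbor solicitation, who has fe80::21c:7fff:fecc:dd02, length 32
"""

# Assumed layout: "<src_mac> > <dst_mac>, ethertype IPv6 (...), length N: <src_ip> > <dst_ip>: ICMP6, <type>, ..."
LINE_RE = re.compile(
    r"(?P<src_mac>[0-9a-f:]{17}) > (?P<dst_mac>[0-9a-f:]{17}), ethertype IPv6 .*?: "
    r"(?P<src_ip>[0-9a-f:.]+) > (?P<dst_ip>[0-9a-f:.]+): ICMP6, (?P<msg>[a-z ]+?),",
    re.IGNORECASE,
)


def is_multicast_mac(mac: str) -> bool:
    """Group bit = least significant bit of the first octet (33:33:... for IPv6 multicast)."""
    return (int(mac.split(":")[0], 16) & 1) == 1


def classify_redirects(text: str) -> Counter:
    """Count ICMPv6 redirect frames by delivery: 'unicast' vs 'multicast'.

    A redirect that arrives on a multicast MAC or IPv6 group address is one the
    firewall sees without being the intended recipient, so it will never match
    an existing connection.
    """
    counts: Counter = Counter()
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m or m.group("msg").lower() != "redirect":
            continue
        dst_ip = ipaddress.IPv6Address(m.group("dst_ip"))
        if dst_ip.is_multicast or is_multicast_mac(m.group("dst_mac")):
            counts["multicast"] += 1
        else:
            counts["unicast"] += 1
    return counts


if __name__ == "__main__":
    print(dict(classify_redirects(SAMPLE_LINES)))
```

Pipe a live `tcpdump -e -n icmp6` capture into this script instead of SAMPLE_LINES to see whether the redirects flooding the log are unicast (as in Jerry's case) or stray multicast traffic.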
Jerry (Leader)

"Is it possible that these ICMP redirects are somehow being sent to a broadcast or multicast address?" --- Nope, the redirects happen on genuine point-to-point traffic (all IPv6 src/dst based while the port remains "redirect6"). I will try Drop OOS ICMP and let you know. Just going on it and will report back. Concerning... isn't it 🙂

See enclosed:

Annotation 2020-07-03 190534.png

Jerry (Leader)

Annotation 2020-07-03 191520.jpg

This setup did the trick 🙂 Thanks Tim! It was a good guess though!

Drops - I don't mind, but 1000s of logs caused by this - no thanks 😛

Have a lovely weekend!