How to turn around "ICMPv6 redirect packets are not allowed" messages in the logs ...
hi chaps 🙂 hope you're doing well and staying safe?
quick question to our gurus - have you got any clue where to turn on IPv6 redirects globally?
please see enclosed: my customer is being flooded with log messages like this one and would like to ENABLE IPv6 redirection. Whereabouts would you potentially do that, or via which file?
PS: below is all you need to know in advance:
This is Check Point CPinfo Build 914000202 for GAIA
[IDA]
No hotfixes..
[MGMT]
HOTFIX_R80_40_JUMBO_HF_MAIN Take: 48
[CPFC]
No hotfixes..
[FW1]
HOTFIX_GOT_TPCONF_MGMT_AUTOUPDATE
HOTFIX_GOT_TPCONF_AUTOUPDATE
HOTFIX_R80_40_JUMBO_HF_MAIN Take: 48
FW1 build number:
This is Check Point Security Management Server R80.40 - Build 019
This is Check Point's software version R80.40 - Build 088
kernel: R80.40 - Build 079
ip redirect enable
no ip redirect
hence I have no clue where on R80.xx you can turn on redirects,
do you?
For IPv4 this behavior is controlled by the fw_icmp_redirects kernel variable, which is set to 0 by default; see sk112772: ICMP redirects drop.
I don't see a special IPv6 kernel variable for this, so setting fw_icmp_redirects to 1 should do the trick for all redirects, including IPv6.
Last login: Fri Jul 3 08:22:07 2020 from .......................::4
[Expert@cp:0]# fw ctl get int fw_icmp_redirects
fw_icmp_redirects = 1
*** It still produces 1000s of log entries with (apparently a different error!) like:
"ICMPv6 error does not match an existing connection"
so:
before it was:
"ICMPv6 redirect packets are not allowed"
now it is:
"ICMPv6 error does not match an existing connection"
tell me folks it isn't confusing and strange somehow ...
Is it possible that these ICMP redirects are somehow being sent to a broadcast or multicast address? Use tcpdump -e to check this. If so the firewall would receive the redirects even though they aren't really intended for the firewall and it would have no matching connection. I suppose you could try unchecking the "Drop out of state ICMP" checkbox on the Stateful Inspection screen under Global Properties and see what happens...
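The check suggested above (look at the frames with tcpdump -e and see whether the redirects are addressed to a multicast or broadcast address rather than to the gateway itself) can be automated over a saved capture. The following is an added example, not code from the thread or from Check Point: it parses lines in the shape of `tcpdump -e -n icmp6` output and flags each ICMPv6 redirect as delivered to a unicast address or to a group (multicast/broadcast) address, checking both the destination MAC (I/G bit) and the destination IPv6 address. The sample lines are constructed for illustration; the exact column layout of real tcpdump output may differ by version, so the regex treats the optional `IP6` prefix as tolerated.

```python
import ipaddress
import re

# Constructed sample in the shape of `tcpdump -e -n icmp6` output (not a capture from
# the poster's gateway). Line 1: redirect sent to the gateway's own link-local address.
# Line 2: the same redirect sent to the all-nodes multicast group (33:33:... / ff02::1).
# Line 3: a non-redirect ICMPv6 message, which must be ignored.
SAMPLE_LINES = """\
08:22:07.101 00:11:22:33:44:01 > 00:11:22:33:44:ff, ethertype IPv6 (0x86dd), length 118: fe80::1 > fe80::ff: ICMP6, redirect, 2001:db8::10 to 2001:db8::1, length 64
08:22:07.102 00:11:22:33:44:01 > 33:33:00:00:00:01, ethertype IPv6 (0x86dd), length 118: fe80::1 > ff02::1: ICMP6, redirect, 2001:db8::10 to 2001:db8::1, length 64
08:22:07.103 00:11:22:33:44:01 > 00:11:22:33:44:ff, ethertype IPv6 (0x86dd), length 86: fe80::1 > fe80::ff: ICMP6, echo request, seq 1, length 32
"""

# Assumed line layout: timestamp, src MAC > dst MAC, ethertype, length, then
# "[IP6 ]src > dst: ICMP6, <message type>, ...".
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+"
    r"(?P<src_mac>[0-9a-f:]{17})\s+>\s+(?P<dst_mac>[0-9a-f:]{17}),\s+"
    r"ethertype IPv6 \(0x86dd\),\s+length \d+:\s+"
    r"(?:IP6\s+)?(?P<src_ip>[0-9a-f:]+)\s+>\s+(?P<dst_ip>[0-9a-f:]+):\s+"
    r"ICMP6,\s+(?P<kind>[^,]+)",
    re.IGNORECASE,
)


def mac_is_group(mac):
    """True when the I/G bit (least significant bit of the first octet) is set,
    i.e. the frame was addressed to a multicast or broadcast MAC."""
    return bool(int(mac.split(":")[0], 16) & 0x01)


def parse_line(line):
    """Split one tcpdump -e line into its fields, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["kind"] = rec["kind"].strip()
    return rec


def classify_redirects(text):
    """Return (timestamp, src_ip, dst_ip, delivery) for every ICMPv6 redirect,
    where delivery is 'unicast' or 'group' (multicast/broadcast at layer 2 or 3)."""
    results = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["kind"].lower() != "redirect":
            continue
        l2_group = mac_is_group(rec["dst_mac"])
        l3_group = ipaddress.ip_address(rec["dst_ip"]).is_multicast
        delivery = "group" if (l2_group or l3_group) else "unicast"
        results.append((rec["ts"], rec["src_ip"], rec["dst_ip"], delivery))
    return results


def summarize(text):
    """Count redirects by delivery type; a non-zero 'group' count means the gateway
    is seeing redirects that were never addressed to it."""
    counts = {"unicast": 0, "group": 0}
    for _, _, _, delivery in classify_redirects(text):
        counts[delivery] += 1
    return counts


if __name__ == "__main__":
    for ts, src, dst, delivery in classify_redirects(SAMPLE_LINES):
        print(f"{ts} {src} -> {dst}: {delivery}")
    print(summarize(SAMPLE_LINES))
```

Run it against `tcpdump -e -n icmp6 > redirects.txt` output by reading the file in place of `SAMPLE_LINES`; a zero `group` count supports the later reply that the redirects are genuine point-to-point traffic, and the out-of-state drops are then down to the stateful ICMP handling rather than to stray multicast.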
"Is it possible that these ICMP redirects are somehow being sent to a broadcast or multicast address?" --- nope, the redirects happen on genuine point-to-point traffic (all IPv6 src/dst based, while the port remains "redirect6"). Will try Drop OOS ICMP and let you know. Just going on it and will report back. Concerning ... isn't it 🙂
see enclosed:
this setup did the trick 🙂 thanks Tim! it was a good guess though!
Drops - I don't mind, but 1000s of logs caused by this - no thanks 😛
have a lovely weekend !
