How to turn around "ICMPv6 redirect packets are no...

Jerry · ‎2020-07-02

hi chaps 🙂 hope you're doing well and staying safe?

quick question to our guru's - have you got any clue where-to turn on IPv6 redirects globally?

please see enclosed, my Customer is being flooded with log messages like this one and would like to ENABLE IPv6 redirection - where about you'd potentially do that or by which file ?

ps. below is all you need to know in advance:

This is Check Point CPinfo Build 914000202 for GAIA
[IDA]
No hotfixes..

[MGMT]
HOTFIX_R80_40_JUMBO_HF_MAIN Take: 48

[CPFC]
No hotfixes..

[FW1]
HOTFIX_GOT_TPCONF_MGMT_AUTOUPDATE
HOTFIX_GOT_TPCONF_AUTOUPDATE
HOTFIX_R80_40_JUMBO_HF_MAIN Take: 48

FW1 build number:
This is Check Point Security Management Server R80.40 - Build 019
This is Check Point's software version R80.40 - Build 088
kernel: R80.40 - Build 079

Jerry

Jerry · ‎2020-07-02

aparently that splat inheritance does not work any longer ;.;.;

ip redirect enable
no ip redirect

hence I have no clue where on R80.xx you can turn-on redirects,
do you?

Jerry

Timothy_Hall · ‎2020-07-02

For IPv4 this behavior is controlled by the fw_icmp_redirects kernel variable which is set to 0 by default, see sk112772: ICMP redirects drop

I don't see a special IPv6 kernel variable for this, so setting fw_icmp_redirects to 1 should to the trick for all redirects including IPv6.

Attend my 60-minute "Be your Own TAC: Part Deux" Presentation
Exclusively at CPX 2025 Las Vegas Tuesday Feb 25th @ 1:00pm

Jerry · ‎2020-07-03

Thanks Tim, I'll test it and update you due course 🙂

Jerry

Jerry · ‎2020-07-03

Done:

Last login: Fri Jul 3 08:22:07 2020 from .......................::4
[Expert@cp:0]# fw ctl get int fw_icmp_redirects
fw_icmp_redirects = 1

*** It still produces 1000s of log entries with (aparently different error!) like:

"ICMPv6 error does not match an existing connection"

so:

before it was:

"ICMPv6 redirect packets are not allowed"

now it is:

"ICMPv6 error does not match an existing connection"

tell me folks it isn't confusing and strange somehow ...

Jerry

Timothy_Hall · ‎2020-07-03

Is it possible that these ICMP redirects are somehow being sent to a broadcast or multicast address? Use tcpdump -e to check this. If so the firewall would receive the redirects even though they aren't really intended for the firewall and it would have no matching connection. I suppose you could try unchecking the "Drop out of state ICMP" checkbox on the Stateful Inspection screen under Global Properties and see what happens...

Attend my 60-minute "Be your Own TAC: Part Deux" Presentation
Exclusively at CPX 2025 Las Vegas Tuesday Feb 25th @ 1:00pm

Jerry · ‎2020-07-03

"Is it possible that these ICMP redirects are somehow being sent to a broadcast or multicast address?" --- nop, the redirects happens on genuine point-2-point traffic (all IPv6 src/dst based while port remains "redirect6", will try Drop OOS ICMP and let you know. Just going on it and will report back. Concerning ... isn't it 🙂

see enclosed.:

Jerry

Jerry · ‎2020-07-03

this setup did the trick 🙂 thanks Tim! it was a good guess though!

Drops - I don't mind, but 1000s of logs caused by this - no thanks 😛

have a lovely weekend !

Jerry

Are you a member of CheckMates?

How to turn around "ICMPv6 redirect packets are not allowed" messages in the logs ...