BigHec
Contributor

Will "ICMP Redirect Packets are not allowed" be causing the issue?

Hi All,

We have a centrally managed SMB of model 1600 with Firmware Version R81.10.10 (Build 945).

We will focus on two segments for this issue, 192.168.24.0/24 and 192.168.25.0/24. The 192.168.24.0/24 segment is set up as the WAN interface of the CP1600 and 192.168.25.0/24 is set up as the DMZ interface.

We are facing one issue on the segment 192.168.25.0/24, where we have the list of tools hosts below:
192.168.25.191
192.168.25.192
192.168.25.193
192.168.25.194
192.168.25.195
192.168.25.210

We are trying to ping and traceroute from the list of tools hosts in 192.168.25.0/24 to one of the servers in the segment 192.168.24.0/24, where the IP of the server is 192.168.24.21. All of the tools hosts have the same network adapter settings, with their gateway pointing to the SMB CP1600.

(Attached diagram: Screenshot 2025-01-21 215027.png)

You will see another firewall on the left side of the diagram; the gateway of the server 192.168.24.21 actually points to that other firewall and not to the SMB CP1600, but the server does have a static route for the 192.168.25.0/24 segment pointing back directly to the CP1600.

We have tested all 5 tools hosts from the segment 192.168.25.0/24 listed above against the server 192.168.24.21 with ping and traceroute. The results are listed below:
192.168.25.191 - Issue
192.168.25.192 - Issue
192.168.25.193 - Issue
192.168.25.194 - Issue
192.168.25.195 - OK
192.168.25.210 - OK

The firewall rules are in place on the CP1600, but we are not sure why the tools hosts .191, .192, .193 and .194 are unable to ping the server 192.168.24.21 while there is no issue for the tools hosts .195 and .210. The traceroute result for the tools hosts .191, .192, .193 and .194 shows asterisks all the way and does not even hit the CP1600, although it is the tools host's gateway and should be the first hop.

I also ran tcpdump on the CP1600 while pinging from the tools hosts .191, .192, .193 and .194 to the server 192.168.24.21; no traffic could be seen passing through the CP1600. When we tried again with the tools hosts .195 and .210, there were no issues and the ping traffic was visible in the tcpdump on the CP1600.

In the management firewall logs, we saw that the tools hosts .191, .192, .193 and .194 all have the same firewall log, "ICMP Redirect Packets are not allowed", while there are no such logs for the tools hosts .195 and .210.

(Attached log screenshot: Screenshot 2025-01-21 220829.png)

I am able to ping all the listed tools hosts from the CP1600 as well, and the ARP table shows the correct MAC address for each of the tools hosts.

I am wondering whether this ICMP redirect firewall log is causing the issue where the tools hosts are unable to reach the server. Why is it only showing for 4 of the tools hosts while the other 2 tools hosts are working fine?

Cheers!

PhoneBoy
Admin

The reason 192.168.25.252 is generating ICMP Redirects is because the clients in question are routing traffic to it that it is not the next hop for.
When that occurs, an ICMP Redirect is issued, and we do not allow those by default.
This points to a misconfiguration on the affected clients.

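The following model, added here as an example and not code from the thread or from Check Point, walks through the redirect condition PhoneBoy describes: a router issues an ICMP Redirect when a packet arrives on the same interface it would be forwarded out of and the better next hop lies on that same subnet (RFC 1812 section 5.2.7.2). The topology is constructed: the CP1600 is assumed to hold 192.168.25.254 on the DMZ and 192.168.24.254 on the WAN; 192.168.25.252 (the address the reply names) is modelled as a second router on the DMZ whose only path to 192.168.24.0/24 is via the CP1600; hosts .191 to .194 are assumed to have their effective gateway set to .252, and .195 and .210 to .254. None of those addresses except the server, the hosts and .252 appear on the page.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Interface, IPv4Network
from typing import Optional


@dataclass
class Route:
    prefix: IPv4Network
    iface: str
    next_hop: Optional[IPv4Address] = None   # None means directly connected


@dataclass
class Router:
    name: str
    interfaces: dict   # interface name -> IPv4Interface
    routes: list       # list of Route

    def lookup(self, dst: IPv4Address) -> Optional[Route]:
        """Longest-prefix match over the routing table."""
        matches = [r for r in self.routes if dst in r.prefix]
        return max(matches, key=lambda r: r.prefix.prefixlen, default=None)

    def iface_for(self, addr: IPv4Address) -> Optional[str]:
        """Interface whose subnet contains addr (the ingress interface for a packet from addr)."""
        for name, ifc in self.interfaces.items():
            if addr in ifc.network:
                return name
        return None

    def would_redirect(self, src: IPv4Address, dst: IPv4Address) -> Optional[IPv4Address]:
        """Return the better next hop if forwarding src -> dst triggers an ICMP Redirect, else None."""
        ingress = self.iface_for(src)
        route = self.lookup(dst)
        if ingress is None or route is None:
            return None
        if route.iface != ingress:
            return None   # leaves on another interface: normal forwarding, no redirect
        next_hop = route.next_hop if route.next_hop is not None else dst
        # Same interface in and out, and the next hop is on the sender's own subnet:
        # the router forwards the packet but also tells the sender to use next_hop directly.
        return next_hop if next_hop in self.interfaces[ingress].network else None


@dataclass
class Host:
    addr: IPv4Interface
    gateway: IPv4Address

    def first_hop(self, dst: IPv4Address) -> IPv4Address:
        return dst if dst in self.addr.network else self.gateway


def diagnose(host: Host, dst: IPv4Address, routers: dict) -> str:
    """'ok' if the host's first hop forwards normally; otherwise the redirect it would receive.
    A firewall that drops ICMP Redirects turns the redirect case into a silent black hole."""
    hop = host.first_hop(dst)
    router = routers.get(hop)
    if router is None:
        return f"no router at {hop}"
    better = router.would_redirect(host.addr.ip, dst)
    return "ok" if better is None else f"redirect via {better}"


# Constructed topology (assumed addresses, see lead-in).
CP1600_DMZ = IPv4Address("192.168.25.254")   # assumption
OTHER_GW = IPv4Address("192.168.25.252")     # named in the reply as the redirect source
SERVER = IPv4Address("192.168.24.21")

cp1600 = Router("CP1600",
                {"WAN": IPv4Interface("192.168.24.254/24"), "DMZ": IPv4Interface("192.168.25.254/24")},
                [Route(IPv4Network("192.168.24.0/24"), "WAN"),
                 Route(IPv4Network("192.168.25.0/24"), "DMZ")])

other_router = Router("other-router",
                      {"DMZ": IPv4Interface("192.168.25.252/24")},
                      [Route(IPv4Network("192.168.25.0/24"), "DMZ"),
                       Route(IPv4Network("192.168.24.0/24"), "DMZ", next_hop=CP1600_DMZ)])

ROUTERS = {CP1600_DMZ: cp1600, OTHER_GW: other_router}

HOSTS = {ip: Host(IPv4Interface(f"{ip}/24"), gw) for ip, gw in [
    ("192.168.25.191", OTHER_GW), ("192.168.25.192", OTHER_GW),
    ("192.168.25.193", OTHER_GW), ("192.168.25.194", OTHER_GW),
    ("192.168.25.195", CP1600_DMZ), ("192.168.25.210", CP1600_DMZ),
]}


def run_all() -> dict:
    """Diagnose every host against the server; hosts behind the wrong gateway show the redirect."""
    return {ip: diagnose(h, SERVER, ROUTERS) for ip, h in HOSTS.items()}


if __name__ == "__main__":
    for ip, verdict in run_all().items():
        print(f"{ip:16} {verdict}")
```

In the modelled scenario the four hosts pointed at .252 each get "redirect via 192.168.25.254": the second router forwards the first packet back onto the DMZ and emits a redirect, which the gateway drops, so nothing reaches the CP1600 and the traceroute shows only asterisks. The two hosts pointed at the CP1600 get "ok" because their traffic leaves on the WAN interface. The practical check on a real host is the same as the model: compare the host's configured gateway and mask with the router that actually owns the route.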
