Static Route Issue: ICMP redirect packets are not sent for ongoing sessions
There is an issue where the session is disconnected when connecting via Static Route.
I haven't had the problem with another router, so could you please investigate the X50?
I have configured the following NW at home.
NW1:192.168.250.0/24
Gateway 192.168.250.1(Deco X50)
VPN Router 192.168.250.250(YamahaRTX)
VPN Router 192.168.250.252(Fortigate)
PC1-1 192.168.250.145(CentOS:Wired)
PC1-2 192.168.250.132(Windows10:Wi-Fi)
NW2:192.168.0.0/24(via VPNRouter(YamahaRTX))
PC2-1 192.168.0.211(Windows)
PC2-2 192.168.0.250(VPNRouter)
I registered the following as a Static Route on X50.
Address:192.168.0.0
Subnet Mask:255.255.255.0
Gateway:192.168.250.250
Interface:LAN
I can Ping, RDP, and TELNET from NW1's PC (1-1,1-2) to NW2's PC (2-1,2-2), but the following situation occurs.
PC1-1:Session disconnects after about 5 minutes
PC1-2:Session disconnects after about 1 minute
When I checked the packet capture, an ICMP Redirect is sent for SYN packets, but no ICMP Redirect is sent for Push+ACK while the session is ongoing.
It seems that the cache route on the PC side is not updated and the session is disconnected because the ICMP Redirect Packet is not sent.
When I set another router (Fortigate) as the default gateway and added the following static route settings to Fortigate,
I confirmed that an ICMP Redirect is sent for both SYN and Push+ACK, and the session can continue.
<Fortigate Static Route>
Destination:192.168.0.0/24
Gateway IP:192.168.250.250
Thank you for your consideration.
----Packet Captures, Route Information----
<Default Gateway:Deco X50>
[root@zr2 ~]# ip r get 192.168.0.250
192.168.0.250 via 192.168.250.1 dev ens32 src 192.168.250.145
cache
<Packet capture when connecting a new session(TELNET from PC1-1 to PC2-2)>
[root@zr2 ~]# tcpdump -n -i any tcp port 23 or icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
09:07:06.719877 IP 192.168.250.145.36806 > 192.168.0.250.telnet: Flags [S], seq 1613602046, win 29200, options [mss 1460,sackOK,TS val 56699875 ecr 0,nop,wscale 7], length 0
09:07:06.720658 IP 192.168.250.1 > 192.168.250.145: ICMP redirect 192.168.0.250 to host 192.168.250.250, length 68
09:07:06.736833 IP 192.168.0.250.telnet > 192.168.250.145.36808: Flags [S.], seq 4149378034, ack 1613602047, win 65535, options [mss 1320,nop,wscale 1,nop,nop,TS val 590819087 ecr 56699875], length 0
09:07:06.736894 IP 192.168.250.145.36806 > 192.168.0.250.telnet: Flags [.], ack 1, win 229, options [nop,nop,TS val 56699892 ecr 590819087], length 0
09:07:06.737095 IP 192.168.250.145.36806 > 192.168.0.250.telnet: Flags [P.], seq 1:25, ack 1, win 229, options [nop,nop,TS val 56699892 ecr 590819087], length 24 [telnet DO SUPPRESS GO AHEAD, WILL TERMINAL TYPE, WILL NAWS, WILL TSPEED, WILL LFLOW, WILL LINEMODE, WILL NEW-ENVIRON, DO STATUS [|telnet]
09:07:06.752937 IP 192.168.0.250.telnet > 192.168.250.145.36806: Flags [P.], seq 1:16, ack 1, win 32768, options [nop,nop,TS val 590819089 ecr 56699892], length 15 [telnet WILL SUPPRESS GO AHEAD, DO ECHO, DO NAWS, WILL STATUS, DO LFLOW [|telnet]
09:07:06.753014 IP 192.168.250.145.36806 > 192.168.0.250.telnet: Flags [.], ack 16, win 229, options [nop,nop,TS val 56699908 ecr 590819089], length 0
09:07:06.765951 IP 192.168.0.250.telnet > 192.168.250.145.36806: Flags [P.], seq 16:28, ack 25, win 32768, options [nop,nop,TS val 590819090 ecr 56699892], length 12 [telnet DO TERMINAL TYPE, DO TSPEED, DONT LINEMODE, DONT NEW-ENVIRON [|telnet]
09:07:06.765996 IP 192.168.250.145.36806 > 192.168.0.250.telnet: Flags [P.], seq 25:37, ack 28, win 229, options [nop,nop,TS val 56699921 ecr 590819090], length 12 [telnet WONT ECHO, SB NAWS IS 0x8a 0 0x24 SE [|telnet]
09:07:06.782536 IP 192.168.0.250.telnet > 192.168.250.145.36808: Flags [P.], seq 28:43, ack 37, win 32768, options [nop,nop,TS val 590819092 ecr 56699921], length 15 [telnet WILL ECHO]
09:07:06.782775 IP 192.168.250.145.36806 > 192.168.0.250.telnet: Flags [P.], seq 37:40, ack 43, win 229, options [nop,nop,TS val 56699938 ecr 590819092], length 3 [telnet DO ECHO [|telnet]
09:07:06.898820 IP 192.168.0.250.telnet > 192.168.250.145.36806: Flags [.], ack 40, win 32768, options [nop,nop,TS val 590819104 ecr 56699938], length 0
09:07:19.198243 IP 192.168.250.145.36806 > 192.168.0.250.telnet: Flags [P.], seq 40:41, ack 43, win 229, options [nop,nop,TS val 56712353 ecr 590819104], length 1
09:07:19.302010 IP 192.168.0.250.telnet > 192.168.250.145.36806: Flags [.], ack 41, win 32768, options [nop,nop,TS val 590820344 ecr 56712353], length 0
<Route information,Cache information>
[root@zr2 ~]# ip r get 192.168.0.250
192.168.0.250 via 192.168.250.250 dev ens32 src 192.168.250.145
cache <redirected> expires 268sec
<Packet capture after cache runs out>
[root@zr2 ~]# ip r get 192.168.0.250
192.168.0.250 via 192.168.250.1 dev ens32 src 192.168.250.145
cache
09:12:17.924759 IP 192.168.250.145.36806 > 192.168.0.250.telnet: Flags [.], ack 13, win 1424, options [nop,nop,TS val 56351080 ecr 590784214], length 0
09:12:17.935736 IP 192.168.0.250.telnet > 192.168.250.145.36806: Flags [P.], seq 13:16, ack 6, win 32768, options [nop,nop,TS val 590784215 ecr 56351080], length 3
09:12:17.935753 IP 192.168.250.145.36806 > 192.168.0.250.telnet: Flags [.], ack 16, win 1424, options [nop,nop,TS val 56351091 ecr 590784215], length 0
09:12:23.173827 IP 192.168.250.145.36806 > 192.168.0.250.telnet: Flags [P.], seq 6:8, ack 16, win 1424, options [nop,nop,TS val 56356329 ecr 590784215], length 2
//ICMP Redirect Packet cannot be received. No response returned
09:12:23.398800 IP 192.168.250.145.36806 > 192.168.0.250.telnet: Flags [P.], seq 6:8, ack 16, win 1424, options [nop,nop,TS val 56356554 ecr 590784215], length 2
09:12:23.850076 IP 192.168.250.145.36806 > 192.168.0.250.telnet: Flags [P.], seq 6:8, ack 16, win 1424, options [nop,nop,TS val 56357005 ecr 590784215], length 2
09:12:24.753348 IP 192.168.250.145.36806 > 192.168.0.250.telnet: Flags [P.], seq 6:8, ack 16, win 1424, options [nop,nop,TS val 56357909 ecr 590784215], length 2
09:12:26.557827 IP 192.168.250.145.36806 > 192.168.0.250.telnet: Flags [P.], seq 6:8, ack 16, win 1424, options [nop,nop,TS val 56359713 ecr 590784215], length 2
09:12:30.164514 IP 192.168.250.145.36806 > 192.168.0.250.telnet: Flags [P.], seq 6:8, ack 16, win 1424, options [nop,nop,TS val 56363320 ecr 590784215], length 2
<If you execute Ping in this state, you can receive ICMP Redirect.>
09:12:34.199538 IP 192.168.250.145 > 192.168.0.250: ICMP echo request, id 4103, seq 1, length 64
09:12:34.200321 IP 192.168.250.1 > 192.168.250.145: ICMP redirect 192.168.0.250 to host 192.168.250.250, length 92
09:12:34.214247 IP 192.168.0.250 > 192.168.250.145: ICMP echo reply, id 4103, seq 1, length 64
09:12:35.201076 IP 192.168.250.145 > 192.168.0.250: ICMP echo request, id 4103, seq 2, length 64
09:12:35.213833 IP 192.168.0.250 > 192.168.250.145: ICMP echo reply, id 4103, seq 2, length 64
09:12:36.202980 IP 192.168.250.145 > 192.168.0.250: ICMP echo request, id 4103, seq 3, length 64
09:12:36.214576 IP 192.168.0.250 > 192.168.250.145: ICMP echo reply, id 4103, seq 3, length 64
09:12:37.372643 IP 192.168.250.145.36806 > 192.168.0.250.telnet: Flags [P.], seq 6:8, ack 16, win 1424, options [nop,nop,TS val 56370528 ecr 590784215], length 2
09:12:37.385601 IP 192.168.0.250.telnet > 192.168.250.145.36806: Flags [P.], seq 16:18, ack 8, win 32768, options [nop,nop,TS val 590786159 ecr 56370528], length 2
//Session continued
09:12:37.385655 IP 192.168.250.145.36806 > 192.168.0.250.telnet: Flags [P.], seq 8:18, ack 18, win 1424, options [nop,nop,TS val 56370541 ecr 590786159], length 10
09:12:37.397263 IP 192.168.0.250.telnet > 192.168.250.145.36806: Flags [P.], seq 18:21, ack 18, win 32763, options [nop,nop,TS val 590786161 ecr 56370541], length 3
09:12:37.436619 IP 192.168.250.145.36806 > 192.168.0.250.telnet: Flags [.], ack 21, win 1424, options [nop,nop,TS val 56370592 ecr 590786161], length 0
09:12:37.448461 IP 192.168.0.250.telnet > 192.168.250.145.36806: Flags [P.], seq 21:42, ack 18, win 32768, options [nop,nop,TS val 590786166 ecr 56370592], length 21
09:12:37.448491 IP 192.168.250.145.36806 > 192.168.0.250.telnet: Flags [.], ack 42, win 1424, options [nop,nop,TS val 56370604 ecr 590786166], length 0
<Default Gateway:Fortigate>
[root@zr2 ~]# ip r get 192.168.0.250
192.168.0.250 via 192.168.250.252 dev ens32 src 192.168.250.145
cache
<Packet capture when connecting a new session(TELNET from PC1-1 to PC2-2)>
[root@zr2 ~]# tcpdump -n -i any tcp port 23 or icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
09:14:55.248482 IP 192.168.250.145.36810 > 192.168.0.250.telnet: Flags [S], seq 3602106242, win 29200, options [mss 1460,sackOK,TS val 57168403 ecr 0,nop,wscale 7], length 0
09:14:55.250314 IP 192.168.250.252 > 192.168.250.145: ICMP redirect 192.168.0.250 to host 192.168.250.250, length 68
09:14:55.265280 IP 192.168.0.250.telnet > 192.168.250.145.36810: Flags [S.], seq 3476302559, ack 3602106243, win 65535, options [mss 1320,nop,wscale 1,nop,nop,TS val 590865930 ecr 57168403], length 0
09:14:55.265322 IP 192.168.250.145.36810 > 192.168.0.250.telnet: Flags [.], ack 1, win 229, options [nop,nop,TS val 57168421 ecr 590865930], length 0
09:14:55.265426 IP 192.168.250.145.36810 > 192.168.0.250.telnet: Flags [P.], seq 1:25, ack 1, win 229, options [nop,nop,TS val 57168421 ecr 590865930], length 24 [telnet DO SUPPRESS GO AHEAD, WILL TERMINAL TYPE, WILL NAWS, WILL TSPEED, WILL LFLOW, WILL LINEMODE, WILL NEW-ENVIRON, DO STATUS [|telnet]
09:14:55.280743 IP 192.168.0.250.telnet > 192.168.250.145.36810: Flags [P.], seq 1:16, ack 1, win 32768, options [nop,nop,TS val 590865931 ecr 57168421], length 15 [telnet WILL SUPPRESS GO AHEAD, DO ECHO, DO NAWS, WILL STATUS, DO LFLOW [|telnet]
09:14:55.280772 IP 192.168.250.145.36810 > 192.168.0.250.telnet: Flags [.], ack 16, win 229, options [nop,nop,TS val 57168436 ecr 590865931], length 0
09:14:55.293554 IP 192.168.0.250.telnet > 192.168.250.145.36810: Flags [P.], seq 16:28, ack 25, win 32768, options [nop,nop,TS val 590865933 ecr 57168421], length 12 [telnet DO TERMINAL TYPE, DO TSPEED, DONT LINEMODE, DONT NEW-ENVIRON [|telnet]
09:14:55.293580 IP 192.168.250.145.36810 > 192.168.0.250.telnet: Flags [P.], seq 25:37, ack 28, win 229, options [nop,nop,TS val 57168449 ecr 590865933], length 12 [telnet WONT ECHO, SB NAWS IS 0x8a 0 0x24 SE [|telnet]
09:14:55.308162 IP 192.168.0.250.telnet > 192.168.250.145.36810: Flags [P.], seq 28:33, ack 37, win 32768, options [nop,nop,TS val 590865934 ecr 57168449], length 5 [telnet WILL ECHO]
09:14:55.308272 IP 192.168.250.145.36810 > 192.168.0.250.telnet: Flags [P.], seq 37:40, ack 33, win 229, options [nop,nop,TS val 57168463 ecr 590865934], length 3 [telnet DO ECHO [|telnet]
09:14:55.323940 IP 192.168.0.250.telnet > 192.168.250.145.36810: Flags [P.], seq 33:44, ack 40, win 32766, options [nop,nop,TS val 590865936 ecr 57168463], length 11
09:14:55.366577 IP 192.168.250.145.36810 > 192.168.0.250.telnet: Flags [.], ack 44, win 229, options [nop,nop,TS val 57168522 ecr 590865936], length 0
09:15:03.102830 IP 192.168.250.145.36810 > 192.168.0.250.telnet: Flags [P.], seq 40:42, ack 44, win 229, options [nop,nop,TS val 57176258 ecr 590865936], length 2
09:15:03.119399 IP 192.168.0.250.telnet > 192.168.250.145.36810: Flags [P.], seq 44:46, ack 42, win 32768, options [nop,nop,TS val 590866715 ecr 57176258], length 2
09:15:03.119446 IP 192.168.250.145.36810 > 192.168.0.250.telnet: Flags [.], ack 46, win 229, options [nop,nop,TS val 57176275 ecr 590866715], length 0
09:15:03.134414 IP 192.168.0.250.telnet > 192.168.250.145.36810: Flags [P.], seq 46:107, ack 42, win 32768, options [nop,nop,TS val 590866717 ecr 57176275], length 61
<Route information,Cache information>
[root@zr2 ~]# ip r get 192.168.0.250
192.168.0.250 via 192.168.250.250 dev ens32 src 192.168.250.145
cache <redirected> expires 268sec
<Packet capture after cache runs out>
[root@zr2 ~]# ip r get 192.168.0.250
192.168.0.250 via 192.168.250.250 dev ens32 src 192.168.250.145
cache <redirected> expires 4sec
[root@zr2 ~]# ip r get 192.168.0.250
192.168.0.250 via 192.168.250.252 dev ens32 src 192.168.250.145
cache
09:20:11.400436 IP 192.168.250.145.36812 > 192.168.0.250.telnet: Flags [P.], seq 166:168, ack 24553, win 807, options [nop,nop,TS val 57484555 ecr 590894808], length 2
09:20:11.401496 IP 192.168.250.252 > 192.168.250.145: ICMP redirect 192.168.0.250 to host 192.168.250.250, length 62
09:20:11.414284 IP 192.168.0.250.telnet > 192.168.250.145.36812: Flags [P.], seq 24553:24555, ack 168, win 32768, options [nop,nop,TS val 590897538 ecr 57484555], length 2
09:20:11.414310 IP 192.168.250.145.36812 > 192.168.0.250.telnet: Flags [.], ack 24555, win 807, options [nop,nop,TS val 57484570 ecr 590897538], length 0
09:20:11.425839 IP 192.168.0.250.telnet > 192.168.250.145.36812: Flags [P.], seq 24555:24558, ack 168, win 32768, options [nop,nop,TS val 590897539 ecr 57484570], length 3
09:20:11.425880 IP 192.168.250.145.36812 > 192.168.0.250.telnet: Flags [.], ack 24558, win 807, options [nop,nop,TS val 57484581 ecr 590897539], length 0
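
Added example, not part of the original post: a small Python check that reads `tcpdump` text output like the captures above and separates TCP segments that drew an ICMP redirect from segments that were retransmitted several times without one, which is the stall pattern in the Deco X50 capture. The names `analyze` and `secs`, the thresholds `min_tx` and `window`, and the abridged sample lines are assumptions made for this illustration.

```python
import re

# Constructed sample in tcpdump text format, modelled on the Deco X50 capture in the post.
SAMPLE = """\
09:07:06.719877 IP 192.168.250.145.36806 > 192.168.0.250.telnet: Flags [S], seq 1613602046, win 29200, length 0
09:07:06.720658 IP 192.168.250.1 > 192.168.250.145: ICMP redirect 192.168.0.250 to host 192.168.250.250, length 68
09:12:23.173827 IP 192.168.250.145.36806 > 192.168.0.250.telnet: Flags [P.], seq 6:8, ack 16, win 1424, length 2
09:12:23.398800 IP 192.168.250.145.36806 > 192.168.0.250.telnet: Flags [P.], seq 6:8, ack 16, win 1424, length 2
09:12:23.850076 IP 192.168.250.145.36806 > 192.168.0.250.telnet: Flags [P.], seq 6:8, ack 16, win 1424, length 2
09:12:34.199538 IP 192.168.250.145 > 192.168.0.250: ICMP echo request, id 4103, seq 1, length 64
09:12:34.200321 IP 192.168.250.1 > 192.168.250.145: ICMP redirect 192.168.0.250 to host 192.168.250.250, length 92
09:12:37.372643 IP 192.168.250.145.36806 > 192.168.0.250.telnet: Flags [P.], seq 6:8, ack 16, win 1424, length 2
"""

IP4 = r"(\d+\.\d+\.\d+\.\d+)"
TCP = re.compile(rf"^(\S+) IP {IP4}\.(\w+) > {IP4}\.([\w-]+): Flags \[([^\]]*)\], seq (\d+(?::\d+)?)")
REDIR = re.compile(rf"^(\S+) IP {IP4} > {IP4}: ICMP redirect {IP4} to host {IP4},")

def secs(ts):
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)

def analyze(capture, min_tx=3, window=0.5):
    """Return (segments that drew a redirect, segments retransmitted without one)."""
    segs, last = {}, {}   # last: (src, dst) -> key of the most recent TCP segment
    for line in capture.splitlines():
        if m := TCP.match(line):
            ts, src, sport, dst, dport, flags, seq = m.groups()
            key = (src, sport, dst, dport, seq)
            rec = segs.setdefault(key, {"first": ts, "flags": flags, "tx": 0, "via": None})
            rec["tx"], rec["last"] = rec["tx"] + 1, secs(ts)
            last[(src, dst)] = key
        elif m := REDIR.match(line):
            ts, gw, host, target, new_hop = m.groups()
            key = last.get((host, target))
            # Attribute the redirect only to a segment sent just before it.
            if key and secs(ts) - segs[key]["last"] <= window:
                segs[key]["via"] = (gw, new_hop)
    triggered = [(r["first"], r["flags"], *r["via"]) for r in segs.values() if r["via"]]
    stalled = [(r["first"], r["flags"], k[4], r["tx"]) for k, r in segs.items()
               if r["via"] is None and r["tx"] >= min_tx]
    return triggered, stalled

if __name__ == "__main__":
    triggered, stalled = analyze(SAMPLE)
    print("redirected:", triggered)
    print("retransmitted with no redirect:", stalled)
```

The redirect that follows the ping in the sample is not credited to the stalled Telnet segment, because it arrives more than `window` seconds after that segment's last transmission.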