ICMP redirect WTF

Started by wintermute000, January 28, 2016, 05:43:03 AM

wintermute000

OK here is a super strange scenario I got at home.


My home GW (ISP cable modem/router/wifi all-in-one) started going flaky re: mgt plane. Pings were failing 3/4 times, could not bring up web UI (though occasionally parts of the page would load). However, traffic through the thing seemed fine - zero browsing etc. issues - hence mgt plane issue.
One really weird symptom was that if I had my lab multilayer switch (Cisco SG300) up, I would get ICMP redirects. WTF
Just for laughs I fired up Wireshark on my PC and corroborated it - as soon as I start sending IP packets destined for 192.168.0.1 (ISP router LAN/default GW), the multilayer switch on 192.168.0.5 would start sending a torrent of ICMP redirects directly back to my NIC.


This does not make sense. Assuming we're not talking about an attack, ICMP redirects are sent by a router back to the host when its best route is via the interface it's receiving the packet on.
At no stage were any packets directed at the multilayer switch IP of 192.168.0.5 or its MAC address for that matter.
Now these redirects were NOT causing the initial problem as I could not get onto the ISP router even with the lab switch off. But what the heck is this behaviour?
I couldn't even find any setting in the multilayer switch to turn off or on ICMP redirect.


I confirmed ARP, MAC address caches etc. all fine, and the fix was simply to reboot the ISP router (duh).
And now that I've rebooted the ISP router and it's responding normally to Web UI and pings.... the ICMP redirect behaviour has stopped.


I can't think of any explanation other than the ISP router 'rewriting' the MAC address for any packets destined to its IP to the MAC address of the multilayer switch.
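
An added example, not part of the original post: a Python sketch that parses an ICMP redirect pulled from a capture and applies the two RFC 1122 acceptance checks, plus one extra heuristic, to the scenario described above. Only 192.168.0.1 and 192.168.0.5 come from the post; the /24 prefix, the host address 192.168.0.10, the redirect's new-gateway value and the 10.1.1.1 destination are constructed sample values.

```python
import ipaddress
import struct

def ip_hdr(src, dst, total_len):
    # Minimal 20-byte IPv4 header, protocol 1 (ICMP), checksum left at 0.
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 1, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)

def build_redirect(sender, host, new_gw, orig_dst):
    # Constructed sample: ICMP type 5 code 1 quoting the host's echo request.
    inner = ip_hdr(host, orig_dst, 28) + b"\x08\x00\x00\x00\x00\x01\x00\x01"
    icmp = struct.pack("!BBH4s", 5, 1, 0, ipaddress.IPv4Address(new_gw).packed)
    return ip_hdr(sender, host, 28 + len(inner)) + icmp + inner

def parse_redirect(pkt):
    # Return the redirect's fields, or None if pkt is not an IPv4 ICMP redirect.
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or pkt[9] != 1 or len(pkt) < ihl + 28 or pkt[ihl] != 5:
        return None
    inner = pkt[ihl + 8:]  # quoted header of the packet that triggered it
    addr = ipaddress.IPv4Address
    return {"sender": addr(pkt[12:16]), "new_gateway": addr(pkt[ihl + 4:ihl + 8]),
            "orig_src": addr(inner[12:16]), "orig_dst": addr(inner[16:20])}

def triage(pkt, first_hop, lan):
    # Reasons to distrust the redirect; an empty list means it is plausible.
    r = parse_redirect(pkt)
    if r is None:
        return ["not an ICMP redirect"]
    reasons = []
    if r["sender"] != first_hop:      # RFC 1122 3.2.2.2
        reasons.append("sender is not the first hop used for this destination")
    if r["new_gateway"] not in lan:   # RFC 1122 3.2.2.2
        reasons.append("new gateway is off-link")
    if r["orig_dst"] in lan:          # extra heuristic, not from the RFC
        reasons.append("original destination is on-link, no router involved")
    return reasons

LAN = ipaddress.ip_network("192.168.0.0/24")   # assumed prefix
GW = ipaddress.ip_address("192.168.0.1")
# Thread scenario: 192.168.0.5 redirects traffic addressed to 192.168.0.1.
SUSPECT = build_redirect("192.168.0.5", "192.168.0.10", "192.168.0.1", "192.168.0.1")
# Ordinary case: the default gateway points the host at a better router.
LEGIT = build_redirect("192.168.0.1", "192.168.0.10", "192.168.0.5", "10.1.1.1")
print(triage(SUSPECT, GW, LAN), triage(LEGIT, GW, LAN))
```

The redirect from the thread fails two checks (wrong sender, on-link destination), while the ordinary default-gateway redirect passes all three.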

Reggle

I come to a somewhat similar conclusion. I don't know the exact topology but if it happens again, I wonder if you could do a SPAN session between the SG300 and the router.

deanwebb

:itcrowd:

Just curious, how much labbing have you done with the SG300? Anything that might cause it to do crazy stuff?
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Any questions? No questions! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.

sergeyrar

I wouldn't be surprised if it's a bug.
I used to test SG300 switches... real piece of crap :D


(p.s - sorry my bad)