ICMP redirects - new nexthop is a byte-reversed IP of gateway

kingtrw
Level 1

I'm seeing behaviour on a legacy stack that I am struggling to understand, and am hoping someone can help explain what is occurring. Please forgive me if I get some details a bit wrong, as I am not an expert in this area!

I am using a public IP range. My gateway for this range is on a Cat3850 and I'll call it A1.A2.A3.A4. The gateway of last resort configured on the 3850 is on a Fortinet firewall and I'll call it B1.B2.B3.B4.

I'm running a ping to an RFC 1918 address that I route to via a VPN tunnel on the firewall. It responds as I expect, but occasionally there are entries that say

From <gateway DNS> (A1.A2.A3.A4) icmp_seq=XX Redirect Network(new nexthop: B1.B2.B3.B4.some.server.in.japan (B4.B3.B2.B1)

So as far as I can tell, my Cat3850 gateway is randomly sending a network redirect packet, specifying an IP address that is a byte-reversed (or inverted / mirrored) version of its gateway of last resort.

I'm really confused by this, as is everyone I've asked about it. If there's anyone here who can offer any suggestions, I'd be really grateful!

many thanks!

4 Replies

The traffic to DNS is redirected into the VPN.

To solve this issue, add a route for DNS toward your ISP with a low AD instead of sending the traffic directly into the VPN.

MHM

kingtrw
Level 1

Sorry, I'm not sure I understand!

The majority of pings work as expected, e.g.

64 bytes from some.internal.host (10.142.4.1): icmp_seq=1 ttl=126 time=0.904 ms

but occasionally (around 1 in 80) the response is a network redirect.

What I want to work out is why the 3850 is advertising a nexthop of B4.B3.B2.B1, which is an address on the other side of the world. The address B1.B2.B3.B4 would be the correct option, but somehow the 3850 is flipping it.

An ICMP redirect uses the next hop, not the locally connected IP, if that is what you are asking.

But the real question is why the switch uses a redirect in the first place.

DNS can use a different path; then the switch sees that the path via the VPN is the best one and sends a redirect.

MHM

kingtrw
Level 1

I'm really sorry, I still don't understand.

I've read https://www.cisco.com/c/en/us/support/docs/ios-nx-os-software/nx-os-software/213841-understanding-icmp-redirect-messages.html and I can't see anything relevant.

The routing table on the switch seems to be correct, so the question is entirely why the switch is providing a nexthop value that is a byte-reversed version of its gateway. If the nexthop value were B1.B2.B3.B4 that would make sense entirely, but B4.B3.B2.B1 seems totally inexplicable.
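As an added example that is not part of the thread and not Cisco code: the pattern the poster describes in the original question and again in the two follow-ups (a next hop of B4.B3.B2.B1 where B1.B2.B3.B4 was expected) is exactly what you get when the 4-byte gateway field of an ICMP Redirect is read as a host-order 32-bit integer on a little-endian CPU instead of in network byte order. The Python below builds a Redirect the way a router puts it on the wire (RFC 792: type 5, code 0 for "Redirect Datagram for the Network", checksum, 4-byte gateway address, then the IP header plus first 8 bytes of the datagram that triggered it), parses it back, and reports the gateway field both ways. The addresses are documentation placeholders standing in for A1.A2.A3.A4 and B1.B2.B3.B4, which the poster withheld; the byte-order mix-up is shown as one mechanism that produces the reversed pattern, not as a confirmed diagnosis of the 3850 or of the ping client.

```python
"""Build and parse an ICMPv4 Redirect; show the byte-order reversal.

Added example: not from the thread, not Cisco or iputils code.  All
addresses and the sample datagram are constructed placeholders.
"""
import ipaddress
import socket
import struct

ICMP_REDIRECT = 5        # ICMPv4 type 5: Redirect
REDIRECT_NETWORK = 0     # code 0: Redirect Datagram for the Network
REDIRECT_HOST = 1        # code 1: Redirect Datagram for the Host

# Assumed placeholder addresses (RFC 5737 documentation ranges), not the poster's:
#   NEXTHOP stands in for B1.B2.B3.B4, the firewall the 3850 points at.
NEXTHOP = "203.0.113.4"
PINGING_HOST = "198.51.100.50"
PING_TARGET = "10.142.4.1"   # the RFC 1918 target mentioned in the thread


def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words (odd length zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, payload_len: int, proto: int = 1) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", internet_checksum(hdr)) + hdr[12:]


def build_redirect(new_nexthop: str, offending_datagram: bytes,
                   code: int = REDIRECT_NETWORK) -> bytes:
    """Redirect as a router emits it: type, code, checksum, gateway, then the
    IP header and first 8 bytes of the datagram that triggered it.  The
    gateway field is in network (big-endian) byte order like every IPv4
    address field on the wire."""
    gw = socket.inet_aton(new_nexthop)
    quoted = offending_datagram[:28]
    unsummed = struct.pack("!BBH", ICMP_REDIRECT, code, 0) + gw + quoted
    csum = internet_checksum(unsummed)
    return struct.pack("!BBH", ICMP_REDIRECT, code, csum) + gw + quoted


def parse_redirect(pkt: bytes) -> dict:
    """Parse a Redirect and report the gateway field two ways:
    'new_nexthop' reads the 4 bytes in network order (correct);
    'new_nexthop_if_byte_swapped' loads the same 4 bytes as a host-order
    uint32 on a little-endian CPU, which turns B1.B2.B3.B4 into B4.B3.B2.B1."""
    if len(pkt) < 28:
        raise ValueError("truncated ICMP redirect")
    icmp_type, code, _ = struct.unpack("!BBH", pkt[:4])
    if icmp_type != ICMP_REDIRECT:
        raise ValueError(f"not a redirect (type {icmp_type})")
    if internet_checksum(pkt) != 0:          # a valid message sums to zero
        raise ValueError("bad ICMP checksum")
    gw_field = pkt[4:8]
    correct = socket.inet_ntoa(gw_field)
    swapped = str(ipaddress.IPv4Address(struct.unpack("<I", gw_field)[0]))
    # The quoted IP header starts at offset 8; src/dst sit at +12 and +16.
    quoted_src = socket.inet_ntoa(pkt[20:24])
    quoted_dst = socket.inet_ntoa(pkt[24:28])
    return {
        "code": code,
        "kind": {REDIRECT_NETWORK: "Network", REDIRECT_HOST: "Host"}.get(code, str(code)),
        "new_nexthop": correct,
        "new_nexthop_if_byte_swapped": swapped,
        "redirected_flow": (quoted_src, quoted_dst),
    }


def is_valid_redirect(pkt: bytes) -> bool:
    """True if pkt parses as a well-formed Redirect with a good checksum."""
    try:
        parse_redirect(pkt)
        return True
    except ValueError:
        return False


def ping_style_line(pkt: bytes) -> str:
    """Render the parsed redirect roughly the way iputils ping prints it."""
    info = parse_redirect(pkt)
    return f"Redirect {info['kind']}(New nexthop: {info['new_nexthop']})"


# Constructed sample: an echo request from the pinging host to the RFC 1918
# target, and the redirect a router would send back for it.
ECHO_REQUEST = build_ipv4_header(PINGING_HOST, PING_TARGET, 8) + \
    struct.pack("!BBHHH", 8, 0, 0, 0x4242, 1)
REDIRECT_ON_WIRE = build_redirect(NEXTHOP, ECHO_REQUEST)

if __name__ == "__main__":
    info = parse_redirect(REDIRECT_ON_WIRE)
    print(ping_style_line(REDIRECT_ON_WIRE))
    print("gateway field read in network order:", info["new_nexthop"])
    print("gateway field read byte-swapped    :", info["new_nexthop_if_byte_swapped"])
    print("redirected flow                    :", info["redirected_flow"])
```

Before chasing the switch, capture the redirect on the pinging host (for example with tcpdump and the filter `icmp[0] == 5`) and compare the four gateway bytes in the capture with what ping prints; that tells you whether the reversal is on the wire or only in the display. Two practitioner points also apply: Linux only acts on redirects when `net.ipv4.conf.<interface>.accept_redirects` is enabled, and on IOS `no ip redirects` on the SVI stops the 3850 from generating them at all. Since ICMP redirects are a classic spoofing vector for on-path interception, hosts are commonly configured to ignore them regardless.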