ICMP redirects being reported by our ISP

plagus666
Level 1

Hello everyone,

Our ISP, which happens to be our co-location host, is reporting that they are seeing ICMP redirects from the kit in our cabinet.  I attach a basic overview of our equipment along with its IP address configuration (not the actual addresses naturally, but the subnets and addressing schemes etc are shown accurately).

Because of specific requirements we have site to site IPSec VPNs configured between:

Router 1 & Router 2
Router 1 & Router 3
Router 1 & Router 4

Each of the routers (all are Cisco IOS 800 series, with Router 1 an 1800 series) is cabled back to a Catalyst 2960 switch as shown. We have one cable from this switch to our ISP. The default routes on each router are set to 95.80.68.129.

I believe the ISP is seeing the ICMP redirects because requests are coming into and then out of the same interface on their kit for the comms between our routers.

So my question is: how can I keep everything internal to my network rather than seeing these redirects? As previously mentioned, the switch in the attached diagram is a Catalyst 2960 - I am wondering if I can configure this to "direct" traffic between its own ports rather than having the routers go out to .129 and back in again?

Thanks in advance!

4 Replies

Hi,

Is seeing this ICMP redirect a concern for you or your ISP? I think if the routers try to communicate with each other in this design, the ISP router will inform them to redirect using ICMP. If this is an overhead for the router at the ISP, they can disable ICMP redirects.

Madhu.

Paul Chapman
Level 4

Hi P-

Based on the diagram, you have the wrong subnet masks plugged into all of your routers. They should all be 255.255.255.128 (/25). Your ISP is getting ICMP redirects because your subnet configuration is wrong.

PSC

Hi Paul

Each router represents an isolated customer environment which they connect to over a site-to-site VPN - so I don't think we could have the subnets overlapping in that way.

Hi P -

The problem is that the ISP has given you one subnet to work with. You don't show a /30 handoff to your front-end switch, so I can only assume that you have one front-end VLAN for all of this communication.

If R2 has an IP of 95.80.68.169 with a mask of 255.255.255.240, then there's no way for him to get out of the local subnet (95.80.68.160) except by another router IP in the same subnet.

What's happening is that you are "routing by accident". When going downstream from the ISP, they are using a /25 mask and can see all the routers in the range. When going upstream, the default route (0.0.0.0) points to an IP that's not on the same subnet. The router will give up and try to send the traffic to the broadcast MAC (FF:FF:FF:FF:FF:FF) and hope that some upstream router responds.

This is why the ISP is sending ICMP redirects back to your routers and complaining to you.

PSC
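The "routing by accident" mechanism described in the replies, modelled as an added example (not code from the thread or from Cisco): the ISP's /25 (95.80.68.128/25, gateway .129) and R2's 95.80.68.169/28 come from the posts; the R1 and R3 addresses are constructed. It shows that with /28 masks every router-to-router packet goes via the ISP gateway and satisfies the classic ICMP redirect condition (arrived on, and would be forwarded out of, the same interface), while with the /25 masks the routers reach each other on-link and the redirects disappear.

```python
import ipaddress

# ISP side: one /25 on the front-end VLAN, gateway .129 (from the thread).
ISP_INTERFACE = ipaddress.ip_interface("95.80.68.129/25")
ISP_GATEWAY = ISP_INTERFACE.ip

# Customer routers with the /28 masks as currently configured.
# R2 is taken from the thread; R1 and R3 are constructed for illustration.
ROUTERS_AS_CONFIGURED = {
    "R1": ipaddress.ip_interface("95.80.68.131/28"),  # constructed
    "R2": ipaddress.ip_interface("95.80.68.169/28"),  # from the thread
    "R3": ipaddress.ip_interface("95.80.68.181/28"),  # constructed
}


def gateway_on_link(router, gateway):
    """True if the default gateway lies inside the router's own connected subnet."""
    return gateway in router.network


def next_hop(router, dst, gateway):
    """Where a router sends a packet: straight to dst if on-link, else to the default gateway."""
    return dst if dst in router.network else gateway


def isp_would_redirect(ingress, src, dst):
    """Redirect condition on the ISP router: source and destination both sit on the
    subnet of the interface the packet arrived on, so it would be forwarded back out
    of that same interface."""
    return src in ingress.network and dst in ingress.network


def analyse(routers, gateway, isp_if):
    """Return the ordered router pairs whose traffic would draw an ICMP redirect."""
    redirects = []
    for a, ia in routers.items():
        for b, ib in routers.items():
            if a == b:
                continue
            if next_hop(ia, ib.ip, gateway) == gateway and isp_would_redirect(isp_if, ia.ip, ib.ip):
                redirects.append((a, b))
    return redirects


def fix_masks(routers, isp_if):
    """Re-address every router with the ISP's real prefix length (the /25 fix from the thread)."""
    return {n: ipaddress.ip_interface(f"{i.ip}/{isp_if.network.prefixlen}") for n, i in routers.items()}


if __name__ == "__main__":
    print("as configured:", analyse(ROUTERS_AS_CONFIGURED, ISP_GATEWAY, ISP_INTERFACE))
    print("with /25 masks:", analyse(fix_masks(ROUTERS_AS_CONFIGURED, ISP_INTERFACE), ISP_GATEWAY, ISP_INTERFACE))
```

Any pair listed in the first line is one the ISP would complain about; the off-link gateway check (`gateway_on_link`) also flags R2 and R3, whose /28 does not even contain .129.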