Re: [leaf-user] Ingnore redirects

Charles Steinkuehler Wed, 18 Dec 2002 07:49:49 -0800

Sergio Morilla wrote:

Hi,


I have these messages in my logs.

Dec 17 06:45:33 tptrtr kernel: host 1801a8c0/if8 ignores redirects for c803a8c0 to fe01a8c0.
Dec 17 07:02:05 tptrtr kernel: host 1801a8c0/if8 ignores redirects for c803a8c0 to fe01a8c0.
Dec 17 07:18:38 tptrtr kernel: host 1801a8c0/if8 ignores redirects for c803a8c0 to fe01a8c0.
Dec 17 07:35:10 tptrtr kernel: host 1801a8c0/if8 ignores redirects for c803a8c0 to fe01a8c0.
Dec 17 07:51:19 tptrtr kernel: host 1801a8c0/if8 ignores redirects for c803a8c0 to fe01a8c0.

1801a8c0	192.168.1.24	A W2K Server PDC running RAS
c803a8c0	192.168.3.200	A W2K Server BDC running Exchange
fe01a8c0	192.168.1.254	A Vanguard Router between 192.168.1.x and 192.168.3.x

I can't understand what are this messages meaning!!

The windows server: 1801a8c0 (192.168.1.24)

is sending packets for: c803a8c0 (192.168.3.200)

to your firewall instead of: fe01a8c0 (192.168.1.254)

Your firewall then sends an ICMP redirect message to 192.168.1.24, telling it there is a better route to the 192.168.3.200 machine, but your PDC/RAS server is not listening.

This error is a result of incorrect routing tables on your windows PDC. All systems on the 192.168.1.x network that need to talk to the 192.168.3.x network should have a static route pointing to the Vanguard router. Add a static route to your PDC, and these errors will go away.

NOTE: You could also enable ICMP redirects on the PDC, allowing the routing table to be built dynamically, but this approach has a negative impact on your overall security (it becomes possible to confuse your PDC by spoofing ICMP redirect messages, creating the potential for a DoS or traffic sniffing attack).

You may be able to assign static routes via DHCP, if the OS dhcp client supports this feature (I've done this on linux, but haven't tried it with windows). This could be handy if you have a lot of systems that need to talk across the Vanguard. If it's just the PDC (or maybe 2-3 machines), it's probably easier to just add a static route in each systems network configuration.

--
Charles Steinkuehler
[EMAIL PROTECTED]

-------------------------------------------------------
This sf.net email is sponsored by:
With Great Power, Comes Great Responsibility Learn to use your power at OSDN's High Performance Computing Channel
http://hpc.devchannel.org/
------------------------------------------------------------------------
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html

Re: [leaf-user] Ingnore redirects

Reply via email to