Bad Redirect Messages Counter Increments on ProxySG Appliance


Article ID: 168802


Updated On:


ProxySG Software - SGOS


This counter will increment if the ICMPv6 redirect is considered to be bad by the Proxy SG appliance. As a result, theICMPv6 redirect route is not added to the Proxy SG appliance routing table.

A route added as a result of an ICMP6 route has the "d" flag. For example:

2003:200:dff:fff1:216:3eff:feb1:54d7 fe80::8%1:1                   UGHD            1:1


This happens because we are checking  the source IP of the redirect message. If it  is not the current first-hop gateway for the specified destination, then it will be ignored. For example if there is no IPv6 default gateway configured, the ProxySG appliance will ignore the redirect and mark it as bad.
In the redirect example above the source of the ICMPv6 was the default gateway (fe80::6), and the target of the redirect was fe80::8. Hence, it will add the route.
Here is an example configured default gateway:

Destination                    Gateway                        Flags          Netif   Expire
default                           fe80::6%1:1                   UGS            1:1

This appears to be the common cause of an icmpv6 redirected route not being added. It is the same cause with IPv4 ICMP redirects.

Other reasons for a route being marked bad are the source ip is not a local link IP, the hop count is not 255, and a bad checksum.