ICMP redirect issue

Hi guys,
We have a firewall that connects to the Internet. We also have a 6509 switch connected to the internal LAN. The client PC, the 6509 interface and the firewall are on the same subnet. The client's gateway is on the 6509. When a client tries to access the Internet, the 6509 switch should send an ICMP redirect to the client telling them to go to the firewall for Internet access. However, I've found that some clients were not receiving the ICMP redirect, therefore Internet traffic is sent to the 6509 and then to the firewall. From the 6509 debug we saw it sending ICMP redirects once or twice per second. Is this a security feature to protect the MSFC from DoS attacks? If so, is there any way to override it? Thanks for the help.
Regards

Do you just have the PIX and the PC connected to the same subnet, with the PC default gateway pointing to the MSFC and the MSFC default gateway pointing to the PIX?
This would allow the PC to get to the Internet and the ICMP redirect to be sent to the PC to inform it of the better route.
How is your ICMP redirect configured? Can you post the configuration of the switch/MSFC?
Do you have the 'no ip redirects' command configured on the MSFC SVI for the PC VLAN? If so, use the 'ip redirects' command on the MSFC SVI (VLAN) that the PC connects to.
This will allow the MSFC SVI to send ICMP redirects.
Please see the following link for more info on ICMP redirects:
http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a0080094702.shtml
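
As an added example (not part of the thread, and not Cisco's or any host OS's own code): a client-side check that parses an ICMP redirect and applies the two acceptance rules of RFC 1122 section 3.2.2.2, which is one reason a host may ignore a redirect that the MSFC did send. The addresses (documentation ranges), the topology constants and the function names are assumptions, and the sample packets are constructed, not captured.

```python
import ipaddress
import struct

ICMP_REDIRECT = 5  # ICMP type 5 (RFC 792)

# Assumed topology using documentation addresses: client, MSFC SVI, firewall.
HOST_IF = ipaddress.IPv4Interface("192.0.2.10/24")
CURRENT_GW = ipaddress.IPv4Address("192.0.2.1")   # MSFC SVI (assumed)
FIREWALL = "192.0.2.254"                          # better next hop (assumed)


def checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum over an ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def parse_redirect(packet: bytes):
    """Return the redirect's fields, or None if this is not a well-formed redirect."""
    if len(packet) < 20 or packet[0] >> 4 != 4 or packet[9] != 1:
        return None                               # not IPv4 or not ICMP
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    icmp = packet[ihl:total_len]
    # 8-byte ICMP header plus at least the 20-byte original IP header
    if len(icmp) < 28 or icmp[0] != ICMP_REDIRECT or checksum(icmp) != 0:
        return None
    original = icmp[8:]
    return {
        "sender": ipaddress.IPv4Address(packet[12:16]),
        "code": icmp[1],
        "new_gateway": ipaddress.IPv4Address(icmp[4:8]),
        "orig_dst": ipaddress.IPv4Address(original[16:20]),
    }


def host_accepts(redirect, host_if=HOST_IF, current_gw=CURRENT_GW):
    """RFC 1122 3.2.2.2: discard unless sent by the first-hop gateway in use
    and the new gateway is on the connected subnet."""
    reasons = []
    if redirect["sender"] != current_gw:
        reasons.append("sender is not the current first-hop gateway")
    if redirect["new_gateway"] not in host_if.network:
        reasons.append("new gateway is not on the connected subnet")
    return not reasons, reasons


def packed(addr: str) -> bytes:
    return ipaddress.IPv4Address(addr).packed


def build_sample(sender: str, new_gw: str, orig_dst: str = "198.51.100.7") -> bytes:
    """Constructed test data (not a capture); outer IP checksum left at 0."""
    hdr = "!BBHHHBBH4s4s"
    host = str(HOST_IF.ip)
    # Original datagram the host sent via the MSFC: IP header + 8 payload bytes
    inner = struct.pack(hdr, 0x45, 0, 28, 0, 0, 64, 17, 0,
                        packed(host), packed(orig_dst)) + b"\x00" * 8
    body = struct.pack("!BBH4s", ICMP_REDIRECT, 1, 0, packed(new_gw)) + inner
    body = body[:2] + struct.pack("!H", checksum(body)) + body[4:]
    outer = struct.pack(hdr, 0x45, 0, 20 + len(body), 0, 0, 255, 1, 0,
                        packed(sender), packed(host))
    return outer + body


if __name__ == "__main__":
    for sender, gw in [("192.0.2.1", FIREWALL), ("192.0.2.66", "203.0.113.9")]:
        info = parse_redirect(build_sample(sender, gw))
        print(sender, "->", gw, host_accepts(info))
```
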

Similar Messages

  • Icmp redirects best practice

    Is there a best practice for enabling or disabling ICMP redirects?  Looks like I have redirects enabled and that caused a problem for a host server the other night.  A line went down, the 6500 sent a redirect that was not really a valid route and when the line came up, the host still cached the redirected route, causing a problem.  Are there any pros and cons, although I'm leaning towards disabling redirects?
    as always, thanks for your ideas.

    Disclaimer
    The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.
    Liability Disclaimer
    In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.
    Posting
    Redirects are about efficiency; avoiding the need to transit an extra device.  If that's not a concern, turn it off.
    (Of course there's the issue why the 6500 sent an invalid route redirect.)

  • Guest Anchor - Web Passthrough - Apple device web redirect issue

    Hi All,
    I've setup a Guest Mobility Anchor at DMZ with 5508 WLC. I've setup the EoIP mobility tunnel and everything works so far.
    Now, I was testing multiple clients connecting to the Guest SSID and observed that Apple devices are not redirecting the URL, resulting in an unsuccessful connection.
    I looked Cisco docs and added the command "config network web-auth captive-bypass enable" on the Anchor as recommended.
    Even after executing the command, I'm still facing web redirect issue with Apple Devices. I don't have any issues with other devices, except Apple.
    My controller running code AirOS 7.6.130.0. I'm using DMZ controller as DHCP server for Guests and public DNS servers as 8.8.8.8 & 8.8.4.4
    How to solve this web redirect issue? Will a third-party generated CSR solve the problem?
    Thanks,
    CJ

    Hi All,
    The issue was with WISPr Protocol with iOS Clients. After upgrading the AirOS Code on the controller to 8.0.100.0; the issue with Web Redirect is resolved.
    Jagan

  • Does icmp redirect work with policy based route

    Setup:
    R1 and R2 on same ip net.
    On R1 policy based route is configured with R2 as next hop.
    Will R1 send icmp redirect (to use R2 instead) to those hosts that match the policy based routing ?
    Thanks.
    Gert Schaarup

    HI Gert,
    The answer to your question is yes. I have verified this in a lab previously. As long as all the conditions for ICMP redirect have been met (source address on same net, best gateway on same net) then ICMP redirects are sent regardless of whether PBR or normal routing is being used.
    Hope that helps - pls rate the post if it does.
    Paresh

  • CWA redirect issue and access across the WAN

    Hello,
    I am trying to get CWA working on my wireless ISE setup and am having an issue where the guest portal redirect is pointing to the wrong port.  My setup is as follows:
    The PSN has two connections - Gig 0 is on our management VLAN 172.24.x.x  Gig 1 is on our guest network VLAN 10.190.x.x
    Using a laptop I connect to the guest ssid and guest portal times out as it is pointing to 172.24.x.x instead of the guest vlan 10.190.x.x
    We do not want guest traffic on the corp network for obvious reasons.
    One more question - Is it possible to have guest access work across the WAN?  For example, we have the admin box in Detroit and a PSN in Chicago.  Detroit's guest network is routed through a tunnel to Chicago currently.
    Some more info:
    Here is from the radius authentication details -
    cisco-av-pair=url-redirect=https://172.24.24.41:8443/guestportal/gateway?sessionId=ac18180a000024a45151d92d&action=cwa
    How do I force it to 10.190.x.x and how does ISE get 172.24.24.41 for the redirect address? DNS? I guess I am unfamiliar with how cisco-av-pair attribute is determined.  Any help will be greatly appreciated.

    Have you run anything such as MTR on a Linux box (or the WINMTR equivalent on PC)?  If so, can you find a trend in loss or high latency on a specific hop on the path? I would ensure you adjust the ICMP payload size to a higher size such as 1000 bytes and adjust the ping interval to every two seconds or so.  This ensures you are not running into an issue where the provider is rate limiting your pings, which is not uncommon for some providers, if the pings (ICMP messages) are terminating on their endpoints.
    Do you have QoS policies applied on interfaces on either end of these pings / traces?  If so, do you have assurance that ICMP messages will not be impacted by queue based dropping or shaping latency?  One solution is, move traffic from your ICMP traffic with the source or destination of your ICMP ping and trace endpoint in a priority queue with adequate bandwidth (should be a very low requirement).  This may not make sense since your bandwidth utilization is low, but shaping of busy flows can actually occur long before congestion, depending on your design. 
    Another item that may give you better insight is running and monitoring / graphing IP-SLA probes between your routers on each end.  You could then trend issues and give graphed evidence to your provider.  They could then compare your lossy and high latency periods to their appliance interface, memory, and CPU loads to see if they can find a correlating trend.  It can be a hard battle to get ISPs to not only admit they have issues, but allocate resources to isolate and resolve these issues.  Good SLA probe data showing that their paths are not meeting delivery standards speaks much louder than pings to them.

  • ACE redirection issue

    Hi, we have our main website https://abc.com and it provides links to users for various applications. If I go to https://abc.com and click the link xyz on it, I get back to the main page again and current connections drops to 0. Here my browser should be redirected to https://abc.com/xyz, which is not happening. Traffic is getting tunneled to https://abc.com as seen in logs in the HTTP catcher.
    But if I type in https://abc.com/xyz in the browser, I go to the correct page.
    Below is my configuration. Please let me know if any other configuration is needed. The config below is with 2 links but actual production has many links.
    I have a similar issue for another application where links on the main page cannot be accessed. That application works on http instead of https.
    rserver redirect xyz
      inservice
      webhost-redirection "https://abc.com/xyz"
    rserver redirect uvw
      inservice
      webhost-redirection "https://abc.com/uvw"
    rserver host abc
    ip address 1.1.1.1
    inservice
    serverfarm redirect xyz
    rserver xyz
    inservice
    parameter-map type http case_param
      case-insensitive
      no persistence-rebalance (i also tried enabling it)
      set header-maxparse-length 65535
      set content-maxparse-length 65535
      length-exceed continue
    parameter-map type ssl abc
      cipher RSA_WITH_3DES_EDE_CBC_SHA
    ssl-proxy service abc
      key abc
      cert abc
      ssl advanced-options abc
    serverfarm redirect uvw
    rserver uvw
    inservice
    serverfarm host abc
    rserver abc
    inservice
    class-map type http loadbalance match-any map1
       match http url /xyz.*
    class-map type http loadbalance match-any map1
       match http url /uvw.*
    policy-map type loadbalance first-match ssl-abc
    class map1
        serverfarm xyz
    class map2
        serverfarm uvw
    class class-default
        serverfarm abc 
    class ssl-intranet
        loadbalance vip inservice
        loadbalance policy ssl-abc
        loadbalance vip icmp-reply active
        nat dynamic 1 vlan 368
        appl-parameter http advanced-options case_param
        ssl-proxy server abc
    The IP address mentioned for abc.com (1.1.1.1) is on the Cisco CSS (VIP for www.abc.com for internal users) which is serving my internal clients. The CSS then points to the actual server hosting abc.com. The ACE is serving clients coming from the Internet and the CSS is serving my internal clients, which connect with http. Is this problem because of a communication issue between the ACE and the CSS?
    Can anybody suggest?

    class-map match-all intranet
      2 match virtual-address 198.184.231.7 tcp eq www
    class-map match-all ssl-intranet
      2 match virtual-address 198.184.231.7 tcp eq https
    I have 2 different policy maps .........intranet map redirects to ssl-intranet map which then makes redirection to individual applications.
    policy-map multi-match external-lb
      class extranet
        loadbalance vip inservice
        loadbalance policy extranet
        loadbalance vip icmp-reply active
        nat dynamic 1 vlan 368
        appl-parameter http advanced-options case_param
      class ssl-extranet
        loadbalance vip inservice
        loadbalance policy ssl-extranet
        loadbalance vip icmp-reply active
        nat dynamic 1 vlan 368
        appl-parameter http advanced-options case_param

  • Https redirection issue for Wireless Guest CWA - ISE 1.3

    Our Setup is
    ISE 1.3 (Patch level 2) running on ACS 1121
    2 nodes clustered with Admin, monitoring, policy service enabled ( Primary and Secondary ).
    Configured SSID Guest for Centralized web authentication with ISE.
    We have issues in web redirection with chrome . It is not redirecting to the ISE page but rather showing " Page cannot be displayed".
    By default chrome is pointing to https. For example if we type https://google.com it is not redirecting to ISE page. But when I specify the same as http://google.com it works.
    There is no issue with IE, Firefox as it is redirecting to ISE page with default https and i can see it is hitting our rule.
    Please advise.

    Hi Neno
    They are using a third party certificate (digi cert) for client auth. They have confirmed even if they use a self-signed-cert the result is same.
    So basically none of the https pages are loading. If we manually browse some https site from Firefox or IE, the result is the same, showing "page cannot be displayed".
    Redirection to https is the problem which i have never faced with my other customer. This is the upgraded version of ISE from 1.2 to 1.3.

  • Acrobat 9.0 Runtime Error Vista SBS 2003 Folder Redirection Issue

    I just got off of a two hour phone call with Adobe. They are unable to resolve my issue.
    After installing Acrobat 9.0, we receive the following error:
    "Microsoft Visual C++ Debug Library
    Runtime Error!
    Program: C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat.exe
    The application has requested the Runtime to terminate it in an unusual way. Please contact the application's support team for more information.
    I have tried the recommended fix without success: http://kb.adobe.com/selfservice/viewContent.do?externalId=kb404597
    Someone please help. The user is an Administrator of the machine. The typical AppData path is \\servername\direct\username\Application. I changed it to x:\username\application to no avail.
    This is a Vista machine, all updates, with Small Business Server 2003 with File Redirection.

    Try http://www.adobe.com/go/kb401589
    Especially solution 4.

  • Button URL Redirect - Issue passing %null% from LOV

    I have an issue when attempting to pass %null% from a LOV to a subsequent target page. The URL redirect works fine when a value is selected in the LOV but passes gibberish "?ll" when no value is selected from the LOV. Can anyone shed some light on what is going on?
    Redirect looks like this:
    f?p=112:411:508326687872582::NO:RP,411:P411_AGENCY,P411_CATEGORY,P411_BUDGET_YEAR,P411_OIT_OFFICE,P411_DESCRIPTION:002,%null%,2012,1665,webJeff

    svk1965,
    Thank you for your response. I read many other threads and you are definitely on the right track. Got impatient though and took my project on a different track, which ended up being a better solution for me after all.
    Jeff

  • Oracle Apps R12 iRec URL Redirection issue

    Dear Friends,
    We have configured R12 i-Rec on a server and placed it in the DMZ.
    We have made this server external and we have made the irec responsibilities external, and using the DMZ server URL we were able to work without any issue.
    Now, to publish this URL to Internet users with https and port masking, we have mapped this URL http://abc.com:8020 to https://xyz.com using Microsoft UGC Firewall 2010.
    Now from the Internet we were able to hit the URL https://xyz.com and could log in as an Oracle application user with the same URL https://xyz.com
    But when we click any of the irec responsibilities (irecruitment agency (or) others) which are made external, the page is redirected to the real DMZ server URL http://abc.com:8020/OA_HTML/...
    and it shows the error:
    The page cannot be displayed.
    I believe it should not happen; throughout the session it has to maintain the same new URL.
    Please let us know the fix.
    Regards,
    DB

    Hi;
    What is error in apache log file?
    Regard
    Helios

  • Virtual page redirection issue - VWLC

    Hello All,
    I am using ISE for external web authentication. Once client enter the UN and PWD in the ISE guest portal, the client must redirect to 1.1.1.1 that is the local web page. But i get a blank page..? And also if i use local web page for the redirection also it is not working ..?
    Any idea..
    KVS

    Symptoms or Issue
    The URL redirection page in the client machine's browser does  not correctly guide the end user to the appropriate URL.
    Conditions:
    This issue is most applicable to 802.1X authentication sessions  that require URL redirection and Guest Centralized Web Authentication  (CWA) login sessions.
    Possible Causes:
    There are multiple causes for this issue. See the Resolutions descriptions that follow for explanation.
    Please check the below link for URL Redirection Resolutions:
    http://www.cisco.com/en/US/docs/security/ise/1.1/user_guide/ise_troubleshooting.pdf

  • Fix for Bass Redirection issue in sig

    Hi everybody,
    I have just ordered a Teufel Concept E 5. Speaker System. For that reason I'm now also dealing with the purchase of a 5. sound card. At first my favourite was the Audigy 2 ZS, but now I'm hesitating because I've read on several forums that the Teufel System also suffers from the Audigy series' malfunctioning driver-implemented Bass Redirection (an issue first reported 3 years ago, January 2002!!!) when it comes to upmixing a stereo source to 5..
    Just to remember: If Bass Redirection is unchecked in the drivers, the whole frequency spectrum of the stereo source will be directly sent to the front left/right channels (and no other channels), and the connected speaker system will have to split the frequency bands and feed its subwoofer with low-pass signals and the sats with high-pass signals (For example this is the case with Creative's own speaker systems which have internal crossovers). But most non-Creative 5. Systems don't have this internal functionality of mixing a stereo input up to subwoofer and sats. For such systems Creative implemented the "Bass Redirection" in their drivers: sub frequencies of the stereo source are low-pass filtered and sent to the discrete subwoofer output of the sound card. The issue is that this signal from the subwoofer output is too weak, forcing users to find workarounds to get bass when they're listening to stereo sources (such as Music in Winamp).
    This issue, although known for 3 (three!!!) years now, has not yet been fixed by Creative. In late November 2004, Cat has replied to the Monster thread dealing with this issue on the old forums (http://uk.europe.creative.com/support/forums/thread.asp?thre=396&foru=5&page=34) (scroll down), promising to forward the issue to the driver dev team, but since that day nothing has happened anymore.
    My question to the mods: is there a chance that this driver issue will be fixed in the near future? Otherwise I'll have to reconsider my options concerning my sound card purchase.
    gre-ez
    mcgyvr

    I have the same thing with this option, and I am asking for a fix (again....)
    I have an Audigy 2 ZS OEM, a Yamaha RXV-440 Home Cinema Receiver and big 5. home cinema speakers. The Audigy 2 ZS is connected to the Yamaha by 3 analog outputs (connecting it by SPDIF causes no CMSS stereo to surround upmix and only stereo sound for all non DD/DTS sound sources like MP3, games, mpg/DivX/XviD films... that's why I must connect them by analog outputs/inputs).
    When I disable bass redirection then the speakers have full frequency response (20Hz - 20kHz) but there is no signal on the sub output (when I play stereo sound with CMSS Stereo Surround enabled).
    When I enable bass redirection and set the cutoff frequency to 70Hz then there is a signal on the analog sub out, but the speakers have the bass cut off (20Hz - 70Hz) and play only frequencies from 70Hz to 20kHz.
    This option causes a waste of bass from the speakers (they have beautiful bass, but not with these drivers).
    Even when bass redirection is enabled, the signal from the sub output is very weak - I don't have a high enough sub volume control to make it sound loud enough.
    I have this problem on the SB Live, I have this problem on the Audigy 2 ZS, and this problem still exists on the Audigy 4 !!! (I am now using modded Audigy 4 drivers that work on all Audigy series, but there is the same problem as in the original A2 ZS drivers).
    I am requesting only 2 fixes in the drivers that would satisfy me completely (not only me - many people have the same problem):
    1. Add an option that will disable bass cutting from the speakers when bass redirection is enabled, or make bass redirection work only for the subwoofer without any speaker frequency cutting.
    2. Make the signal from the analog sub out louder because this volume level is not acceptable !!!
    Please...
    These problems are making me start to think about some other sound card from another manufacturer...because that can't be

  • Getting Redirect issue when clicked on CR controls after session expiry

    Dear Experts,
    I have an issue in my ASP.NET and Crystal Reports application, and the scenario is as follows:
    I have implemented some reports in my ASP.NET page. If the page is left alone for 15 mins (assuming 15 mins is configured as the session timeout), and I then click on any buttons in the Crystal Report control toolbar (like export, navigate, etc.), I get the following error.
    Response.Redirect from inside an asynchronous callback method
    I get this error because in my base class I check for validity of the session and do a redirect to the home page using Response.Redirect() when the session is invalid. This code apparently fails as Crystal Reports makes an asynchronous call to the page when the toolbar is clicked.
    I got some links from other sites suggesting to add some JavaScript to the response stream, etc. It did not work for me.
    I am sure someone would have faced this issue and got a fix for it. If so, please share with me.
    TIA,
    Prem

    Not sure.  The only thing that comes to mind is to check for the session variable to see if its still alive in the Page_Init.  You might be able to trap it early enough there.
    Other than that, I doubt this can be resolved in these forums and I'd recommend creating a phone case here:
    http://store.businessobjects.com/store/bobjamer/DisplayProductByTypePage&parentCategoryID=&categoryID=11522300
    Ludek

  • Servlet Redirection issue

    Hi,
    We have a web application which uploads and parses an Excel file and redirects to a 1.jsp page. We are facing an issue in redirection after parsing a large Excel file greater than 15 MB: Tomcat is not able to redirect to 1.jsp. If we upload a small Excel file, redirection works fine, but we are facing the issue with large Excel files. The browser does not show the 1.jsp page. We are using RequestDispatcher to forward the request to 1.jsp.
    Is there any issue with the connection timeout. our application is in tomcat which is beyond Apache. All our request go through Apache.
    I missed one more thing. from debugging we found out that tomcat is redirecting properly to 1.jsp but we are not able to see that page in the browser. The Entire process takes around 20 mins. We tried by sending direct request to tomcat on port 8080 bypassing apache in this case it works fine for large Excel files i.e. redirection works fine if we bypass the apache.
    Please help.
    Thanks.

    I tried changing it in Tomcat server.xml and also in apache configurations. Also i tried by setting timeout in jsp page. Timeout was set for 30 minutes.
    Nothing worked.

  • Redirections issues TSE - Cisco SMB SA 520

    Hello,
    I'm having troubles on a SA 520 router in Load Balancing mode (WAN1 with ADSL router, WAN2 with Wimax modem).
    It seems like Load Balancing is working pretty well but some terminal server connections are having stability issues. These sessions are 4, with 4 custom port forwardings to 4 different computers.
    One of them works well, others do not and one doesn't work at all. The 4 firewall rules (8 in fact, 1 for each WAN) are made in the same way...
    For the test connection (the one which worked well), I had to disable some "Attacks" features to improve its stability (like TCP Flood protection).
    What would you advise to fix these problems and make TSE connections work well? I forgot to mention that they work well with the ADSL router only, with simple firewall rules.
    Thanks in advance for your further help!

    Hello,
    We've made many many tests to better understand the problem. Firmware is now the last recent version : 1.1.21
    Each test is realised with following settings :
    - 4 remote access connections on a single WAN configuration
    - protocol bindings for each
    - dedicated WAN = wimax
    - optional WAN = adsl behind adsl router
    First test (single WAN)
    With WAN1 or WAN2 working alone, with protocol bindings and redirections well set, everything's ok. Remote connections are always working greatly and don't suffer of disconnections.
    Second test (double WAN)
    With both WAN activated, the situation isn't the same. I've tried to test both redirections on WAN1 or WAN2 (with protocol bindings). Remote connections work randomly, a connection can work and disconnects a few minutes later without possibility of reconnection.
    An interesting thing to know is that HTTP/HTTPS and some other services defined in the same way (with protocol bindings) work very well. It seems that the problem only affects inbound connections and custom services (on custom ports to connect to local computers).
    Third test (double WAN + capture packets)
    Attached files are the result of the capture. Redirections + protocol bindings of remote connections are set on WAN1. The WAN2 capture shouldn't contain any traffic on ports used by redirections (2222/4444/4747/5679). Something may be going wrong with that, as if the router redirects the inbound connection to the local computer through WAN1 and uses WAN2 to get out.
    I hope you'll understand the problem, sorry for my bad English. I'm available to answer questions to give more details.
    Thanks in advance for further help.
