Operational Defect Database

BugZero found this defect 1629 days ago.

WatchGuard Technologies | kA10H000000g4oLSAQ

Connections fail with some asynchronous routing scenarios after update to Fireware v12.5.2

Last update date: 12/12/2019

Affected products: Firebox M200, Firebox M300, Firebox M270, Firebox M370, Firebox M470, Firebox M570, Firebox M670, Firebox M290, Firebox M390, Firebox M400, Firebox M500, Firebox M440

Affected releases: All, Fireware, 12.x, 12.5.x

Fixed releases: v12.5.2 Update 1

Description:

Issue

After you upgrade a Firebox to Fireware v12.5.2 or later, the Firebox no longer redirects TCP traffic in scenarios where the server or client is expected to honor ICMP redirect messages. For example: the Firebox has a trusted-network IP address of 192.168.0.1/24 and a network route for 10.0.1.0/24 with gateway 192.168.0.254. The device at 192.168.0.254 is an internal router, which is the default gateway for the 10.0.1.0/24 network. If a host at 10.0.1.10 connects to 192.168.0.2, the router delivers the request directly to that address. When the server at 192.168.0.2 responds, however, it sends the response to the Firebox at 192.168.0.1, because the Firebox is the default gateway for the 192.168.0.0/24 network. The expected behavior is for the Firebox to send an ICMP redirect back to 192.168.0.2, so that the server routes the rest of the connection through the router at 192.168.0.254, which can then forward it correctly to the host at 10.0.1.10. If the server does not accept ICMP redirects, which is the default Windows Firewall behavior, the connection fails: in Fireware v12.5.2 the TCP traffic is not retransmitted in this asynchronous routing scenario.

Workaround/Solution

Allow ICMP redirects on Windows Firewall settings.
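The following is an added example, not code from WatchGuard or from this defect record: a small Python simulation of the routing scenario in the description and of the workaround above. It builds the topology from the advisory's addresses (host 10.0.1.10, router 10.0.1.1/192.168.0.254, server 192.168.0.2, Firebox 192.168.0.1), does longest-prefix-match forwarding, emits an ICMP redirect when a packet would leave on the link it arrived from, and lets you toggle two things: whether the Firebox still forwards the asymmetric reply (pre-v12.5.2 behaviour) and whether the Windows server accepts redirects (the workaround). The interface names, the per-version behaviour flag and the assumption that v12.5.2 still sends the redirect (implied by the workaround) are constructed for the example.

```python
"""Simulation of the asymmetric-routing / ICMP-redirect scenario from the advisory.

Topology (constructed from the advisory's example; interface names are assumptions):

    host 10.0.1.10 --(branch)-- router 10.0.1.1 | 192.168.0.254 --(lan)--
        192.168.0.0/24 --- server 192.168.0.2, Firebox 192.168.0.1 (default gateway)
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field

IP = ipaddress.IPv4Address


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    iface: str
    gateway: IP | None = None  # None = directly connected subnet


@dataclass
class Node:
    name: str
    addrs: dict[str, IP]                  # interface -> its IPv4 address
    routes: list[Route]
    accept_redirects: bool = True         # Windows Firewall default is False
    learned: list[Route] = field(default_factory=list)  # host routes installed from ICMP redirects

    def lookup(self, dst: IP) -> Route:
        """Longest-prefix match over learned host routes plus the static table."""
        matches = [r for r in self.learned + self.routes if dst in r.prefix]
        return max(matches, key=lambda r: r.prefix.prefixlen)


def build_topology(windows_accepts_redirects: bool) -> dict[str, Node]:
    net = ipaddress.IPv4Network
    return {
        "host": Node("host", {"nic": IP("10.0.1.10")},
                     [Route(net("10.0.1.0/24"), "nic"),
                      Route(net("0.0.0.0/0"), "nic", IP("10.0.1.1"))]),
        "router": Node("router", {"lan": IP("192.168.0.254"), "branch": IP("10.0.1.1")},
                       [Route(net("192.168.0.0/24"), "lan"),
                        Route(net("10.0.1.0/24"), "branch"),
                        Route(net("0.0.0.0/0"), "lan", IP("192.168.0.1"))]),
        "server": Node("server", {"nic": IP("192.168.0.2")},
                       [Route(net("192.168.0.0/24"), "nic"),
                        Route(net("0.0.0.0/0"), "nic", IP("192.168.0.1"))],
                       accept_redirects=windows_accepts_redirects),
        "firebox": Node("firebox", {"eth1": IP("192.168.0.1")},
                        [Route(net("192.168.0.0/24"), "eth1"),
                         Route(net("10.0.1.0/24"), "eth1", IP("192.168.0.254"))]),
    }


def trace(nodes: dict[str, Node], src: str, dst: IP, firebox_forwards: bool) -> list[str]:
    """Hop-by-hop path of one packet from node `src` to address `dst`.

    firebox_forwards=True models pre-v12.5.2 behaviour (forward the packet and send an
    ICMP redirect); False models v12.5.2, where the redirect is still sent (assumed, since
    the workaround relies on it) but the asymmetric TCP packet is not forwarded.
    """
    by_addr = {a: (n.name, i) for n in nodes.values() for i, a in n.addrs.items()}
    node, in_iface, prev, prev_iface = nodes[src], None, None, None
    path = [src]
    for _ in range(8):  # guard against routing loops
        if dst in node.addrs.values():
            path.append("delivered")
            return path
        route = node.lookup(dst)
        if in_iface == route.iface and route.gateway is not None and prev is not None:
            # Packet would leave on the link it arrived from: send an ICMP redirect to the
            # previous hop, which installs a /32 host route only if it accepts redirects.
            path.append(f"redirect:{prev.name}")
            if prev.accept_redirects:
                prev.learned.append(Route(ipaddress.IPv4Network(f"{dst}/32"), prev_iface, route.gateway))
            if node.name == "firebox" and not firebox_forwards:
                path.append("dropped")
                return path
        next_ip = route.gateway or dst
        prev, prev_iface = node, route.iface
        name, in_iface = by_addr[next_ip]
        node = nodes[name]
        path.append(name)
    path.append("loop")
    return path


def run_connection(firebox_forwards: bool, windows_accepts_redirects: bool) -> dict[str, list[str]]:
    """Request from the branch host, then two replies from the server; the second reply
    shows whether an accepted redirect changed the server's routing."""
    nodes = build_topology(windows_accepts_redirects)
    return {
        "request": trace(nodes, "host", IP("192.168.0.2"), firebox_forwards),
        "first_reply": trace(nodes, "server", IP("10.0.1.10"), firebox_forwards),
        "second_reply": trace(nodes, "server", IP("10.0.1.10"), firebox_forwards),
    }


if __name__ == "__main__":
    for version, fwd in (("pre-12.5.2", True), ("12.5.2", False)):
        for accepts in (False, True):
            r = run_connection(fwd, accepts)
            print(f"{version:11} accepts_redirects={accepts!s:5} "
                  f"second reply: {' -> '.join(r['second_reply'])}")
```

Running the script shows the four combinations: before v12.5.2 the reply reaches the host either way (via the Firebox if the server ignores the redirect, via the router once it accepts one); on v12.5.2 the first reply is dropped at the Firebox regardless, and only a server that accepts the redirect recovers on the next packet, which is why the workaround is to allow ICMP redirects on the Windows host.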


Status: Resolved
