ICMP redirects with bad chksum
Hello, I have a customer who is showing errors increasing on mgmt port on Other Errors Rcvd counter and CRC Errors Rcvd.
SCSVRATD001> show intfport mgmt
Total Packets Received : 51629543
Total Packets Sent : 8509101
Total CRC Errors Rcvd : 4663
Total Other Errors Rcvd : 570632
Total CRC Errors Sent : 0
Total Other Errors Sent : 0
IP Address : 192.168.131.195
Netmask : 255.255.252.0
MAC Address : a4:bf:01:1d:a1:86
Malware Interface Port : YES
Malware Gateway : DEFAULT
In the pcaps I'm seeing chksum errors for some packets, but they look like they are outgoing, so they should be Tx errors, not the Rx errors he's seeing.
17:22:48.677154 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 52) 192.168.131.195.https > 192.168.122.38.62329: Flags [S.], cksum 0x7f61 (incorrect -> 0x9bbb), seq 321591542, ack 834703075, win 29200, options [mss 1460, nop,nop,sackOK,nop,wscale 8], length 0
17:22:48.677312 IP (tos 0x0, ttl 64, id 23981, offset 0, flags [DF], proto ICMP (1), length 56) 192.168.129.4 > 192.168.131.195: ICMP redirect 192.168.122.38 to host 192.168.130.208, length 36 IP (tos 0x0, ttl 64, id 30961, offset 0, flags [DF], proto TCP (6), length 60, bad cksum 42a4 (->4290)!) 192.168.131.195.https > 192.168.122.38.62326: [|tcp]
17:22:48.677685 IP (tos 0x0, ttl 64, id 23982, offset 0, flags [DF], proto ICMP (1), length 56) 192.168.129.4 > 192.168.131.195: ICMP redirect 192.168.122.38 to host 192.168.130.208, length 36 IP (tos 0x0, ttl 64, id 30962, offset 0, flags [DF], proto TCP (6), length 212, bad cksum 420b (->41f7)!) 192.168.131.195.https > 192.168.122.38.62326: [|tcp]
17:22:48.677713 IP (tos 0x0, ttl 64, id 23983, offset 0, flags [DF], proto ICMP (1), length 56) 192.168.129.4 > 192.168.131.195: ICMP redirect 192.168.122.38 to host 192.168.130.208, length 36 IP (tos 0x0, ttl 64, id 2351, offset 0, flags [DF], proto TCP (6), length 60, bad cksum b266 (->b252)!) 192.168.131.195.https > 192.168.122.38.62325: [|tcp]
I'm not entirely sure, but it looks to me like 192.168.129.4 is sending ICMP packets to 192.168.131.195 (which is the ATD's mgmt IP), which is telling the ATD to redirect ping packets to somewhere else, which is failing a chksum?
Which doesn't explain this one where the header is too short:
17:22:48.695626 IP (tos 0x0, ttl 64, id 23992, offset 0, flags [DF], proto ICMP (1), length 56) 192.168.129.4 > 192.168.131.195: ICMP redirect 192.168.122.38 to host 192.168.130.208, length 36 IP (tos 0x0, ttl ...
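An ICMP redirect carries a copy of the IP header of the datagram that triggered it, and the "bad cksum X (->Y)" tcpdump prints on the inner "IP (...)" part is its check of that quoted copy, not of the redirect itself. The script below is an added example (not part of the post, and not ATD or tcpdump code): it takes the three complete redirect lines from the post, parses the quoted inner IPv4 header fields out of the tcpdump text, rebuilds the 20-byte header, recomputes the RFC 1071 header checksum, confirms it equals the value tcpdump expected, and reports how far the checksum seen on the wire is from the correct one for each packet. The regex and the field names in the returned dictionary are this example's own choices.

```python
import re
import socket
import struct

# The three complete ICMP-redirect lines from the post above, embedded verbatim so the
# script runs offline (the "bad cksum X (->Y)" values are exactly as tcpdump printed them).
TCPDUMP_LINES = [
    "17:22:48.677312 IP (tos 0x0, ttl 64, id 23981, offset 0, flags [DF], proto ICMP (1), length 56) "
    "192.168.129.4 > 192.168.131.195: ICMP redirect 192.168.122.38 to host 192.168.130.208, length 36 "
    "IP (tos 0x0, ttl 64, id 30961, offset 0, flags [DF], proto TCP (6), length 60, bad cksum 42a4 (->4290)!) "
    "192.168.131.195.https > 192.168.122.38.62326: [|tcp]",
    "17:22:48.677685 IP (tos 0x0, ttl 64, id 23982, offset 0, flags [DF], proto ICMP (1), length 56) "
    "192.168.129.4 > 192.168.131.195: ICMP redirect 192.168.122.38 to host 192.168.130.208, length 36 "
    "IP (tos 0x0, ttl 64, id 30962, offset 0, flags [DF], proto TCP (6), length 212, bad cksum 420b (->41f7)!) "
    "192.168.131.195.https > 192.168.122.38.62326: [|tcp]",
    "17:22:48.677713 IP (tos 0x0, ttl 64, id 23983, offset 0, flags [DF], proto ICMP (1), length 56) "
    "192.168.129.4 > 192.168.131.195: ICMP redirect 192.168.122.38 to host 192.168.130.208, length 36 "
    "IP (tos 0x0, ttl 64, id 2351, offset 0, flags [DF], proto TCP (6), length 60, bad cksum b266 (->b252)!) "
    "192.168.131.195.https > 192.168.122.38.62325: [|tcp]",
]

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# Matches the redirect summary plus the quoted (inner) IPv4 header tcpdump prints after it.
INNER_RE = re.compile(
    r"ICMP redirect (?P<target>" + IPV4 + r") to host (?P<newgw>" + IPV4 + r"), length \d+ "
    r"IP \(tos (?P<tos>0x[0-9a-fA-F]+), ttl (?P<ttl>\d+), id (?P<id>\d+), offset (?P<offset>\d+), "
    r"flags \[(?P<flags>[^\]]*)\], proto \w+ \((?P<proto>\d+)\), length (?P<length>\d+), "
    r"bad cksum (?P<seen>[0-9a-fA-F]+) \(->(?P<want>[0-9a-fA-F]+)\)!\) "
    r"(?P<src>" + IPV4 + r")\.\S+ > (?P<dst>" + IPV4 + r")\.\S+:"
)


def rfc1071_checksum(data: bytes) -> int:
    """Ones'-complement sum of big-endian 16-bit words, folded and complemented (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(fields: dict, checksum: int = 0) -> bytes:
    """Serialise a 20-byte IPv4 header without options, with the given checksum field."""
    flags_frag = ((0x4000 if fields["df"] else 0) | (0x2000 if fields["mf"] else 0)
                  | ((fields["frag_offset"] // 8) & 0x1FFF))
    return struct.pack("!BBHHHBBH4s4s", 0x45, fields["tos"], fields["total_length"],
                       fields["ident"], flags_frag, fields["ttl"], fields["proto"], checksum,
                       socket.inet_aton(fields["src"]), socket.inet_aton(fields["dst"]))


def check_quoted_header(line: str):
    """Parse the IPv4 header quoted inside an ICMP redirect line and recompute its checksum."""
    m = INNER_RE.search(line)
    if m is None:
        return None  # not an ICMP redirect with a quoted header, or a format we do not parse
    fields = {
        "tos": int(m["tos"], 16), "total_length": int(m["length"]), "ident": int(m["id"]),
        "df": "DF" in m["flags"], "mf": "+" in m["flags"], "frag_offset": int(m["offset"]),
        "ttl": int(m["ttl"]), "proto": int(m["proto"]), "src": m["src"], "dst": m["dst"],
    }
    recomputed = rfc1071_checksum(build_ipv4_header(fields))
    seen, want = int(m["seen"], 16), int(m["want"], 16)
    # A header carrying its correct checksum sums to all ones, so the complement is zero.
    verifies = rfc1071_checksum(build_ipv4_header(fields, checksum=recomputed)) == 0
    # seen - recomputed (mod 2^16) equals sum(quoted header) - sum(header as actually
    # checksummed): a positive value means the header that was checksummed summed lower.
    delta = (seen - recomputed) & 0xFFFF
    return {"redirect_target": m["target"], "new_gateway": m["newgw"],
            "src": m["src"], "dst": m["dst"], "tcpdump_expected": want,
            "recomputed": recomputed, "observed": seen,
            "matches_tcpdump": recomputed == want, "verifies": verifies, "sum_delta": delta}


def analyse(lines):
    """Return one result dict per line that carries a quoted header with a bad checksum."""
    return [r for r in (check_quoted_header(l) for l in lines) if r is not None]


def sum_deltas(results):
    """The set of observed-minus-correct offsets; a single value means a consistent error."""
    return {r["sum_delta"] for r in results}


if __name__ == "__main__":
    for r in analyse(TCPDUMP_LINES):
        print("%s -> %s via %s: observed %04x, correct %04x, delta %d, tcpdump agrees: %s"
              % (r["src"], r["dst"], r["new_gateway"], r["observed"], r["recomputed"],
                 r["sum_delta"], r["matches_tcpdump"]))
```

Run as-is, the recomputed checksums (0x4290, 0x41f7, 0xb252) match tcpdump's "->" values exactly, and all three quoted headers are off from the correct value by the same 0x14 (20). A constant offset is the signature of a field being rewritten consistently somewhere on the path rather than of random corruption, which is what CRC-style link errors would look like; which field cannot be determined from these lines alone, so the next step is to compare the quoted header against the original segment in the same capture. The "cksum ... (incorrect -> ...)" on the host's own outgoing SYN/ACK at 17:22:48.677154 is a separate matter: a capture taken on the sending host sees the segment before the NIC's checksum offload fills in the TCP checksum, so tcpdump routinely flags locally generated TCP segments as incorrect, and that alone is not evidence of a wire error.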