Products: Firebox & XTM
After you upgrade a Firebox to Fireware v12.5.2 or later, the Firebox no longer redirects TCP traffic in cases where the server or client should instead respect ICMP redirect messages.
The Firebox has a trusted network IP address of 192.168.0.1/24 and a network route for 10.0.1.0/24 with gateway 192.168.0.254.
At 192.168.0.254 there is an internal router, which is the default gateway for the 10.0.1.0/24 network.
If a host at 10.0.1.10 tries to connect to 192.168.0.2, the router sends the request directly to that address, because 192.168.0.254 is on the same 192.168.0.0/24 network. However, when the server at 192.168.0.2 responds, the response is sent to the Firebox at 192.168.0.1, because the Firebox is the default gateway for the 192.168.0.0/24 network.
The expected behavior is for the Firebox to send an ICMP redirect back to 192.168.0.2, so the server then routes the connection to the router at 192.168.0.254, which can then correctly forward the connection to the host at 10.0.1.10.
If the server does not accept ICMP redirects, which is the default Windows Firewall behavior, the connection fails.
In Fireware v12.5.2 and later, the Firebox no longer forwards the TCP traffic back out to the router in this asymmetric routing scenario, so the server must honor the redirect itself.
To resolve this, allow ICMP redirects in the Windows Firewall settings on the server.
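The following PowerShell is an added example, not part of the WatchGuard article, showing how an administrator can verify and apply the fix on the Windows server at 192.168.0.2. It assumes a Windows Server or Windows 10+ host with the built-in NetTCPIP and NetSecurity modules, run from an elevated prompt; the gateway address comes from the scenario above, and the rule name is chosen for this example.

```powershell
# Added example (not from the article). Assumes NetTCPIP/NetSecurity modules
# and an elevated session. Gateway is the Firebox trusted address from the
# scenario; the rule name is an arbitrary label chosen here.
$Gateway  = '192.168.0.1'
$RuleName = 'Allow ICMPv4 Redirect from default gateway'

# 1. The IP stack must honor redirects at all. Windows enables this by default,
#    but hardening baselines often turn it off; report and re-enable if needed.
$proto = Get-NetIPv4Protocol
if ($proto.IcmpRedirects -ne 'Enabled') {
    Write-Host "IcmpRedirects is $($proto.IcmpRedirects); enabling"
    Set-NetIPv4Protocol -IcmpRedirects Enabled
}

# 2. Confirm the default gateway really is the Firebox. A redirect should only
#    ever be trusted from the router the server already sends traffic to.
$default = Get-NetRoute -DestinationPrefix '0.0.0.0/0' -AddressFamily IPv4 |
           Sort-Object RouteMetric | Select-Object -First 1
if ($default.NextHop -ne $Gateway) {
    Write-Warning "Default gateway is $($default.NextHop), expected $Gateway"
}

# 3. Windows Firewall: allow inbound ICMPv4 type 5 (Redirect), scoped to the
#    gateway address so no other LAN host can alter this server's next hops.
$rule = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
if (-not $rule) {
    New-NetFirewallRule -DisplayName $RuleName `
        -Direction Inbound -Action Allow -Protocol ICMPv4 -IcmpType 5 `
        -RemoteAddress $Gateway -Profile Any | Out-Null
    Write-Host "Created firewall rule '$RuleName'"
}

# 4. Show what the rule matches, for the change record.
Get-NetFirewallRule -DisplayName $RuleName |
    Get-NetFirewallPortFilter |
    Select-Object Protocol, IcmpType

# 5. Redirected next hops are kept in the destination cache rather than the
#    routing table. After a host in 10.0.1.0/24 connects, its entry should
#    show 192.168.0.254 as next hop instead of the Firebox.
netsh interface ipv4 show destinationcache | Select-String '10\.0\.1\.'
```

Scoping the rule with `-RemoteAddress` to the Firebox keeps the fix narrow: the server accepts the redirect it needs from its default gateway without trusting redirects from every host on the trusted network.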