WatchGuard Support Center

Knowledge Base - Article

 Connections fail with some asynchronous routing scenarios after update to Fireware v12.5.2

Products: Firebox & XTM
Operating System: 12.5.x
Issue Status: Resolved
Tracking ID: FBX-18283
Resolved In: Fireware v12.5.2 Update 1
After you upgrade a Firebox to Fireware v12.5.2 or later, the Firebox no longer redirects TCP traffic in scenarios where the server or client is expected to respect ICMP redirect messages.

For example:

The Firebox has a trusted network IP address of and has a network route statement for with gateway

At there is an internal router, which is the default gateway for the network.

If a host at tries to connect to, the router will send requests directly to that IP address. However, when the server at responds, the response is sent to the Firebox at because it is the default gateway for the network.

The expected behavior is for the Firebox to send an ICMP redirect back to, so the server then routes the connection to the router at, which can then correctly forward the connection to the host at

If the server does not allow ICMP redirects, which is the default Windows Firewall behavior, then this fails.

In Fireware v12.5.2 the TCP traffic will not be retransmitted in this asynchronous routing scenario.
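The routing decision described above, modelled as an added example that is not part of the WatchGuard article: it shows which first hop the server picks for successive replies, depending on whether it accepts the ICMP redirect. All addresses are constructed for illustration and are not the article's values; the function names are hypothetical.

```python
import ipaddress as ip

# Constructed addresses for illustration only (not taken from the article).
FIREBOX, ROUTER, SERVER, HOST = "10.0.1.1", "10.0.1.254", "10.0.1.10", "10.0.2.50"
TRUSTED, REMOTE = "10.0.1.0/24", "10.0.2.0/24"

def next_hop(routes, dst):
    """Longest-prefix match. Returns the gateway, or dst itself when on-link."""
    dst_ip = ip.ip_address(dst)
    hits = [(ip.ip_network(net), gw) for net, gw in routes
            if dst_ip in ip.ip_network(net)]
    if not hits:
        raise LookupError(f"no route to {dst}")
    _, gw = max(hits, key=lambda h: h[0].prefixlen)
    return gw or dst

def redirect_target(gateway_routes, lan, src, dst):
    """Gateway-side check: if the next hop for dst sits on the same subnet the
    packet arrived from, the sender should use that hop directly (ICMP type 5)."""
    hop = next_hop(gateway_routes, dst)
    lan_net = ip.ip_network(lan)
    same_lan = ip.ip_address(src) in lan_net and ip.ip_address(hop) in lan_net
    return hop if same_lan else None

def server_reply_hops(accepts_redirects, replies=3):
    """First hop the server picks for each successive reply to HOST."""
    firebox_routes = [(TRUSTED, None), (REMOTE, ROUTER)]
    server_routes = [(TRUSTED, None), ("0.0.0.0/0", FIREBOX)]
    hops = []
    for _ in range(replies):
        hop = next_hop(server_routes, HOST)
        hops.append(hop)
        if hop == FIREBOX:
            better = redirect_target(firebox_routes, TRUSTED, SERVER, HOST)
            if better and accepts_redirects:
                # An accepted redirect installs a host route on the server.
                server_routes.append((HOST + "/32", better))
    return hops

if __name__ == "__main__":
    for accepts in (True, False):
        print(f"server accepts redirects={accepts}: {server_reply_hops(accepts)}")
```

When the server ignores redirects, every reply keeps going to the Firebox, which only ever sees the return half of the TCP connection.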


Allow ICMP redirects in the Windows Firewall settings.