IPv6 ICMP traffic is dropped by "0 - Implied Rules"
Symptoms
  • IPv6 ICMP traffic (Neighbor Solicitation, Neighbor Advertisement) does not pass through the Security Gateway.

  • SmartView Tracker logs show (after enabling 'Log Implied Rules' in the Global Properties in SmartDashboard):

    Protocol = ipv6-icmp

    Action = Drop

    Rule = 0 - Implied Rules

    Information

    • ICMP: Neighbor Solicitation
      ICMP Type: 135
      ICMP Code: 0
      message_info: Implied rule

    • ICMP: Neighbor Advertisement
      ICMP Type: 136
      ICMP Code: 0
      message_info: Implied rule
  • Kernel debug ('fw ctl debug -m fw + conn vm') shows that IPv6 ICMP is dropped:

       [-- Stateful VM outbound: Entering (...) --]; 
    ... ...
    ;Before VM: <dir 1, Source_IPv6_Address -> Dest_IPv6_Address IPP 58> (len=...) ICMP protocol=3a, type=88, code=0 ...
    ;fw_get_conn_std_ex: ICMPv6 echo req type=136 id=...344 seq=0 hlen=...;
    ;fw_get_conn_std_ex: ICMPv6 default sport=0 dport=88; 
    ... ...
    ;fw_conn_post_inspect: executing handler function ssh2_code; 
    ;fw_get_conn_std_ex: ICMPv6 echo req type=136 id=... seq=0 hlen=...;
    ;fw_get_conn_std_ex: ICMPv6 default sport=0 dport=88;
    ... ...
    ;fw_conn_post_inspect: handler function returned action DROP;
    ;fw_filter_chain: fw_conn_post_inspect returned action DROP; 
    ;fw_filter_chain: Final switch, action=DROP; 
    ;After  VM: <dir 1, Source_IPv6_Address -> Dest_IPv6_Address IPP 58> (len=...) ICMP protocol=3a, type=88, code=0 ;
    ;VM Final action=DROP;
    ; -----  Stateful VM outbound Completed ----- 
    
  • Explicit security rule "Any-Any-Allow" for IPv6 Neighbor Solicitation / IPv6 Neighbor Advertisements does not help.

  • Setting the 'Protocol Type' in the 'ssh2' service to 'None' resolves the issue.

Cause

IPv6-ICMP traffic (protocol number 58) is dropped by the SSH2 inspect code if a security rule contains the service 'ssh2'.
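
To confirm this cause in a saved kernel debug capture, the following added example (not Check Point code and not part of the original article) walks each "Stateful VM" block and reports Neighbor Discovery packets that ended in DROP, together with the handler functions that ran on them. The sample text and its addresses are constructed, the function name dropped_nd is hypothetical, and the type field on the "Before VM" line is read as hexadecimal because the excerpt above shows type=88 next to type=136 for the same packet.

```python
import re

# Constructed sample modelled on the 'fw ctl debug -m fw + conn vm' excerpt above
# (addresses are documentation placeholders, not real gateway output).
SAMPLE = """\
[-- Stateful VM outbound: Entering (1) --];
;Before VM: <dir 1, 2001:db8::1 -> 2001:db8::2 IPP 58> (len=72) ICMP protocol=3a, type=88, code=0 ;
;fw_conn_post_inspect: executing handler function ssh2_code;
;fw_conn_post_inspect: handler function returned action DROP;
;VM Final action=DROP;
; -----  Stateful VM outbound Completed -----
[-- Stateful VM outbound: Entering (2) --];
;Before VM: <dir 1, 2001:db8::1 -> 2001:db8::2 IPP 58> (len=72) ICMP protocol=3a, type=80, code=0 ;
;VM Final action=ACCEPT;
; -----  Stateful VM outbound Completed -----
"""

ND_TYPES = {135: "Neighbor Solicitation", 136: "Neighbor Advertisement"}
BEFORE = re.compile(r"Before VM: <dir \d+, (\S+) -> (\S+) IPP (\d+)>.*?type=([0-9a-fA-F]+)")
HANDLER = re.compile(r"executing handler function (\w+)")
FINAL = re.compile(r"VM Final action=(\w+)")

def dropped_nd(debug_text):
    """Return one dict per ICMPv6 ND packet whose VM block ended in DROP."""
    findings, cur = [], None
    for line in debug_text.splitlines():
        if "Stateful VM" in line and "Entering" in line:
            cur = {"handlers": []}          # start of a new per-packet block
        elif cur is None:
            continue                        # ignore lines outside any block
        elif m := BEFORE.search(line):
            # Type is parsed as hex here (88 -> 136), matching the excerpt.
            cur.update(src=m[1], dst=m[2], ipp=int(m[3]), icmp_type=int(m[4], 16))
        elif m := HANDLER.search(line):
            cur["handlers"].append(m[1])    # e.g. ssh2_code
        elif m := FINAL.search(line):
            if m[1] == "DROP" and cur.get("ipp") == 58 and cur.get("icmp_type") in ND_TYPES:
                cur["message"] = ND_TYPES[cur["icmp_type"]]
                findings.append(cur)
            cur = None                      # block finished
    return findings

if __name__ == "__main__":
    for f in dropped_nd(SAMPLE):
        print(f"{f['message']} {f['src']} -> {f['dst']} dropped; handlers: {f['handlers']}")
```

A finding whose handler list contains ssh2_code matches the cause described above; a drop with a different handler points elsewhere.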

