ICMP Redirect Routes Override OSPF Routes

This article was previously published under Q243427
This article has been archived. It is offered "as is" and will no longer be updated.
IMPORTANT: This article contains information about modifying the registry. Before you modify the registry, make sure to back it up and make sure that you understand how to restore the registry if a problem occurs. For information about how to back up, restore, and edit the registry, click the following article number to view the article in the Microsoft Knowledge Base:
256986 Description of the Microsoft Windows Registry
When Routing and Remote Access Services (RRAS) is configured as an autonomous system boundary router (ASBR), it does not correctly import connected interface subnet routes. Instead, it injects host routes into the Open Shortest Path First (OSPF) routes. Because the OSPF router cannot be used as an ASBR router, importing connected interface subnet routes into OSPF results in confusing routing tables with strange routing paths.
Internet Control Message Protocol (ICMP) redirects cause the stack to plumb host routes. These routes override the OSPF-generated routes. This, by itself, is the expected behavior. The problem, however, is that for a period of time (the period of the ICMP redirect-plumbed routes' timeout, which is ten minutes) there is a black hole for the network concerned.
WARNING: If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

To resolve this issue, turn off the routes being plumbed by ICMP redirects. In Windows 2000, you can do this by adjusting a registry value as follows:
  1. Start Registry Editor (Regedt32.exe).
  2. Locate the following key in the registry:
  3. Change the data value of the EnableICMPRedirect value to 0 (by default, it is 1).
  4. Quit Registry Editor.
Microsoft has confirmed that this is a problem in Windows 2000.
More information
The registry value listed above is for Windows 2000 only.
  • In Windows NT 4.0, the REG_DWORD "EnableICMPRedirects" value must have an "s" at the end.
  • In Windows 2000 and later, the REG_DWORD "EnableICMPRedirect" value must not have an "s" at the end.
For additional information, click the article numbers below to view the articles in the Microsoft Knowledge Base:
225344 ICMP Redirect Attack Hangs Windows NT Server and Workstation
293626 Cannot Disable ICMP Redirects with EnableICMPRedirect Value

Article ID: 243427 - Last Review: 10/26/2013 06:38:00 - Revision: 2.0

Microsoft Windows 2000 Server, Microsoft Windows 2000 Advanced Server

  • kbnosurvey kbarchive kbenv kbnetwork kbprb KB243427