ScreenOS Firewalls (NOT SRX)
Visitor
khalavak
Posts: 2
Registered: ‎09-15-2008

OSPF Multicast spoofing alerts on cluster secondary

Hello,

when enabling OSPF on our ISG interfaces I started getting these errors/warnings about IP spoofing in the logs. 

It seems like the cluster member (secondary) sees the OSPF multicast messages sent by the cluster primary and logs the spoofing alert. Any ideas why that is happening and how I can get it fixed so that the devices wouldn't alert on these OSPF multicast messages?

Device isg1000 Details [Root]system-alert-00008: IP spoofing! From 10.1.1.1 to 224.0.0.5, proto 89 (zone Client int  ethernet1/1.1). Occurred 1 times.

Recognized Expert
PentinProcessor
Posts: 258
Registered: ‎11-06-2007

Re: OSPF Multicast spoofing alerts on cluster secondary

1. Is the cluster set up as Active/Passive?
2. Is it VSD-less (i.e. is the command 'unset nsrp vsd-group id 0' configured)?

3. Is it a new setup or has it been up and running for a period of time?
4. Who is the real owner of 10.1.1.1?

 

The output of the following will help determine the next step:

get nsrp

get config | inc nsrp
get int <int_name> (do this for interface that you're enabling OSPF, on both firewalls) 

 

Regards,

Josine

 

Message Edited by PentinProcessor on 09-16-2008 07:48 AM
Visitor
khalavak
Posts: 2
Registered: ‎09-15-2008

Re: OSPF Multicast spoofing alerts on cluster secondary

Hello,

the cluster is set up as active/active and it's not VSD-less, and "unset nsrp vsd-group 0" is not configured. The setup is a "normal" setup in that the two devices have been configured with "set nsrp cluster id 1" and the default vsd-group 0 has been used. The setup on this cluster has been running for a while. The real owner of 10.1.1.1 is the cluster master and it's the NSRP address on that interface.

 

Here is the output of the commands you requested:

 

isgcluster:isgcluster01(M)-> get nsrp
nsrp version: 2.0

cluster info:
cluster id: 1, name: isgcluster
local unit id: 6361344
active units discovered: 
index: 0, unit id:   6361344, ctrl mac: 001bc061110a, data mac: 001bc061110a
index: 1, unit id:   6350976, ctrl mac: 001bc060e88a, data mac: 001bc060e88a
total number of units: 2

VSD group info:
init hold time: 5
heartbeat lost threshold: 3
heartbeat interval: 1000(ms)
master always exist: enabled
group priority preempt holddown inelig   master       PB other members
    0       95 yes            3 no       myself  6350976 
total number of vsd groups: 1
Total iteration=3617611,time=1089271752,max=215660,min=439,average=301

RTO mirror info:
run time object sync: enabled
ping session sync: enabled
coldstart sync done
nsrp data packet forwarding is enabled

nsrp link info:
control   channel: ethernet1/4 (ifnum: 10)  mac: 001bc061110a state: up(probe)
data      channel: ethernet1/4 (ifnum: 10)  mac: 001bc061110a state: up(probe)
ha secondary path link not available

NSRP encryption: disabled
NSRP authentication: disabled 
device based nsrp monitoring threshold: 255, weighted sum: 0, not failed
device based nsrp monitor interface: 
device based nsrp monitor zone: 
device based nsrp track ip: (weight: 255, disabled)
number of gratuitous arps: 4 (default)
config sync: enabled

track ip: disabled
isgcluster:isgcluster01(M)->

 

isgcluster:isgcluster01(M)-> get config | inc nsrp
set nsrp cluster id 1
set nsrp cluster name isgcluster
set nsrp rto-mirror sync
set nsrp rto-mirror session ageout-ack
set nsrp rto-mirror session non-vsi
set nsrp vsd-group master-always-exist
set nsrp vsd-group id 0 priority 95
set nsrp vsd-group id 0 preempt
set nsrp ha-link probe

 

isgcluster:isgcluster01(M)-> get int eth1/3.6
Interface ethernet1/3.6(VSI):
  description ethernet1/3.6
  number 9, if_info 72120, if_index 6, VLAN tag 500, mode route
  link up, phy-link up/full-duplex
  vsys Root, zone Client, vr trust-vr, vsd 0
  *ip 10.1.1.1/29   mac 0010.dbff.2090
  manage ip 10.1.1.2, mac 001b.c061.1109
  route-deny disable
  pmtu-v4 disabled
  ping enabled, telnet disabled, SSH enabled, SNMP enabled
  web enabled, ident-reset disabled, SSL enabled
  DNS Proxy disabled, webauth disabled, webauth-ip 0.0.0.0
  OSPF enabled  BGP disabled  RIP disabled  RIPng disabled
  NSGP disabled  mtrace disabled
  PIM: not configured  IGMP not configured
  bandwidth: physical 0Mbps, configured 0Mbps
  DHCP-Relay disabled
Number of SW session: 261100, hw sess err cnt 0

 

Any ideas on why the cluster secondary is logging those OSPF multicasts?

 

Regards,

Kim H 

 

Recognized Expert
PentinProcessor
Posts: 258
Registered: ‎11-06-2007

Re: OSPF Multicast spoofing alerts on cluster secondary

Kim H,
Thank you for the info.

What is your ScreenOS version?


What's interesting to me is that OSPF is enabled on FW1 on interface eth1/3.6.  However, the message you're getting is from eth1/1.1 on FW2:

Device isg1000 Details [Root]system-alert-00008: IP spoofing! From 10.1.1.1 to 224.0.0.5, proto 89 (zone Client int  ethernet1/1.1). Occurred 1 times.

The error started occurring when you enabled OSPF on eth1/3.6 on FW2?

At this point, a network diagram and the configs are needed for both firewalls.  I would open a case with JTAC.

Regards,
Josine
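
A triage sketch for the interface mismatch raised in the post above, added here as an example and not part of the thread or of any Juniper tooling: it parses the spoofing alert in the format quoted in this thread, maps cluster addresses to interfaces from pasted `get int` output, and labels each OSPF multicast alert by whether its source is a cluster address seen on a different interface. The verdict labels, function names and the second log line are assumptions made for the example.

```python
import re

# Alert format as quoted in this thread (system-alert-00008).
ALERT_RE = re.compile(
    r"IP spoofing! From (?P<src>\S+) to (?P<dst>[\d.]+), proto (?P<proto>\d+) "
    r"\(zone (?P<zone>.+?) int\s+(?P<intf>[^)\s]+)\)\. Occurred (?P<count>\d+) times"
)
# 'get int' header and address lines as pasted in this thread.
INTF_RE = re.compile(r"Interface (?P<intf>[^\s(]+)\(")
IP_RE = re.compile(r"\s*\*?ip (?P<ip>\d+\.\d+\.\d+\.\d+)/\d+")
OSPF_PROTO, OSPF_GROUPS = 89, {"224.0.0.5", "224.0.0.6"}  # AllSPFRouters, AllDRouters

SAMPLE_GET_INT = """Interface ethernet1/3.6(VSI):
  vsys Root, zone Client, vr trust-vr, vsd 0
  *ip 10.1.1.1/29   mac 0010.dbff.2090
  manage ip 10.1.1.2, mac 001b.c061.1109
"""
SAMPLE_LOG = [
    # Line quoted in the thread:
    "Device isg1000 Details [Root]system-alert-00008: IP spoofing! From 10.1.1.1 "
    "to 224.0.0.5, proto 89 (zone Client int  ethernet1/1.1). Occurred 1 times.",
    # Constructed line, same format, source not owned by the cluster:
    "Device isg1000 Details [Root]system-alert-00008: IP spoofing! From 192.0.2.7 "
    "to 224.0.0.5, proto 89 (zone Client int  ethernet1/1.1). Occurred 3 times.",
]

def parse_get_int(text):
    """Return {ip: interface} for each interface block in 'get int' output."""
    owners, current = {}, None
    for line in text.splitlines():
        head, addr = INTF_RE.match(line), IP_RE.match(line)
        if head:
            current = head["intf"]
        elif addr and current:
            owners[addr["ip"]] = current  # 'manage ip' lines do not match IP_RE
    return owners

def triage(lines, owners):
    """Label each spoofing alert; lines that are not alerts are skipped."""
    findings = []
    for line in lines:
        m = ALERT_RE.search(line)
        if not m:
            continue
        owner = owners.get(m["src"])
        if int(m["proto"]) != OSPF_PROTO or m["dst"] not in OSPF_GROUPS:
            verdict = "non-ospf-alert"
        elif owner is None:
            verdict = "unknown-source"
        elif owner != m["intf"]:
            verdict = "cluster-ip-on-other-interface"
        else:
            verdict = "cluster-ip-on-same-interface"
        findings.append((m["src"], m["intf"], owner, verdict))
    return findings
```
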

New User
L00p
Posts: 1
Registered: ‎09-18-2008

Re: OSPF Multicast spoofing alerts on cluster secondary

Hi all! I have the same problem. Can you tell me the case number?