Hi

 

Can you run a quick "get system" and check to see if it says that the FW is in L2 mode?

 

Usually the return traffic should match the same session and not create a new session. Please post the debugs and conf and we can take a look.

 

here is the output of "get system" :

----------------------------------------------

Date 02/18/2009 09:59:20, Daylight Saving Time enabled

The Network Time Protocol is Disabled

Up 22 hours 23 minutes 16 seconds Since 17Feb2009:11:36:04

Total Device Resets: 48, Last Device Reset at: 12/10/2008 17:52:19

System in transparent mode.

Use interface IP, Config Port: 80

Manager IP enforced: False

-----------------------------------------------

router (belong to l2-ext - pass thru eth0/2) :

- fa0/0.444 (tag 444) 192.168.1.3/25

- fa0/0.555 (tag 555) 192.168.1.254/25

- fa0/0 192.168.2.3/25

FW :

- vlan1 192.168.2.5/24 (GW : 192.168.2.3)

PC A :

- 192.168.1.1/25 (GW : 192.168.1.3) belong to l2-zone1 (pass thru eth0/0)

PC B :

- 192.168.1.135/25 (GW : 192.168.1.254) belong to l2-zone2 (pass thru eth0/1)

my test consists on ping PC B from PC A.

it seems at the incoming flow eth0/0 and eth0/2 receive packet (so 2 sessions).

I tried to bind eth0/1 to l2-zone1 : same result.

Hmm I see what you mean. ICMP is a special case. Each echo will create a new session. But in  your case I think there seems to be some kind of duplicate packets going on :

****** 80760.0: <l2-zone1/ethernet0/0> packet received [60]******
  ipid = 222(00de), @04bd9368
  packet passed sanity check.
  l2-zone1.1:192.168.1.1/1280->192.168.1.135/1024,1(8/0)<Root>

......
80760.0: <l2-ext/ethernet0/2> packet received [60]******
  ipid = 222(00de), @04bd9b68
packet passed sanity check.
  l2-ext.3:192.168.1.1/1280->192.168.1.135/1024,1(8/0)<Root>
found mac 001b3833cb68 on ethernet0/1

 

If you look at the packets that the FW are receiving above, they have the same IPID and ports for that packet. And they are reaching the FW from different interfaces! One on eth0/0 and one from eth0/2. There seems like a loop going on in the network as we are seeing the same packet hitting the FW on 2 different interfaces. That should not be happening.

I tested it with ftp too and result is the same.

Do you have already tested this kind of architecture ? (trunk and FW in the middle). This behaviour is
pretty weird cos it seems FW anticipate the return traffic (inter-vlan traffic).

Notice : i can understand that 2 sessions is needed  (l2-zone1 -> l2-ext and l2-ext -> l2-zone2) but it seems

FW is not able to see that it is the same flow (what a pity for a stateful FW). maybe i'm wrong about this problem and did not find the exact explanation. 

 

Thank you for your time ...

 

Fred 

Hm, I think you didnt really get what I meant. The FW is seeing it as 2 sessions cos the same packets are being routed to the FW twice, which should not be the case unless you a have loop in the network.

 

The snoop shows this very clearly:

80699.0: ethernet0/0(i) len=78:00123f1a4a5a->0008a30eade0/8100/0800, tag 444
              192.168.1.1 -> 192.168.1.135/1
              vhl=45, tos=00, id=221, frag=0000, ttl=128 tlen=60
              icmp:type=8, code=0

80699.0: ethernet0/2(i) len=78:0008a30eade0->001b3833cb68/8100/0800, tag 555
              192.168.1.1 -> 192.168.1.135/1
              vhl=45, tos=00, id=221, frag=0000, ttl=127 tlen=60
              icmp:type=8, code=0  <---Type 8 for Echo. Note Echo REPLY is type=0 code=0

If you take a look at the snoop I copied from your file above, you can see the id is the same for the 2 packets above. You can also see that the (i) means incoming interface. The same packet is coming to the FW on 2 different interfaces eth0/0 and eth0/2.

Even for a L2 FW, that indicates that there is somekind of a loop going on. That is why you are seeing 2 sessions cos the policy you have does not deny this traffic.

 

Based on your configuration this packet should be going from the  l2-zone1 to l2-zone2. The response or echo reply will match the same session.

Hi,

Frames are tagged thru the FW and my switch is configured with STP on this way :
- vlan 1 => instance stp 1
- vlan 444, 555 => instance stp 2

on the switch, 2 trunk ports :
- 1 with vlan 1 (as native) and vlan 444
- 1 with vlan 1 (as native) and vlan 555


Wan --- router ---- FW ----- Switch ---- Users

Effectively, debug outputs seems to show that the same packet arrives on 2 interfaces at the same time.
But it's not really what it happens. there's no drop on FW and on each PC (with wireshark), 1 echo request and 1 echo reply.

I think that's the packet should match l2-zone1 to l2-ext and (at return) l2-ext to l2-zone2 cos FW
does not to act to route it.

Just to say : i'm sure that there are not physical and logical loops.

that's maybe the normal behaviour ...