02-17-2009 09:35 AM
I installed a firewall to work in transparent mode. Actually, the FW lets tagged frames pass through.
Here is my architecture:
Router (cisco) ------- (e0/2 - zone l2-ext) -- FW -- (e0/0 - zone l2-zone1- vlan 444)
VLAN 1 will be the native VLAN for the trunks I configured on the switch (Nortel).
Interface vlan1 belongs to VLAN 1 and it seems it's not possible to change its VLAN ID.
Of course, interface vlan1 is in trunk mode.
On the Cisco router I configured inter-VLAN routing and an IP address for the native VLAN (1) to manage the FW remotely or locally.
To summarize:
VLAN 1 is in net A
VLAN 444 is in net B
VLAN 555 is in net C
Now, what I noticed: I troubleshot transparent mode and it seems that
1) to manage locally, the vlan1 IP address (or manage IP address) must be in the same subnet.
Explanation: a user in net B launches an SSH session to the vlan1 IP address, and the FW intercepts the SYN packet
and answers with a SYN/ACK, sending it directly to the router. Is this normal?
2) to manage remotely, no need, because packets don't pass through the FW at layer 2.
3) when packets must be routed to the WAN, the flow passes through the FW normally (in e0/0 and out e0/2) and creates just 1 session.
4) when packets must be routed between VLANs, the FW creates 2 SESSIONS!!!! (----> e0/0 (i) - e0/2 (o) - e0/2 (i) - e0/0 (o)) = 2 sessions
Consequently, it is necessary to create 2 rules for it to work properly.
Does anyone have an explanation for points 1 and 4?
Thanks in advance,
PS: ScreenOS version: 6.0.0.r6
02-17-2009 02:07 PM
Can you run a quick "get system" and check to see if it says that the FW is in L2 mode?
Usually the return traffic should match the same session and not create a new session. Please post the debugs and conf and we can take a look.
02-18-2009 01:25 AM - edited 02-18-2009 01:37 AM
Here is the output of "get system":
Date 02/18/2009 09:59:20, Daylight Saving Time enabled
The Network Time Protocol is Disabled
Up 22 hours 23 minutes 16 seconds Since 17Feb2009:11:36:04
Total Device Resets: 48, Last Device Reset at: 12/10/2008 17:52:19
System in transparent mode.
Use interface IP, Config Port: 80
Manager IP enforced: False
Router (belongs to l2-ext, passes through eth0/2):
- fa0/0.444 (tag 444) 192.168.1.3/25
- fa0/0.555 (tag 555) 192.168.1.254/25
- fa0/0 192.168.2.3/25
- vlan1 192.168.2.5/24 (GW: 192.168.2.3)
PC A:
- 192.168.1.1/25 (GW: 192.168.1.3), belongs to l2-zone1 (passes through eth0/0)
PC B:
- 192.168.1.135/25 (GW: 192.168.1.254), belongs to l2-zone2 (passes through eth0/1)
My test consists of pinging PC B from PC A.
It seems that on the incoming flow both eth0/0 and eth0/2 receive the packet (so 2 sessions).
I tried to bind eth0/1 to l2-zone1: same result.
02-18-2009 08:23 AM
Hmm, I see what you mean. ICMP is a special case. Each echo will create a new session. But in your case I think there seem to be some kind of duplicate packets going on:
****** 80760.0: <l2-zone1/ethernet0/0> packet received ******
ipid = 222(00de), @04bd9368
packet passed sanity check.
80760.0: <l2-ext/ethernet0/2> packet received ******
ipid = 222(00de), @04bd9b68
packet passed sanity check.
found mac 001b3833cb68 on ethernet0/1
If you look at the packets that the FW is receiving above, they have the same IPID and ports. And they are reaching the FW from different interfaces! One on eth0/0 and one on eth0/2. It seems like there is a loop going on in the network, as we are seeing the same packet hitting the FW on 2 different interfaces. That should not be happening.
02-18-2009 09:13 AM
I tested it with FTP too and the result is the same.
Have you already tested this kind of architecture (trunk with the FW in the middle)? This behaviour is
pretty weird because it seems the FW anticipates the return traffic (inter-VLAN traffic).
Note: I can understand that 2 sessions are needed (l2-zone1 -> l2-ext and l2-ext -> l2-zone2), but it seems
the FW is not able to see that it is the same flow (what a pity for a stateful FW). Maybe I'm wrong about this problem and did not find the exact explanation.
Thank you for your time ...
02-18-2009 10:21 AM
Hm, I think you didn't really get what I meant. The FW is seeing it as 2 sessions because the same packets are being routed to the FW twice, which should not be the case unless you have a loop in the network.
The snoop shows this very clearly:
80699.0: ethernet0/0(i) len=78:00123f1a4a5a->0008a30eade0/8100/0800, tag 444
192.168.1.1 -> 192.168.1.135/1
vhl=45, tos=00, id=221, frag=0000, ttl=128 tlen=60
80699.0: ethernet0/2(i) len=78:0008a30eade0->001b3833cb68/8100/0800, tag 555
192.168.1.1 -> 192.168.1.135/1
vhl=45, tos=00, id=221, frag=0000, ttl=127 tlen=60
icmp:type=8, code=0 <---Type 8 for Echo. Note Echo REPLY is type=0 code=0
If you take a look at the snoop I copied from your file above, you can see the id is the same for the 2 packets. You can also see that the (i) means incoming interface. The same packet is coming to the FW on 2 different interfaces, eth0/0 and eth0/2.
Even for an L2 FW, that indicates that there is some kind of loop going on. That is why you are seeing 2 sessions, because the policy you have does not deny this traffic.
Based on your configuration this packet should be going from the l2-zone1 to l2-zone2. The response or echo reply will match the same session.
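The reply above reads the snoop output by eye: same source, destination and IP ID on two different (i) interfaces means the firewall saw one packet twice. Here is a small Python script, added as an example and not part of the original thread, that does the same check mechanically over snoop text in the format quoted above. It groups records by (src, dst, protocol, IP ID), ignores (o) egress copies, and reports any packet received on more than one interface. It also compares the TTL of the copies, which the eyeball check skips: a frame duplicated by a layer-2 loop arrives with the same TTL every time, while a packet that a router forwarded back through the firewall arrives with its TTL decremented by one (the snoop above shows ttl=128 on ethernet0/0 and ttl=127 on ethernet0/2). The sample snoop text is constructed for the example: IP ID 221 mirrors the quoted capture, and IP ID 222 is an invented same-TTL duplicate to show the other verdict. The verdict labels are this script's own.

```python
"""Group ScreenOS snoop records by IP identity and flag packets that arrive on
more than one ingress interface.  Added example, not from the original thread."""
import re
from collections import defaultdict

# Constructed sample in the snoop format quoted in the thread.  IP ID 221 is the
# echo request seen on ethernet0/0 (ttl=128) and again on ethernet0/2 (ttl=127),
# plus its (o) egress copy; IP ID 222 is an invented layer-2 duplicate (same ttl).
SAMPLE_SNOOP = """\
80699.0: ethernet0/0(i) len=78:00123f1a4a5a->0008a30eade0/8100/0800, tag 444
192.168.1.1 -> 192.168.1.135/1
vhl=45, tos=00, id=221, frag=0000, ttl=128 tlen=60
icmp:type=8, code=0
80699.0: ethernet0/2(i) len=78:0008a30eade0->001b3833cb68/8100/0800, tag 555
192.168.1.1 -> 192.168.1.135/1
vhl=45, tos=00, id=221, frag=0000, ttl=127 tlen=60
icmp:type=8, code=0
80699.1: ethernet0/1(o) len=78:0008a30eade0->001b3833cb68/8100/0800, tag 555
192.168.1.1 -> 192.168.1.135/1
vhl=45, tos=00, id=221, frag=0000, ttl=127 tlen=60
icmp:type=8, code=0
80700.0: ethernet0/0(i) len=78:00123f1a4a5a->0008a30eade0/8100/0800, tag 444
192.168.1.1 -> 192.168.1.135/1
vhl=45, tos=00, id=222, frag=0000, ttl=128 tlen=60
icmp:type=8, code=0
80700.0: ethernet0/1(i) len=78:00123f1a4a5a->0008a30eade0/8100/0800, tag 444
192.168.1.1 -> 192.168.1.135/1
vhl=45, tos=00, id=222, frag=0000, ttl=128 tlen=60
icmp:type=8, code=0
"""

# Frame line: "<ts>: <iface>(i|o) len=N:<smac>-><dmac>/<ethertypes>[, tag N]"
HDR_RE = re.compile(
    r"^(?P<ts>\d+\.\d+):\s+(?P<iface>\S+?)\((?P<dir>[io])\)\s+len=\d+:"
    r"[0-9a-f]+->[0-9a-f]+/[0-9a-f/]+(?:,\s*tag\s+(?P<tag>\d+))?\s*$")
# IP line: "<src> -> <dst>/<proto>"
IP_RE = re.compile(r"^(?P<src>[\d.]+)\s*->\s*(?P<dst>[\d.]+)/(?P<proto>\d+)\s*$")
# IP header line: "vhl=.., tos=.., id=N, frag=.., ttl=N tlen=N"
IPHDR_RE = re.compile(
    r"^vhl=[0-9a-f]+,\s*tos=[0-9a-f]+,\s*id=(?P<ipid>\d+),\s*frag=[0-9a-f]+,"
    r"\s*ttl=(?P<ttl>\d+)\s+tlen=\d+")


def parse_snoop(text):
    """Return one dict per snoop record that carries a frame header and an IP header."""
    records, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        m = HDR_RE.match(line)
        if m:                                    # a new record starts here
            cur = {"ts": m["ts"], "iface": m["iface"], "dir": m["dir"],
                   "tag": int(m["tag"]) if m["tag"] else None, "l4": None}
            records.append(cur)
            continue
        if cur is None:
            continue
        m = IP_RE.match(line)
        if m:
            cur.update(src=m["src"], dst=m["dst"], proto=int(m["proto"]))
            continue
        m = IPHDR_RE.match(line)
        if m:
            cur.update(ipid=int(m["ipid"]), ttl=int(m["ttl"]))
            continue
        cur["l4"] = line                         # e.g. "icmp:type=8, code=0"
    return [r for r in records if "ipid" in r and "src" in r]


def find_multi_ingress(records):
    """Flag (src, dst, proto, ipid) tuples received on more than one interface.

    Same TTL on every copy: nothing routed the packet between sightings, which is
    what a layer-2 loop produces.  TTL differing by exactly one: a router forwarded
    the packet back through the firewall (a routed hairpin).
    """
    groups = defaultdict(list)
    for r in records:
        if r["dir"] == "i":                      # ingress copies only
            groups[(r["src"], r["dst"], r["proto"], r["ipid"])].append(r)
    findings = []
    for key, recs in sorted(groups.items()):
        ifaces = sorted({r["iface"] for r in recs})
        if len(ifaces) < 2:
            continue
        ttls = sorted(r["ttl"] for r in recs)
        if len(set(ttls)) == 1:
            verdict = "l2-duplicate"
        elif ttls[-1] - ttls[0] == 1:
            verdict = "routed-hairpin"
        else:
            verdict = "multi-hop"
        findings.append({"key": key, "interfaces": ifaces, "ttls": ttls,
                         "tags": sorted(t for t in {r["tag"] for r in recs} if t is not None),
                         "verdict": verdict})
    return findings


if __name__ == "__main__":
    for f in find_multi_ingress(parse_snoop(SAMPLE_SNOOP)):
        src, dst, proto, ipid = f["key"]
        print(f"{src} -> {dst} proto={proto} ipid={ipid}: seen on "
              f"{', '.join(f['interfaces'])} tags={f['tags']} ttls={f['ttls']} "
              f"=> {f['verdict']}")
```

Paste real `snoop` output in place of the constructed sample; records whose egress copy is the only other sighting are not flagged, so a normal one-pass flow produces no findings. Note the (i) copies are matched on IP ID, which is fine for a short capture but can collide across unrelated flows over a long one, hence the grouping on src/dst/protocol as well.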
02-20-2009 05:09 AM
Frames are tagged through the FW and my switch is configured with STP in this way:
- VLAN 1 => STP instance 1
- VLAN 444, 555 => STP instance 2
On the switch, 2 trunk ports:
- 1 with VLAN 1 (as native) and VLAN 444
- 1 with VLAN 1 (as native) and VLAN 555
Wan --- router ---- FW ----- Switch ---- Users
Indeed, the debug output seems to show that the same packet arrives on 2 interfaces at the same time.
But that's not really what happens. There's no drop on the FW and, on each PC (with Wireshark), 1 echo request and 1 echo reply.
I think the packet should match l2-zone1 to l2-ext and (on return) l2-ext to l2-zone2, because the FW
does not act to route it.
Just to say: I'm sure that there are no physical or logical loops.
Maybe that's the normal behaviour...