ScreenOS Firewalls (NOT SRX)
FredPyro
Posts: 4
Registered: 02-17-2009

SSG 350M in transparent mode explanation (problem ?)

Hi everyone,

I installed a firewall to work in transparent mode. Actually, the FW lets tagged frames pass through.
Here is my architecture:

Router (cisco) ------- (e0/2 - zone l2-ext) -- FW -- (e0/0 - zone l2-zone1 - vlan 444)
                                                  -- (e0/1 - zone l2-zone2 - vlan 555)

VLAN 1 will be the native VLAN for the trunks I configured on the switch (Nortel).
Interface vlan1 belongs to VLAN 1 and it seems it's not possible to change its VLAN ID.

Of course, interface vlan1 is in trunk mode.

On the Cisco router I configured inter-VLAN routing and an IP address on the native VLAN (1) to manage the FW remotely or locally.

To summarize:

    vlan 1 is in net A
    vlan 444 is in net B
    vlan 555 is in net C

 

Now what I noticed: I troubleshot transparent mode and it seems that

  1) to manage locally, the vlan1 IP address (or manage IP address) must be in the same subnet

      explanation: a user in net B launches an SSH session to the vlan1 IP address, and the FW intercepts the SYN packet
      and answers with a SYN/ACK sent directly to the router. Is it normal?

  2) to manage remotely, no need, because the packet doesn't pass through the FW at layer 2.

  3) when packets must be routed to the WAN, the flow passes through the FW normally (in e0/0 and out e0/2) and creates just 1 session.

  4) when a packet must be routed between VLANs, the FW creates 2 SESSIONS !!!! (----> e0/0 (i) - e0/2 (o) - e0/2 (i) - e0/0 (o)) = 2 sessions
     consequently, it is necessary to create 2 rules to work properly.

  Does someone have an explanation about points 1 and 4?

  Thanks in advance,

  Fred

  PS: ScreenOS version: 6.0.0.r6


WL
Posts: 790
Registered: 07-26-2008


Re: SSG 350M in transparent mode explanation (problem ?)

Hi

Can you run a quick "get system" and check to see if it says that the FW is in L2 mode?

Usually the return traffic should match the same session and not create a new session. Please post the debugs and conf and we can take a look.

 

****pls click the button " Accept as Solution" if my post helped to solve your problem****
FredPyro
Posts: 4
Registered: 02-17-2009

Re: SSG 350M in transparent mode explanation (problem ?)


Here is the output of "get system":

----------------------------------------------
Date 02/18/2009 09:59:20, Daylight Saving Time enabled
The Network Time Protocol is Disabled
Up 22 hours 23 minutes 16 seconds Since 17Feb2009:11:36:04
Total Device Resets: 48, Last Device Reset at: 12/10/2008 17:52:19
System in transparent mode.
Use interface IP, Config Port: 80
Manager IP enforced: False
-----------------------------------------------

Router (belongs to l2-ext, passes through eth0/2):
- fa0/0.444 (tag 444) 192.168.1.3/25
- fa0/0.555 (tag 555) 192.168.1.254/25
- fa0/0 192.168.2.3/25

FW:
- vlan1 192.168.2.5/24 (GW: 192.168.2.3)

PC A:
- 192.168.1.1/25 (GW: 192.168.1.3), belongs to l2-zone1 (passes through eth0/0)

PC B:
- 192.168.1.135/25 (GW: 192.168.1.254), belongs to l2-zone2 (passes through eth0/1)

My test consists of pinging PC B from PC A.

It seems that on the incoming flow both eth0/0 and eth0/2 receive the packet (so 2 sessions).

I tried to bind eth0/1 to l2-zone1: same result.

PS: I will try to upgrade ScreenOS to 6.1.0r2 (the ScreenOS version of the FW in production) (and if same result, upgrade to 6.2.0r1)

WL
Posts: 790
Registered: 07-26-2008


Re: SSG 350M in transparent mode explanation (problem ?)

Hmm, I see what you mean. ICMP is a special case. Each echo will create a new session. But in your case I think there seems to be some kind of duplicate packets going on:

****** 80760.0: <l2-zone1/ethernet0/0> packet received [60]******
  ipid = 222(00de), @04bd9368
  packet passed sanity check.
  l2-zone1.1:192.168.1.1/1280->192.168.1.135/1024,1(8/0)<Root>

......
80760.0: <l2-ext/ethernet0/2> packet received [60]******
  ipid = 222(00de), @04bd9b68
packet passed sanity check.
  l2-ext.3:192.168.1.1/1280->192.168.1.135/1024,1(8/0)<Root>
found mac 001b3833cb68 on ethernet0/1

 

If you look at the packets that the FW is receiving above, they have the same IPID and ports. And they are reaching the FW from different interfaces! One on eth0/0 and one on eth0/2. There seems to be a loop going on in the network, as we are seeing the same packet hitting the FW on 2 different interfaces. That should not be happening.

****pls click the button " Accept as Solution" if my post helped to solve your problem****
FredPyro
Posts: 4
Registered: 02-17-2009


Re: SSG 350M in transparent mode explanation (problem ?)

I tested it with FTP too and the result is the same.

Have you already tested this kind of architecture (trunk and FW in the middle)? This behaviour is
pretty weird because it seems the FW anticipates the return traffic (inter-VLAN traffic).

Notice: I can understand that 2 sessions are needed (l2-zone1 -> l2-ext and l2-ext -> l2-zone2) but it seems
the FW is not able to see that it is the same flow (what a pity for a stateful FW). Maybe I'm wrong about this problem and did not find the exact explanation.

Thank you for your time ...

Fred

WL
Posts: 790
Registered: 07-26-2008


Re: SSG 350M in transparent mode explanation (problem ?)

Hm, I think you didn't really get what I meant. The FW is seeing it as 2 sessions because the same packets are being routed to the FW twice, which should not be the case unless you have a loop in the network.

The snoop shows this very clearly:

80699.0: ethernet0/0(i) len=78:00123f1a4a5a->0008a30eade0/8100/0800, tag 444
              192.168.1.1 -> 192.168.1.135/1
              vhl=45, tos=00, id=221, frag=0000, ttl=128 tlen=60
              icmp:type=8, code=0


80699.0: ethernet0/2(i) len=78:0008a30eade0->001b3833cb68/8100/0800, tag 555
              192.168.1.1 -> 192.168.1.135/1
              vhl=45, tos=00, id=221, frag=0000, ttl=127 tlen=60
              icmp:type=8, code=0  <---Type 8 for Echo. Note Echo REPLY is type=0 code=0

If you take a look at the snoop I copied from your file above, you can see the id is the same for the 2 packets. You can also see the (i), which means incoming interface. The same packet is coming to the FW on 2 different interfaces, eth0/0 and eth0/2.

Even for an L2 FW, that indicates that there is some kind of loop going on. That is why you are seeing 2 sessions: the policy you have does not deny this traffic.

Based on your configuration this packet should be going from l2-zone1 to l2-zone2. The response or echo reply will match the same session.

****pls click the button " Accept as Solution" if my post helped to solve your problem****
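As an added diagnostic example (not from this thread and not Juniper's code), the script below does mechanically what the reply above does by eye: it parses ScreenOS `snoop` output, groups incoming packets by source, destination, protocol and IP ID, and reports every packet that arrived on more than one interface together with the VLAN tag and TTL of each copy. Tag and TTL are the two fields that tell a bit-for-bit replay (what a switching loop produces: same tag, same TTL) apart from the same IP packet re-entering after a routing hop (different tag, TTL decremented). The two echo-request records in `SNOOP` are copied from the snoop quoted above; the echo-reply record is constructed so the grouping has a negative case.

```python
import re
from collections import defaultdict

# Two echo-request frames copied from the thread's snoop, plus one constructed
# echo reply (different IP ID) that should NOT be flagged.
SNOOP = """\
80699.0: ethernet0/0(i) len=78:00123f1a4a5a->0008a30eade0/8100/0800, tag 444
              192.168.1.1 -> 192.168.1.135/1
              vhl=45, tos=00, id=221, frag=0000, ttl=128 tlen=60
              icmp:type=8, code=0
80699.0: ethernet0/2(i) len=78:0008a30eade0->001b3833cb68/8100/0800, tag 555
              192.168.1.1 -> 192.168.1.135/1
              vhl=45, tos=00, id=221, frag=0000, ttl=127 tlen=60
              icmp:type=8, code=0
80699.1: ethernet0/1(i) len=78:001b3833cb68->0008a30eade0/8100/0800, tag 555
              192.168.1.135 -> 192.168.1.1/1
              vhl=45, tos=00, id=9001, frag=0000, ttl=128 tlen=60
              icmp:type=0, code=0
"""

# Frame header: timestamp, interface, direction (i/o), MACs, ethertypes, optional 802.1Q tag.
HDR = re.compile(r"^(?P<ts>\d+\.\d+): (?P<ifname>\S+)\((?P<dir>[io])\) len=\d+:"
                 r"(?P<smac>[0-9a-f]{12})->(?P<dmac>[0-9a-f]{12})/(?P<eth>[0-9a-f/]+)"
                 r"(?:, tag (?P<tag>\d+))?\s*$")
# IP addresses and protocol number line.
IPL = re.compile(r"^\s+(?P<src>\d+\.\d+\.\d+\.\d+) -> (?P<dst>\d+\.\d+\.\d+\.\d+)/(?P<proto>\d+)")
# IP header fields line: we only need the identification field and the TTL.
IDL = re.compile(r"^\s+vhl=\w+, tos=\w+, id=(?P<ipid>\d+), frag=\w+, ttl=(?P<ttl>\d+)")


def parse_snoop(text):
    """Turn snoop output into a list of packet dicts (one per frame header)."""
    packets, cur = [], None
    for line in text.splitlines():
        m = HDR.match(line)
        if m:
            cur = m.groupdict()
            cur["tag"] = int(cur["tag"]) if cur["tag"] else None
            packets.append(cur)
            continue
        if cur is None:
            continue
        m = IPL.match(line)
        if m:
            cur["src"], cur["dst"], cur["proto"] = m["src"], m["dst"], int(m["proto"])
            continue
        m = IDL.match(line)
        if m:
            cur["ipid"], cur["ttl"] = int(m["ipid"]), int(m["ttl"])
    return packets


def find_duplicates(packets):
    """Group incoming packets by (src, dst, proto, IP ID) and keep only the groups
    whose copies arrived on more than one interface."""
    groups = defaultdict(list)
    for p in packets:
        if p["dir"] == "i" and "ipid" in p:
            groups[(p["src"], p["dst"], p["proto"], p["ipid"])].append(p)
    return {k: v for k, v in groups.items() if len({p["ifname"] for p in v}) > 1}


def describe(group):
    """'identical' when all copies share tag and TTL (a replayed frame, as a switching
    loop produces); 'routed' when tag or TTL differ between arrivals, i.e. the packet
    crossed a routing hop before reaching the firewall again."""
    tags = {p["tag"] for p in group}
    ttls = {p["ttl"] for p in group}
    return "identical" if len(tags) == 1 and len(ttls) == 1 else "routed"


if __name__ == "__main__":
    for (src, dst, proto, ipid), grp in find_duplicates(parse_snoop(SNOOP)).items():
        copies = ", ".join(f"{p['ifname']} (tag {p['tag']}, ttl {p['ttl']})" for p in grp)
        print(f"{src} -> {dst} proto={proto} id={ipid}: seen on {copies} -> {describe(grp)}")
```

Run it on a saved snoop file by replacing `SNOOP` with the file contents; a result of `identical` on several IDs in a row is the signature worth chasing as a loop, while `routed` copies point at the path between the interfaces instead.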
FredPyro
Posts: 4
Registered: 02-17-2009


Re: SSG 350M in transparent mode explanation (problem ?)

Hi,

Frames are tagged through the FW and my switch is configured with STP this way:
- vlan 1 => STP instance 1
- vlan 444, 555 => STP instance 2

On the switch, 2 trunk ports:
- 1 with vlan 1 (as native) and vlan 444
- 1 with vlan 1 (as native) and vlan 555

Wan --- router ---- FW ----- Switch ---- Users

Effectively, the debug outputs seem to show that the same packet arrives on 2 interfaces at the same time.
But that's not really what happens: there are no drops on the FW, and on each PC (with Wireshark) I see 1 echo request and 1 echo reply.

I think the packet should match l2-zone1 to l2-ext and (on return) l2-ext to l2-zone2, because the FW
does not act to route it.

Just to say: I'm sure that there are no physical or logical loops.

That's maybe the normal behaviour ...
