
A packet that traverses the firewall twice is dropped

Publication Date:  2012-09-22 Views:  51 Downloads:  0
Issue Description
    S9312-A ------------ S9312-B
         |      \            /        |
         |           \   /            |
         |           /   \            |
         |       /           \        |
    E1000E-A-------------E1000E-B
         |                         |
         |                         |
     S5312-A---------------S5312-B
The Eudemon1000E firewalls work in transparent mode and pass through VLANs 703 and 709. VLAN 410 is the firewall management VLAN. S53-A is primary and S53-B is secondary.
S53-A - E1000E-A - S93-A and S53-B - E1000E-B - S93-B carry VLAN 703.
S53-A - E1000E-A - S93-B and S53-B - E1000E-B - S93-A carry VLAN 709. Links in the same plane have OSPF cost 10 and are the primary links; links across planes have OSPF cost 15 and are the secondary links.
Management traffic from S93-A cannot manage E1000E-A over VLAN 703: a ping from a VLAN 703 source address to the E1000E-A VLAN 410 address fails, while a ping from S93-A with a VLAN 709 source address to the same E1000E-A VLAN 410 address succeeds.

Alarm Information
none
Handling Process
Several subsystems in this network use the same topology as above. Change the VLAN pass-through as follows:
For the network management subsystem, carry VLAN 410 on the link to S53.
Carry the VLANs of the other subsystems on the link to S93. A packet then has only one chance to pass through the firewall, which avoids this problem.

Root Cause
The management traffic from S93-A prefers the route learned over VLAN 703, so the preferred path from S93-A to E1000E-A is
VLAN703         VLAN703          VLAN410
S93-A--------------------E1000E-A-----------------S53-A-------------------E1000E-A
so the packet passes through the firewall twice.

In transparent mode and in fixed mode the E1000E behaves as follows: to improve performance, only the first packet of a session in each direction (forward and reverse) is looked up in the MAC forwarding table to determine the egress port. The egress port is then cached in the session table; subsequent packets of the session skip the MAC table lookup and are sent directly out of the cached egress port.
The links traversed by a ping from S93-A to E1000E-A are:
1. 93-A ---> E1000E-A
2. E1000E-A ----> 53-A
3. 53-A ----> E1000E-A: the packet enters from G0/0/1 in VLAN 410, but the cached egress port for subsequent packets of this session is G0/0/0. Before sending the packet, the firewall checks whether the ingress port and the egress port are in the same VLAN; they are not, so the packet is dropped.
In this way one packet passes through the firewall twice, with different ingress and egress ports and VLANs, and the firewall drops it. The packet capture agrees with this analysis.
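To make the session-cache behaviour in the three steps above concrete, here is a small Python model of a transparent-mode firewall that does a MAC table lookup only for the first packet of a session and reuses the cached egress port afterwards. It is an added example, not Huawei's code or the firewall's real implementation. The port G0/0/2 facing S93-A, the MAC addresses and the S93-A source address 10.0.3.1 are assumptions; G0/0/0, G0/0/1 and the management address 10.0.32.137 are taken from this page. primary_path() replays the VLAN 703 path, where E1000E-A sees the same packet twice and drops the second arrival; secondary_path() replays the VLAN 709 path, where E1000E-A sees it only once and delivers it locally.

```python
"""Toy model of the session-cached layer-2 forwarding described above.

Assumed for this example (not stated on the page): a third firewall port
G0/0/2 facing S93-A, all MAC addresses, and the S93-A source address
10.0.3.1. The management address 10.0.32.137 and the ports G0/0/0 and
G0/0/1 come from the page.
"""
from dataclasses import dataclass

LOCAL = "LOCAL"  # pseudo egress: frame is addressed to the firewall itself
DROP = "DROP"


@dataclass(frozen=True)
class Arrival:
    """One arrival of a packet at a firewall port."""
    src_ip: str
    dst_ip: str
    proto: str
    in_port: str
    vlan: int
    dst_mac: str


class TransparentFirewall:
    """Transparent-mode firewall: only the first packet of a session is
    looked up in the MAC forwarding table; the egress port is then cached
    in the session entry and reused for every later packet of the session."""

    def __init__(self, name, port_vlans, mac_table):
        self.name = name
        self.port_vlans = port_vlans  # port -> set of VLAN ids it carries
        self.mac_table = mac_table    # (vlan, dst mac) -> egress port or LOCAL
        self.sessions = {}            # (src ip, dst ip, proto) -> cached egress
        self.log = []

    def forward(self, pkt):
        key = (pkt.src_ip, pkt.dst_ip, pkt.proto)
        if key in self.sessions:
            out_port, how = self.sessions[key], "session cache"
        else:
            out_port = self.mac_table.get((pkt.vlan, pkt.dst_mac))
            if out_port is None:
                self.log.append(f"{self.name}: unknown MAC {pkt.dst_mac} in vlan {pkt.vlan}, drop")
                return DROP
            self.sessions[key] = out_port
            how = "MAC table"
        # The check that causes the drop: if the cached egress port does not
        # carry the ingress VLAN, the packet has come back in on a different
        # VLAN than the one the session was created on.
        if out_port != LOCAL and pkt.vlan not in self.port_vlans[out_port]:
            self.log.append(f"{self.name}: in {pkt.in_port} vlan {pkt.vlan}, "
                            f"egress {out_port} ({how}) not in vlan {pkt.vlan}, drop")
            return DROP
        self.log.append(f"{self.name}: in {pkt.in_port} vlan {pkt.vlan} -> {out_port} ({how})")
        return out_port


# Constructed addresses for the example.
MAC_S53A = "00:00:5e:00:53:0a"      # S53-A interface MAC (constructed)
MAC_FW_MGMT = "00:00:5e:00:53:ff"   # E1000E-A VLAN 410 management MAC (constructed)
SRC_S93A = "10.0.3.1"               # S93-A VLAN 703 source address (constructed)
DST_MGMT = "10.0.32.137"            # E1000E-A management address (from the page)


def new_e1000e_a():
    """Fresh E1000E-A with an empty session table."""
    return TransparentFirewall(
        "E1000E-A",
        port_vlans={"G0/0/0": {703}, "G0/0/1": {410}, "G0/0/2": {703}},
        mac_table={(703, MAC_S53A): "G0/0/0", (410, MAC_FW_MGMT): LOCAL},
    )


def primary_path():
    """VLAN 703 path: the same packet reaches E1000E-A twice."""
    fw = new_e1000e_a()
    arrivals = [
        # step 1/2: S93-A -> S53-A, bridged through the firewall at layer 2
        Arrival(SRC_S93A, DST_MGMT, "icmp", "G0/0/2", 703, MAC_S53A),
        # step 3: S53-A routes it into VLAN 410, back to the firewall itself
        Arrival(SRC_S93A, DST_MGMT, "icmp", "G0/0/1", 410, MAC_FW_MGMT),
    ]
    return [fw.forward(p) for p in arrivals], fw.log


def secondary_path():
    """VLAN 709 path via E1000E-B and S53-B: E1000E-A sees the packet once."""
    fw = new_e1000e_a()
    pkt = Arrival(SRC_S93A, DST_MGMT, "icmp", "G0/0/1", 410, MAC_FW_MGMT)
    return [fw.forward(pkt)], fw.log


if __name__ == "__main__":
    for name, run in (("primary", primary_path), ("secondary", secondary_path)):
        results, log = run()
        print(name, results)
        print("\n".join(log))
```

The model deliberately consults the session table before the MAC table on every packet after the first, which is the ordering the root cause describes: the second arrival is never recognised as a frame for the firewall's own management interface, because the existing session already dictates egress G0/0/0 and the VLAN check then fails.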

The secondary path is
VLAN709             VLAN709          VLAN410           VLAN410
S93-A--------------------E1000E-B-----------------S53-B-------------------S53-A-------------E1000E-A

On this path the packet passes through a firewall only once, so the ping succeeds.
Suggestions
V100R002C01SPC001 fixes the case of one packet passing through the firewall twice, but it requires both passes to be layer 2 forwarding. Our traffic flow is as follows:
VLAN703    VLAN703        VLAN410
S93-A--------------------E1000E-A-----------------S53-A-------------------E1000E-A(10.0.32.137)
1. For the packet from S93-A to S53-A, the E1000E forwards at layer 2, and the session's next-hop records the packet's destination address (10.0.32.137).
2. For the packet from S53-A to E1000E-A, the destination MAC is the interface's own MAC, so E1000E-A forwards at layer 3. It does not look up the route again but uses the cached session next-hop (10.0.32.137) for the ARP lookup; no ARP entry is found, so the packet is dropped.
In this network the first pass through the firewall is forwarded at layer 2 and the second at layer 3; V100R002C01SPC001 does not support this special case.

END