
Service-manage is not working correctly

Publication Date:  2017-10-06 Views:  139 Downloads:  0
Issue Description

The customer has the following topology. He opened a ticket because, although he had enabled service-manage https on VLANIF202 on both firewalls, he was able to connect via the WebUI only to Firewall B.




Active device configuration:

interface Vlanif202
 ip address 192.168.202.247 255.255.255.0
 vrrp vrid 1 virtual-ip 192.168.202.254 active
 service-manage https permit
 service-manage ping permit

interface GigabitEthernet0/0/1
 ip address 10.255.1.28 255.255.255.248
 vrrp vrid 2 virtual-ip 10.255.1.30 active
 service-manage ping permit
Handling Process

We configured traffic statistics on Firewall A and saw that Firewall A drops the packets because the service-manage policy is missing on the inbound interface.



Root Cause

The service-manage policy requires that, if the inbound interface is not the managed interface, you also add service-manage on the inbound interface of the service packets.

 

Although we fixed the problem, the customer still wanted an explanation of why Firewall A needs service-manage on both GI 0/0/1 and Vlanif202, while on Firewall B it is enough to configure it only on Vlanif202.

1. Customer wants to access FW_A.

a) Packet flow:

- Packet arrives at the router. The router looks at its IP routing table; the next hop is 10.255.1.30.
- Since the next hop is 10.255.1.30, the packet arrives at FW_A (it owns the virtual IP of the VRRP group).
- The destination is 192.168.202.247, which is the physical address of Vlanif202 of FW_A.

Conclusion:

- Inbound interface of the packets is Gi 0/0/1.
- Destination is 192.168.202.247 => you need to put service-manage on both interfaces.

2. Customer wants to access FW_B.

b) Packet flow:

- Packet arrives at the router. The router looks at its IP routing table; the next hop is 10.255.1.30 (same as the first case).
- Packets arrive again at FW_A, but this time the destination of the packets is the physical IP address of Vlanif202 on FW_B.
- FW_A looks in its routing table and sees that the destination is not itself, but a host on the same VLAN 202.
- It forwards the packets into VLAN 202, because it knows 192.168.202.248 is in the same VLAN.

Conclusion: FW_B receives the packets from Fusion_A.

- Inbound interface: Vlanif202
- Destination: Vlanif202 IP address => you need to put service-manage only on Vlanif202, since it is both the inbound and the destination interface.


Solution

The customer needs to add service-manage https permit on the Gi 0/0/1 interfaces of both firewalls. Even though it is not needed on Firewall B while Firewall A is active, if Firewall A goes out of service Firewall B becomes the VRRP master, the packets then enter Firewall B on Gi 0/0/1, and without the permit there he would be unable to connect to Firewall B.
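The rule from the Root Cause section (permit the service on the interface that owns the destination address and, when different, on the inbound interface too) and the failover argument from the Solution can be checked mechanically against a configuration. The script below is an added example, not code from the original case or from Huawei: it parses interface stanzas in the same style as the excerpts above and replays the three situations (access FW_A, access FW_B, access FW_B after FW_A fails). Firewall A's configuration is the one shown on the page; Firewall B's configuration is constructed, with 192.168.202.248 from the page and the address 10.255.1.29 and the standby VRRP roles assumed. The function and variable names are this example's own.

```python
"""Added example (not from the original case and not Huawei code): a small
model of the service-manage rule from the Root Cause section.

Rule: a management packet (https, ping, ...) is accepted only if the service
is permitted on the interface that owns the destination address AND, when the
packet came in on a different interface, on that inbound interface as well.
"""
import ipaddress
import re

# Firewall A as shown on the page, before the fix.
FW_A_CONFIG = """\
interface Vlanif202
 ip address 192.168.202.247 255.255.255.0
 vrrp vrid 1 virtual-ip 192.168.202.254 active
 service-manage https permit
 service-manage ping permit
interface GigabitEthernet0/0/1
 ip address 10.255.1.28 255.255.255.248
 vrrp vrid 2 virtual-ip 10.255.1.30 active
 service-manage ping permit
"""

# Firewall B (constructed): 192.168.202.248 is from the page; 10.255.1.29 and
# the standby roles are assumptions for this example.
FW_B_CONFIG = """\
interface Vlanif202
 ip address 192.168.202.248 255.255.255.0
 vrrp vrid 1 virtual-ip 192.168.202.254 standby
 service-manage https permit
 service-manage ping permit
interface GigabitEthernet0/0/1
 ip address 10.255.1.29 255.255.255.248
 vrrp vrid 2 virtual-ip 10.255.1.30 standby
 service-manage ping permit
"""


def parse_config(text):
    """Return {interface_name: {"ip": IPv4Interface or None, "permits": set}}."""
    interfaces = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"interface (\S+)$", line):
            current = interfaces.setdefault(m.group(1), {"ip": None, "permits": set()})
        elif current is None:
            continue  # ignore anything before the first interface stanza
        elif m := re.match(r"ip address (\S+) (\S+)$", line):
            # ipaddress accepts "addr/dotted-netmask", so the CLI form maps directly
            current["ip"] = ipaddress.IPv4Interface(f"{m.group(1)}/{m.group(2)}")
        elif m := re.match(r"service-manage (\S+) permit$", line):
            current["permits"].add(m.group(1))
    return interfaces


def management_allowed(interfaces, inbound_if, dst_ip, service):
    """Apply the rule. Returns (allowed, [interfaces missing the permit])."""
    dst = ipaddress.IPv4Address(dst_ip)
    managed_if = next(
        (name for name, i in interfaces.items() if i["ip"] is not None and i["ip"].ip == dst),
        None,
    )
    if managed_if is None:
        return False, []  # not one of this box's interface addresses
    required = [managed_if] if inbound_if == managed_if else [managed_if, inbound_if]
    missing = [n for n in required if service not in interfaces.get(n, {"permits": set()})["permits"]]
    return not missing, missing


def add_permit(interfaces, ifname, service):
    """Model adding 'service-manage <service> permit' under interface <ifname>."""
    interfaces.setdefault(ifname, {"ip": None, "permits": set()})["permits"].add(service)
    return interfaces


def scenarios():
    """The cases from the page: access A, access B, access B after A fails, then the fix."""
    fw_a, fw_b = parse_config(FW_A_CONFIG), parse_config(FW_B_CONFIG)
    results = {
        # Case 1: A is VRRP master; packet enters on Gi0/0/1, destined to A's Vlanif202
        "access_A": management_allowed(fw_a, "GigabitEthernet0/0/1", "192.168.202.247", "https"),
        # Case 2: A forwards into VLAN 202; on B the inbound interface is also the destination
        "access_B": management_allowed(fw_b, "Vlanif202", "192.168.202.248", "https"),
        # Failover: B is now VRRP master, so the packet enters B on Gi0/0/1
        "access_B_after_failover": management_allowed(fw_b, "GibitEthernet0/0/1".replace("Gibit", "Gigabit"), "192.168.202.248", "https"),
    }
    # The solution from the page: permit https on Gi0/0/1 of both firewalls
    for fw in (fw_a, fw_b):
        add_permit(fw, "GigabitEthernet0/0/1", "https")
    results["access_A_fixed"] = management_allowed(fw_a, "GigabitEthernet0/0/1", "192.168.202.247", "https")
    results["access_B_after_failover_fixed"] = management_allowed(fw_b, "GigabitEthernet0/0/1", "192.168.202.248", "https")
    return results


if __name__ == "__main__":
    for name, (allowed, missing) in scenarios().items():
        print(f"{name}: {'allowed' if allowed else 'blocked'} missing={missing}")
```

The same check can be run over a real exported configuration before a failover test: any interface that can become the VRRP master's ingress for management traffic must carry the same service-manage permits as the managed interface, otherwise the device stops being reachable exactly when the other unit is down.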

END