On a Hybrid Network, the Slave Firewall Cannot be Pinged Through Sometimes

Publication Date:  2012-07-17 Views:  95 Downloads:  0
Issue Description



1.          The slave firewall cannot be pinged through from the Secospace server sometimes.

2.       The service network connection from the Secospace server to the firewall is not through sometimes.
Alarm Information
Handling Process

1.          Ping the slave firewall form a upstream terminal. View the MAC forwarding table on the switch and the firewall.

2.          Ping the slave firewall form a downstream terminal. View the MAC forwarding table on the switch and the firewall.

3.          The MAC address of the slave firewall is updated repeatedly. Occasionally, the MAC entries indicate that the ingress interface is the same as the egress interface. As a result, the firewall discards some packets.

Root Cause
1.          Use 300 packets to ping the slave firewall from the terminal. Six packets are lost.
2.          According to the slave debug statistics, only the slave firewall receives only 294 packets and responds to all these packets.

3.          According to the master debug statistics, the master firewall receives only 275 packets (the other 25 ICMP packets go to the slave firewall not through the master firewall) but forwards to 294 ICMP response packets. The master firewall discards six ICMP request packets because the ingress interface and egress interface of these packets are the same according to the MAC forwarding table.

4.          Packets captured from interface G0/0/0 of the slave firewall indicates that some ICMP request packets are received by G0/0/0 while most ICMP request packets are received by G0/0/1.

5.          According to MAC entries of the master firewall and the intranet C2960 slave device, MAC address wander occurs.
6.          Packets captured from the intranet interface of the slave device contain COPS heartbeat packets for interaction with the Secospace server. ARP entries on the terminal of the slave device indicates the egress interface is G0/0/1, while those on the core switch indicates that the egress interface is G0/0/0. This indicates that interaction packets between the terminal, Secospace server and the slave firewall go through the master firewall. If the ARP entries on the slave firewall indicates that egress interface is G0/0/0 when the master firewall receives ICMP request packets, the master firewall discard these packets.
On a hybrid network, you are advised to enable multiple vlanifs, making the service VLAN independent of the management VLAN.