TOPIC: Duplicated traffic

Duplicated traffic 8 years 2 weeks ago #28230

  • Chojin
  • Senior Member
  • Posts: 251
  • Karma: 0
Hey guys (and girls of course :)).

I'm a bit confused... seems my Cisco knowledge isn't as good as I hoped ;-).

Currently I'm facing a problem where our firewall receives traffic on 2 interfaces... seriously :-)... no SPAN ports configured or port-channels, just 2 interfaces on the switch connected to 2 interfaces of the firewall... and it seems both ports are used, but the strange part... it only happens for a couple of computers.

So, to make a little bit of a drawing:

[Server (Vlan1) ] --> [Core Switch] --> [DMZ Switch] --> [Firewall]
[Server (Vlan2) ] --> [Core Switch] --> [DMZ Switch] --> [Firewall]

The server on VLAN 1 reaches the firewall on interfaces 1 and 2.
The server on VLAN 2 reaches the firewall on interface 1 only.

On the DMZ switch we make use of private-vlan configuration.

Does anyone have an idea how this could be possible?!
Thanks
CCNA / CCNP / CCNA - Security / CCIP / Prince2 / Checkpoint CCSA

Re: Duplicated traffic 8 years 2 weeks ago #28234

  • S0lo
  • Moderator
  • Posts: 1577
  • Thank you received: 7
  • Karma: 3
What type/model of firewall is this, Chojin? Is it an ASA, PIX or Linux, Windows box?
Studying CCNP...

Ammar Muqaddas
Forum Moderator
www.firewall.cx

Re: Duplicated traffic 8 years 2 weeks ago #28237

  • Chojin
  • Senior Member
  • Posts: 251
  • Karma: 0
Good question.

This is a Checkpoint R61 baby... I am kinda thinking about routing loops... but it still makes no sense at this time.

I'm going to the server room in a while to make some tcpdumps to see what's going on, also on L2; hope to find more info on that.
CCNA / CCNP / CCNA - Security / CCIP / Prince2 / Checkpoint CCSA

Re: Duplicated traffic 8 years 2 weeks ago #28239

  • S0lo
  • Moderator
  • Posts: 1577
  • Thank you received: 7
  • Karma: 3
Hmm, not sure about Checkpoint, but since the server (on VLAN 2) is able to reach interface 1, that confirms that back-and-forth traffic is finding the right routes. So the first thing I can think of is the policy in the firewall.

For example, in ASAs and PIXes, by default traffic is allowed to flow from a higher security level interface to a lower security level interface, but not vice versa. You'd need an ACL (and in some cases a static mapping) to allow the reverse traffic. The Checkpoint could have similar rules.

I assume here that interface 1 is on VLAN 1 and interface 2 is on VLAN 2, that the gateways on the servers are configured properly, and that both switches are working at layer 2 (at least for this case). It's a bit odd that the server on VLAN 2 can reach the interface on VLAN 1 but not the interface on its own VLAN 2!! :?
Studying CCNP...

Ammar Muqaddas
Forum Moderator
www.firewall.cx

Re: Duplicated traffic 8 years 2 weeks ago #28247

  • Chojin
  • Senior Member
  • Posts: 251
  • Karma: 0
Today, after a long day of work, we figured it out :-).

Seems the Checkpoint firewall has some kind of bug and switched around the source/destination... so, in fact, source was destination and destination was source.

In our log there was:

Server A > Server B [OK]
Server A > Server B [Drop]

While this was in fact:

Server A > Server B [Ok]
Server B > Server A [Drop]

Seems server B had a wrong route for a subnet, sending it towards the wrong interface on the firewall... I still don't get why the Checkpoint switched the source/destination... when I know, I'll let ya know :)
CCNA / CCNP / CCNA - Security / CCIP / Prince2 / Checkpoint CCSA
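As an added illustration, not part of the thread or of any vendor's tooling, here is a small Python script that applies the reading in the last post to constructed firewall log lines: it flags one direction of a flow that enters the firewall on more than one inbound interface (the duplicated traffic), and drops whose reverse direction was accepted earlier, which points at the replying host's routing rather than at the policy. The `key=value` line format, field names and addresses are all constructed for this example.

```python
from collections import defaultdict

# Constructed sample log (not a real vendor format): key=value fields per line.
# Host 10.1.1.10 is seen entering on two interfaces, and its peer's reply is
# dropped on eth2, which is the pattern the thread's last post describes.
SAMPLE_LOG = """\
action=accept inzone=eth1 src=10.1.1.10 dst=10.2.2.20 proto=tcp dport=443
action=accept inzone=eth2 src=10.1.1.10 dst=10.2.2.20 proto=tcp dport=443
action=drop inzone=eth2 src=10.2.2.20 dst=10.1.1.10 proto=tcp dport=51522
action=accept inzone=eth1 src=10.3.3.30 dst=10.2.2.20 proto=tcp dport=22
"""


def parse_line(line):
    """Split 'key=value key=value ...' into a dict."""
    return dict(field.split("=", 1) for field in line.split())


def analyse(log_text):
    """Return a list of findings describing asymmetric-path symptoms.

    ('multi_interface', src, dst, proto, [ifaces]): one direction of a flow
        entered the firewall on more than one interface (duplicated traffic).
    ('reply_dropped', src, dst, proto, iface): a drop whose reverse direction
        was accepted earlier, i.e. the reply came back through an interface
        the firewall did not expect; check the routing table on src.
    """
    inbound = defaultdict(set)   # (src, dst, proto) -> inbound interfaces seen
    accepted = set()             # (src, dst, proto) keys with an accept
    findings = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        f = parse_line(raw)
        key = (f["src"], f["dst"], f["proto"])
        inbound[key].add(f["inzone"])
        if f["action"] == "accept":
            accepted.add(key)
        elif f["action"] == "drop" and (key[1], key[0], key[2]) in accepted:
            findings.append(("reply_dropped", *key, f["inzone"]))
    for key, ifaces in inbound.items():
        if len(ifaces) > 1:
            findings.append(("multi_interface", *key, sorted(ifaces)))
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG):
        print(finding)
```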