02-15-2012 05:14 AM - edited 02-15-2012 05:34 AM
I am using ESI to force packets to go from the Aruba controller to a "firewall" for additional inspection. From there the packets are forwarded to their destination. However, if the packets are sent from one wireless client to another wireless client, they get routed back from the "firewall" to the same Arbua controller. At this point I get a TTL Timeout. It appears that, at the controller, the packet hits the ESI policy again and goes back to the "firewall" in an infinite loop. My policy rule specifies "forward" and it looks like this:
user any any redirect esi-group "MyFW" direction forward
I would appreciate any feedback on whether this a reasonable use of ESI and why I might be getting the infinite loop.
02-17-2012 11:09 AM
It sounds like a reasonable use of ESI to me. It has been a few years, but as I recall from the design of the feature, it was intended to have a packet come to the controller, get forwarded to the ESI server, then come back into the controller to get forwarded on to its destination. I would need to go back and look at notes on this this works to fully answer your question. Would it be possible to share more details around the design, including the ESI group configuration and a diagram of this portion of the network?
Jon Green, ACMX, CISSP
02-17-2012 12:23 PM - edited 02-17-2012 12:28 PM
Thank-you for the confirmation. Since posting this, I believe I fixed my problem. I had an asymmertic route between the controller and the firewall. That is the packet took one path/VLAN to the firewall and another path/VLAN back which I believe resulted in the following. The policy rule at the controller which forwards the packet is stateful. Therefore, when a packet first hits the policy, it is consider "forward" traffic and is redirected via an interface to the external firewall. If the packet comes back on the same interface, then it is considered as "reverse" and is not redirected. This is the correct behaviour for my configuration. In my case, the packet came back on another interface (VLAN) and was considered as "forward" again so the controller redirected the frame back to the external firewall, causing the infinite loop with TTL error. When I fixed the asymmertry, it appears to work OK.