Comware

Security Zones + RAGG = Missing Packets

  • 1.  Security Zones + RAGG = Missing Packets

    Posted Oct 11, 2021 09:03 AM

    With Halloween coming up, I suppose it is appropriate that I am facing an issue with some very mysterious "ghost packets", but hoping someone can help point me in the right direction here...

    Configuration: 2x HSR6800 in IRF mode, with a Route Aggregation interface across four xge physical interfaces (two from each chassis, both on same card) to a pair of 5950s also in IRF and also with a matching Route Aggregation interface. Using a 192.168.x.x/29 between the two sides, as well as LACP.

    Issue: When adding the RAGG interface to the Trust security zone, a ping from the router console to the switch RAGG IP fails. However, a ping from the switch to the router RAGG address is successful. Removing the RAGG from the zone on the router restores ping functionality on the router console (ping is successful).

    Security zone pairs are set with "permit ip" settings added as follows:
    Trust-Local
    Local-Trust
    Local-Local
    Trust-Trust

    Also have added an aspf policy (with no protocols selected) to each zone pair to aid in debugging this.

    I have tried having all four physical interfaces in the Trust zone and removed from the Trust zone with no impact on this behavior.

    I have also tested a second set of four physical interfaces in a different slot (again 2 per chassis) containing a different card type, but otherwise identically configured, and have observed the same result.

    Observations:

    Router NTP client can successfully sync to an NTP server connected to the 5950s. Aspf sessions are created and logged with the outgoing address that of the RAGG interface on the router.

    While running remote packet capture (to wireshark) on the router interface(s), I can see

    • ping request packets from the switch to the router when initiating ping requests from the switch console, but no responses.  However, switch console logs successful ping responses.
    • ping response packets from the switch to the router when initiating ping requests from the router console, but not outgoing ping packets. However, despite the packets transiting the physical interface, the router console records all pings as failed (100% loss).

    Using "display aspf session", I can see an ICMP session created for the ping sourced from the router, but not for the return traffic. I can also see sessions for the ping sourced from the switch with the router RAGG interface listed as the "source" interface and the RAGG IP address listed as the destination IP as expected.

    Adding a "permit icmp" as the first step of the acl used on all zone pairs, and then looking at rule counters, I note that the ICMP rule counter will increment for both the request & response (i.e. by 10 for a default 5 request ping run) when pinging from the router console. So the ACL at least is seeing and matching the packets.

    -------

    So, as you can see, I'm at a bit of a loss here - the packets are being sent from the router, but then dropped on the response. Or, conversely, I have packets somehow transiting an interface but not being captured, which gives me pause as to whether the security zones are actually effective or traffic is somehow bypassing the security module.

    In either case, this appears to be some sort of issue between security zones and route aggregation. Any ideas for how to fix this or other troubleshooting approaches I should try...? Is there any special configuration needed when using RAGG with zones?

    Thanks!


    #Switch_Router_Interconnect
    #Commware
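The zone-pair layout the post describes (Trust/Local in both directions, a permit-ip ACL on each pair, an ASPF policy applied to each pair, and a leading permit-icmp rule whose counters can be watched), written out as an added Comware 7 configuration sketch. This is not the poster's configuration: the ACL number, rule numbers and ASPF policy number are assumptions, the Local-Local and Trust-Trust pairs the post mentions are omitted, and the `counting` keyword is included because without it `display acl` shows no per-rule match counts.

```text
acl advanced 3000
 rule 0 permit icmp counting
 rule 5 permit ip counting
#
security-zone name Trust
 import interface Route-Aggregation 1
#
aspf policy 1
#
zone-pair security source Trust destination Local
 packet-filter 3000
 aspf apply policy 1
#
zone-pair security source Local destination Trust
 packet-filter 3000
 aspf apply policy 1
#
```

With this in place, `display acl 3000` shows the per-rule match counts (the "increments by 10 for a 5-packet ping" observation in the post), `display zone-pair security` confirms which ACL and ASPF policy each pair carries, and `display aspf session` lists the sessions ASPF has created. Traffic that originates on the router itself (console ping, NTP client) is Local-zone traffic, so the Local-Trust and Trust-Local pairs are the ones that matter for the symptom described.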


  • 2.  RE: Security Zones + RAGG = Missing Packets

    Posted Oct 12, 2021 10:24 PM
    Hello,

    Can you share the network topology and the `display log` output from both stacks?

    Thanks!


  • 3.  RE: Security Zones + RAGG = Missing Packets

    Posted Oct 15, 2021 10:15 PM

    Hi,

    Here's a graphical view of the general network architecture as it relates to the routers and adjacent switches.

    [Image: Screenshot 2021-10-15 205727.jpg]

    Log buffer: Enabled
    Max buffer size: 1024
    Actual buffer size: 512
    Dropped messages: 0
    Overwritten messages: 864
    Current messages: 512
    %Oct 16 02:05:53:520 2021 HPE SHELL/6/SHELL_CMD: -Line=con1/0-IPAddr=**-User=**; Command is display security-zone
    %Oct 16 02:05:43:694 2021 HPE PING/6/PING_STATISTICS: Ping statistics for 192.168.1.1: 5 packet(s) transmitted, 0 packet(s) received, 100.0% packet loss.
    %Oct 16 02:05:32:665 2021 HPE SHELL/6/SHELL_CMD: -Line=con1/0-IPAddr=**-User=**; Command is ping 192.168.1.1
    %Oct 16 02:05:29:655 2021 HPE SHELL/6/SHELL_CMD: -Line=con1/0-IPAddr=**-User=**; Command is quit
    %Oct 16 02:05:28:256 2021 HPE SHELL/6/SHELL_CMD: -Line=con1/0-IPAddr=**-User=**; Command is import interface Route-Aggregation 1
    %Oct 16 02:05:16:332 2021 HPE SHELL/6/SHELL_CMD: -Line=con1/0-IPAddr=**-User=**; Command is security-zone name Trust
    %Oct 16 02:05:09:702 2021 HPE PING/6/PING_STATISTICS: Ping statistics for 192.168.1.1: 5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss, round-trip min/avg/max/std-dev = 1.017/1.078/1.180/0.055 ms.
    %Oct 16 02:05:08:872 2021 HPE SHELL/6/SHELL_CMD: -Line=con1/0-IPAddr=**-User=**; Command is ping 192.168.1.1
    %Oct 16 02:04:56:665 2021 HPE SHELL/6/SHELL_CMD: -Line=con1/0-IPAddr=**-User=**; Command is quit
    %Oct 16 02:04:54:187 2021 HPE SHELL/6/SHELL_CMD: -Line=con1/0-IPAddr=**-User=**; Command is undo import interface Route-Aggregation 1
    %Oct 16 02:04:43:554 2021 HPE SHELL/6/SHELL_CMD: -Line=con1/0-IPAddr=**-User=**; Command is security-zone name Trust
    %Oct 16 02:04:33:620 2021 HPE SHELL/6/SHELL_CMD: -Line=con1/0-IPAddr=**-User=**; Command is system-view

    Security Zones:

    [HPE]display security-zone
    Name: Local
    Members:
      None
    
    Name: Trust
    Members:
      Ten-GigabitEthernet1/2/0/0
      Ten-GigabitEthernet1/2/0/1
      Ten-GigabitEthernet2/2/0/0
      Ten-GigabitEthernet2/2/0/1
      Route-Aggregation1
    
    Name: DMZ
    Members:
      Ten-GigabitEthernet1/3/0/0
      Ten-GigabitEthernet1/3/0/1
      Ten-GigabitEthernet2/3/0/0
      Ten-GigabitEthernet2/3/0/1
      Route-Aggregation2
    
    Name: Untrust
    Members:
      None
    
    Name: Management
    Members:
      M-GigabitEthernet1/0/0/0

     

    Let me know if there are any questions on this.  Thanks for taking a look!
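The log buffer above is printed newest-first and mixes the operator's shell commands with the ping results, which makes the before/after comparison easy to misread. The following added example (not code from the thread or from HPE) parses that Comware syslog format, replays the buffer oldest-first while following the `security-zone name` / `import interface` / `undo import interface` / `quit` commands, and stamps each `PING_STATISTICS` line with the zones `Route-Aggregation1` was in at that moment. It also parses the `display security-zone` snapshot so the replayed end state can be checked against it. The sample inputs are constructed from the lines posted above; the interface-name normalisation (`Route-Aggregation 1` on the CLI versus `Route-Aggregation1` in `display` output) is the one assumption the parser makes.

```python
"""Replay a Comware log buffer so every ping result is tagged with the security-zone
membership in force at that moment.  Added example, not code from the thread."""
import re
from datetime import datetime

# Constructed sample input: the `display logbuffer` lines posted in the thread
# (newest first, as Comware prints them; the replay sorts them).
LOGBUFFER = """\
%Oct 16 02:05:53:520 2021 HPE SHELL/6/SHELL_CMD: -Line=con1/0-IPAddr=**-User=**; Command is display security-zone
%Oct 16 02:05:43:694 2021 HPE PING/6/PING_STATISTICS: Ping statistics for 192.168.1.1: 5 packet(s) transmitted, 0 packet(s) received, 100.0% packet loss.
%Oct 16 02:05:32:665 2021 HPE SHELL/6/SHELL_CMD: -Line=con1/0-IPAddr=**-User=**; Command is ping 192.168.1.1
%Oct 16 02:05:29:655 2021 HPE SHELL/6/SHELL_CMD: -Line=con1/0-IPAddr=**-User=**; Command is quit
%Oct 16 02:05:28:256 2021 HPE SHELL/6/SHELL_CMD: -Line=con1/0-IPAddr=**-User=**; Command is import interface Route-Aggregation 1
%Oct 16 02:05:16:332 2021 HPE SHELL/6/SHELL_CMD: -Line=con1/0-IPAddr=**-User=**; Command is security-zone name Trust
%Oct 16 02:05:09:702 2021 HPE PING/6/PING_STATISTICS: Ping statistics for 192.168.1.1: 5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss, round-trip min/avg/max/std-dev = 1.017/1.078/1.180/0.055 ms.
%Oct 16 02:05:08:872 2021 HPE SHELL/6/SHELL_CMD: -Line=con1/0-IPAddr=**-User=**; Command is ping 192.168.1.1
%Oct 16 02:04:56:665 2021 HPE SHELL/6/SHELL_CMD: -Line=con1/0-IPAddr=**-User=**; Command is quit
%Oct 16 02:04:54:187 2021 HPE SHELL/6/SHELL_CMD: -Line=con1/0-IPAddr=**-User=**; Command is undo import interface Route-Aggregation 1
%Oct 16 02:04:43:554 2021 HPE SHELL/6/SHELL_CMD: -Line=con1/0-IPAddr=**-User=**; Command is security-zone name Trust
%Oct 16 02:04:33:620 2021 HPE SHELL/6/SHELL_CMD: -Line=con1/0-IPAddr=**-User=**; Command is system-view
"""
# Constructed sample input: excerpt of the `display security-zone` output.
SECURITY_ZONES = """\
Name: Local
Members:
  None

Name: Trust
Members:
  Ten-GigabitEthernet1/2/0/0
  Route-Aggregation1
"""
# Comware syslog shape: %Mon DD HH:MM:SS:mmm YYYY Sysname MODULE/SEV/MNEMONIC: message
LINE_RE = re.compile(r"^%(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d:\d{3} \d{4}) "
                     r"\S+ (?P<mod>\w+)/\d/(?P<mnem>\w+): (?P<msg>.*)$")
CMD_RE = re.compile(r"Command is (?P<cmd>.+)$")
PING_RE = re.compile(r"Ping statistics for (?P<dst>\S+): (?P<tx>\d+) packet\(s\) "
                     r"transmitted, (?P<rx>\d+) packet\(s\) received")


def norm_if(name):
    """Assumption: CLI 'Route-Aggregation 1' and display 'Route-Aggregation1' are one interface."""
    return re.sub(r"\s+", "", name)


def parse_logbuffer(text):
    """Recognised log lines as dicts, sorted oldest first."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(re.sub(r"\s+", " ", m["ts"]), "%b %d %H:%M:%S:%f %Y")
            events.append({"ts": ts, "mnemonic": m["mnem"], "msg": m["msg"]})
    return sorted(events, key=lambda e: e["ts"])


def parse_security_zones(text):
    """Zone name -> set of member interfaces, from `display security-zone`."""
    zones, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("Name:"):
            current = line.split(":", 1)[1].strip()
            zones[current] = set()
        elif current and line and line not in ("Members:", "None"):
            zones[current].add(norm_if(line))
    return zones


def replay(events, interface="Route-Aggregation1"):
    """Follow the operator through zone views and their import / undo import commands,
    and record for each PING_STATISTICS line which zones `interface` was then in.
    Returns (ping_results, membership learned from the commands)."""
    zone_view, membership, results = None, {}, []
    for e in events:
        if e["mnemonic"] == "SHELL_CMD":
            m = CMD_RE.search(e["msg"])
            cmd = m["cmd"].strip() if m else ""
            if cmd.startswith("security-zone name "):
                zone_view = cmd.split()[-1]
                membership.setdefault(zone_view, set())
            elif cmd == "quit":
                zone_view = None
            elif zone_view and cmd.startswith("undo import interface "):
                membership[zone_view].discard(norm_if(cmd[len("undo import interface "):]))
            elif zone_view and cmd.startswith("import interface "):
                membership[zone_view].add(norm_if(cmd[len("import interface "):]))
        elif e["mnemonic"] == "PING_STATISTICS" and (p := PING_RE.search(e["msg"])):
            tx, rx = int(p["tx"]), int(p["rx"])
            results.append({"ts": e["ts"], "dst": p["dst"],
                            "loss_pct": round(100.0 * (tx - rx) / tx, 1) if tx else None,
                            "in_zones": sorted(z for z, ifs in membership.items()
                                               if interface in ifs)})
    return results, membership


if __name__ == "__main__":
    pings, learned = replay(parse_logbuffer(LOGBUFFER))
    for r in pings:
        print(f"{r['ts']:%H:%M:%S} ping {r['dst']}: {r['loss_pct']}% loss; "
              f"Route-Aggregation1 in {r['in_zones'] or 'no zone'}")
    # The zones learned from the replay must agree with the snapshot taken afterwards.
    print("matches snapshot:", learned["Trust"] <= parse_security_zones(SECURITY_ZONES)["Trust"])
```

Run against the posted buffer, the replay yields two ping results: 0.0% loss while `Route-Aggregation1` was in no zone, then 100.0% loss once it had been imported into Trust, which is exactly the dependency the first post describes. The same replay can be pointed at a larger buffer (or a syslog export) to confirm that no other zone or interface change happened between the two pings, which is the first thing to rule out before blaming the RAGG/zone combination.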



  • 4.  RE: Security Zones + RAGG = Missing Packets

    Posted Nov 23, 2021 07:23 PM
    Hi, now that this is over on the Aruba forums, I thought I would bump it to see if anyone has any insight into this issue and how to resolve it...?

    Thanks!