With Halloween coming up, I suppose it is appropriate that I am facing an issue with some very mysterious "ghost packets", but hoping someone can help point me in the right direction here...
Configuration: 2x HSR6800 in IRF mode, with a Route Aggregation interface across four xge physical interfaces (two from each chassis, both on same card) to a pair of 5950s also in IRF and also with a matching Route Aggregation interface. Using a 192.168.x.x/29 between the two sides, as well as LACP.
Issue: When adding the RAGG interface to the Trust security zone, a ping from the router console to the switch RAGG IP fails. However, a ping from the switch to the router RAGG address is successful. Removing the RAGG from the zone on the router restores ping functionality on the router console (ping is successful).
Security zone pairs are set with "permit ip" settings added as follows:
Trust-Local
Local-Trust
Local-Local
Trust-Trust
Also have added an aspf policy (with no protocols selected) to each zone pair to aid in debugging this.
I have tried having all four physical interfaces in the Trust zone and removed from the Trust zone with no impact on this behavior.
I have also tested a second set of four physical interfaces in a different slot (again 2 per chassis) containing a different card type, but otherwise identically configured, and have observed the same result.
Observations:
Router NTP client can successfully sync to an NTP server connected to the 5950s. Aspf sessions are created and logged with the outgoing address that of the RAGG interface on the router.
While running remote packet capture (to wireshark) on the router interface(s), I can see
- ping request packets from the switch to the router when initiating ping requests from the switch console, but no responses. However, switch console logs successful ping responses.
- ping response packets from the switch to the router when initiating ping requests from the router console, but not out-going ping packets. However, despite the packets transiting the physical interface, the router console records all pings as failed (100% loss).
Using "display aspf session", I can see an ICMP session created for the ping sourced from the router, but not for the return traffic. I can also see sessions for the ping sourced from the switch with the router RAGG interface listed as the "source" interface and the RAGG IP address listed as the destination IP as expected.
Adding a "permit icmp" as the first step of the acl used on all zone pairs, and then looking at rule counters, I note that the ICMP rule counter will increment for both the request & response (i.e. by 10 for a default 5 request ping run) when pinging from the router console. So the ACL at least is seeing and matching the packets.
-------
So, as you can see, I'm at a bit of a loss here - the packets are being sent from the router, but then dropped on the response. Or, conversely, I have packets somehow transiting an interface but not being captured, which gives me pause as to whether the security zones are actually effective or traffic is somehow bypassing the security module.
In either case, this appears to be some sort of issue between security zones and route aggregation. Any ideas for how to fix this or other troubleshooting approaches I should try...? Is there any special configuration needed when using RAGG with zones?
Thanks!
#Switch_Router_Interconnect#Commware
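For reference, here is an added configuration sketch (not taken from the original post) of the router-side setup the question describes: the RAGG interface imported into Trust, the four zone pairs with a "permit ip" filter, an empty ASPF policy applied to each pair, and a "permit icmp" rule placed first so its counter can be read with "display acl". Interface numbers, ACL number, policy number and addresses are assumed; the syntax is Comware 7 as understood here and should be checked against the platform's command reference.

```text
#
interface Route-Aggregation1
 ip address 192.168.10.1 255.255.255.248
 link-aggregation mode dynamic
#
interface Ten-GigabitEthernet1/2/0/1
 port link-aggregation group 1
#
security-zone name Trust
 import interface Route-Aggregation1
#
acl advanced 3000
 rule 0 permit icmp
 rule 5 permit ip
#
aspf policy 1
#
zone-pair security source Trust destination Local
 packet-filter 3000
 aspf apply policy 1
#
zone-pair security source Local destination Trust
 packet-filter 3000
 aspf apply policy 1
#
zone-pair security source Local destination Local
 packet-filter 3000
 aspf apply policy 1
#
zone-pair security source Trust destination Trust
 packet-filter 3000
 aspf apply policy 1
#
```

With this in place, "display acl 3000" shows the per-rule match counters and "display aspf session ipv4" shows the sessions, which is what the observations above were read from.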