Hairpinning traffic out the same interface

 
 
patrickjmurphy@gmail.com
Guest
Posts: n/a
 
      01-29-2009
Hello All:

We are in the middle of a migration and currently our remote site
hosts point to a firewall for their default gateway. The site is just
one subnet/flat LAN. We are changing that so that a newly installed
router is the default gateway. The router has an interface on the
same subnet/LAN as the firewall. On the router, we have a default
static route pointing to the firewall. So, when traffic is initiated, it
will hit the router first and then hairpin back out the same interface
to the firewall.

When we change the default gateway to the router, the host appears to
operate OK. However, after a while (30 mins or more), traffic appears
to stop flowing. I've tried it with ip redirects on and off. I know
I am missing something simple. Could it be that the firewall does not
like part of the flow to come through the router?

Any help is much appreciated!

Thanks,
Patrick
 
Thrill5
Guest
Posts: n/a
 
      01-30-2009

What is probably happening is that the firewall is getting confused about
the MAC addresses of the clients. The MAC addresses of the clients' IP
addresses are seen as the MAC address of the router, but if the firewall
ARPs the IP the client will reply and it will change. It will then see the
source MAC of the client's IP as the router again the next time the router
forwards a packet for the client. The firewall could be seeing this as some
type of MAC DoS attack or some other problem. This is only speculation and
you need to confirm this by looking at the firewall logs and checking the
ARP cache on the firewall. My suggestion is to put the firewall on a
different subnet, as this will definitely fix the problem. Hairpinning IP
traffic is a VERY BAD practice and should be avoided at all costs because it
can cause weird unexpected behaviour, just as you are seeing.


 
patrickjmurphy@gmail.com
Guest
Posts: n/a
 
      01-30-2009
On Jan 30, 1:19 am, "Thrill5" <(E-Mail Removed)> wrote:

Thanks for the help. I definitely agree, this is not a recommended
design, but we don't have access to the firewall and/or are not able
to make changes to them. It makes sense what you said about the
firewall thinking it is a DoS because of the different MACs. I have
made a temporary workaround for the few servers that are having the
issue. We've added some persistent routes to the servers. I know, I
don't like it either, but it will get us through the migration period
when the firewall will get removed. Thanks again.

Patrick
 
bod43
Guest
Posts: n/a
 
      01-31-2009
On 30 Jan, 20:29, (E-Mail Removed) wrote:

About the only thing that springs to mind is that you
may have a duplicate IP address with the new gateway.

I have not worked with many different kinds of firewall
in depth, Checkpoint FireWall-1 and Cisco router and PIX only,
however since a firewall is a L3+ device I cannot see any
firewall caring about MAC addresses. I have certainly
never heard of it or encountered it.

When it stops working check the ARP tables
to check for duplicate IPs. Record them when they
are working and then verify when it breaks. Check
hosts, firewall, router.

I have used router on a stick a few times
for the purposes of migration and otherwise and had
no issues such as you are seeing.

Oh - unless maybe you have a load balancing
firewall cluster? I think it might be possible that
it could go wrong there.

 
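One way to do the record-and-compare check bod43 suggests, and at the same time to spot the client-IP-behind-router-MAC confusion Thrill5 describes, as an added example that is not code from any poster in this thread: the script parses ARP snapshots in Cisco `show arp` or Linux/Windows `arp -a` form and reports entries whose MAC changed between a working and a broken snapshot, IPs that different devices resolve to different MACs, and MACs claimed by several IPs in one table. All addresses and MACs are constructed sample data.

```python
# Added example (not from the thread): compare ARP snapshots taken while the hairpin works and after it breaks.
import re
from collections import defaultdict

# One entry per line: an IPv4 address followed later by a MAC in Cisco dotted, colon or
# dash notation, so `show arp`, Linux `arp -a` and Windows `arp -a` output all parse.
_ENTRY = re.compile(
    r"(\d{1,3}(?:\.\d{1,3}){3}).*?"
    r"([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}|(?:[0-9a-f]{2}[:-]){5}[0-9a-f]{2})", re.I)

def normalize_mac(mac):
    digits = re.sub(r"[.:-]", "", mac).lower()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def parse_arp(text):
    """Return {ip: mac} for one device's ARP table; lines without a MAC are skipped."""
    table = {}
    for line in text.splitlines():
        m = _ENTRY.search(line)
        if m:
            table[m.group(1)] = normalize_mac(m.group(2))
    return table

def changed_entries(good, broken):
    """IPs whose MAC differs between the working and the broken snapshot of one device."""
    return {ip: (good[ip], broken[ip]) for ip in good if ip in broken and good[ip] != broken[ip]}

def conflicting_ips(tables):
    """IPs that different devices resolve to different MACs (duplicate IP, or client IP behind router MAC)."""
    seen = defaultdict(set)
    for table in tables.values():
        for ip, mac in table.items():
            seen[ip].add(mac)
    return {ip: macs for ip, macs in seen.items() if len(macs) > 1}

def shared_macs(table):
    """MACs claimed by more than one IP in one table (router MAC against client IPs: Thrill5's symptom)."""
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}

# Constructed snapshots: 10.1.1.2 is the router, 10.1.1.50 a server; HOST_ARP is another LAN host's table.
FIREWALL_OK = """Internet  10.1.1.2   5   0011.2233.4402  ARPA  inside
Internet  10.1.1.50  12  0011.2233.4450  ARPA  inside"""
FIREWALL_BROKEN = """Internet  10.1.1.2   7   0011.2233.4402  ARPA  inside
Internet  10.1.1.50  1   0011.2233.4402  ARPA  inside"""
HOST_ARP = """? (10.1.1.2) at 00:11:22:33:44:02 [ether] on eth0
? (10.1.1.50) at 00:11:22:33:44:50 [ether] on eth0"""
```

Feed `parse_arp` the pasted output of each device's ARP table at the two points in time; an entry in `changed_entries` or `shared_macs` whose new MAC is the router's is the behaviour Thrill5 expects, while an IP in `conflicting_ips` with two non-router MACs points at bod43's duplicate address.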
 
 
 