Hairpinning traffic out the same interface

Discussion in 'Cisco' started by patrickjmurphy@gmail.com, Jan 29, 2009.

  1. Guest

    Hello All:

    We are in the middle of a migration and currently our remote site
    hosts point to a firewall for their default gateway. The site is just
    one subnet/flat LAN. We are changing that so that a newly installed
    router is the default gateway. The router has an interface on the
    same subnet/LAN as the firewall. On the router, we have a default
    static route pointing to the firewall. So, when traffic is initiated, it
    will hit the router first and then hairpin back out the same interface
    to the firewall.

    When we change the default gateway to the router, the host appears to
    operate ok. However, after a while (30mins or more), traffic appears
    to stop flowing. I've tried it with ip redirects on and off. I know
    I am missing something simple. Could it be that the firewall does not
    like part of the flow to come through the router?

    Any help is much appreciated!

    Thanks,
    Patrick
     
    , Jan 29, 2009
    #1

  2. Thrill5 Guest

    <> wrote in message
    news:...
    > Hello All:
    >
    > We are in the middle of a migration and currently our remote site
    > hosts point to a firewall for their default gateway. The site is just
    > one subnet/flat LAN. We are changing that so that a newly installed
    > router is the default gateway. The router has an interface on the
    > same subnet/LAN as the firewall. On the router, we have a default
    > static route pointing to the firewall. So, when traffic is initiated, it
    > will hit the router first and then hairpin back out the same interface
    > to the firewall.
    >
    > When we change the default gateway to the router, the host appears to
    > operate ok. However, after a while (30mins or more), traffic appears
    > to stop flowing. I've tried it with ip redirects on and off. I know
    > I am missing something simple. Could it be that the firewall does not
    > like part of the flow to come through the router?
    >
    > Any help is much appreciated!
    >
    > Thanks,
    > Patrick


    What is probably happening is that the firewall is getting confused about
    the MAC addresses of the clients. The MAC address of a client's IP
    address is seen as the MAC address of the router, but if the firewall
    ARPs the IP the client will reply and it will change. It will then see the
    source MAC of the client's IP as the router again the next time the router
    forwards a packet for the client. The firewall could be seeing this as some
    type of MAC DoS attack or some other problem. This is only speculation and
    you need to confirm this by looking at the firewall logs and checking the
    ARP cache on the firewall. My suggestion is to put the firewall on a
    different subnet, as this will definitely fix the problem. Hairpinning IP
    traffic is a VERY BAD practice and should be avoided at all costs because it
    can cause weird unexpected behaviour, just as you are seeing.
     
    Thrill5, Jan 30, 2009
    #2

  3. Guest

    On Jan 30, 1:19 am, "Thrill5" <> wrote:
    > What is probably happening is that the firewall is getting confused about
    > the MAC addresses of the clients. The MAC address of a client's IP
    > address is seen as the MAC address of the router, but if the firewall
    > ARPs the IP the client will reply and it will change. It will then see the
    > source MAC of the client's IP as the router again the next time the router
    > forwards a packet for the client. The firewall could be seeing this as some
    > type of MAC DoS attack or some other problem. This is only speculation and
    > you need to confirm this by looking at the firewall logs and checking the
    > ARP cache on the firewall. My suggestion is to put the firewall on a
    > different subnet, as this will definitely fix the problem. Hairpinning IP
    > traffic is a VERY BAD practice and should be avoided at all costs because it
    > can cause weird unexpected behaviour, just as you are seeing.


    Thanks for the help. I definitely agree, this is not a recommended
    design, but we don't have access to the firewall and/or are not able
    to make changes to them. It makes sense what you said about the
    firewall thinking it is a DoS because of the different MACs. I have
    made a temporary workaround for the few servers that are having the
    issue. We've added some persistent routes to the servers. I know, I
    don't like it either, but it will get us through the migration period
    when the firewall will get removed. Thanks again.

    Patrick
     
    , Jan 30, 2009
    #3
  4. bod43 Guest

    On 30 Jan, 20:29, wrote:
    > Thanks for the help. I definitely agree, this is not a recommended
    > design, but we don't have access to the firewall and/or are not able
    > to make changes to them. It makes sense what you said about the
    > firewall thinking it is a DoS because of the different MACs. I have
    > made a temporary workaround for the few servers that are having the
    > issue. We've added some persistent routes to the servers. I know, I
    > don't like it either, but it will get us through the migration period
    > when the firewall will get removed. Thanks again.


    About the only thing that springs to mind is that you
    may have a duplicate IP address with the new gateway.

    I have not worked with many different kinds of firewall
    in depth, Checkpoint FireWall-1 and Cisco router and PIX only,
    however since a firewall is a L3+ device I cannot see any
    firewall caring about MAC addresses. I have certainly
    never heard of it or encountered it.

    When it stops working check the ARP tables
    to check for duplicate IPs. Record them when they
    are working and then verify when it breaks. Check
    hosts, firewall, router.

    I have used router on a stick a few times
    for the purposes of migration and otherwise and had
    no issues such as you are seeing.

    Oh - unless maybe you have a load balancing
    firewall cluster? I think it might be possible that
    it could go wrong there.
     
    bod43, Jan 31, 2009
    #4
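The mechanism Thrill5 describes (the firewall seeing one client IP behind the router's MAC on forwarded packets and behind the client's own MAC on ARP replies) and the check bod43 recommends (record ARP tables while it works, compare when it breaks, across host, firewall and router) can both be exercised with the following added example. This is not code from the thread or from any vendor: the addresses are constructed (192.0.2.0/24 documentation range, made-up MACs), the ARP snapshot format is a constructed `<ip> <mac>` layout rather than any device's `show arp` output, and the frame list is a hand-built model of the hairpin path.

```python
"""Checks for the symptom discussed in the thread: one IP address showing up
behind two different MAC addresses once a router hairpins traffic back out
the same interface. Constructed example; not code from the thread.
"""
from collections import defaultdict

# Constructed addresses for the thread's topology: host, router and
# firewall all share one flat subnet.
HOST_IP, HOST_MAC = "192.0.2.10", "00:00:5e:00:53:10"
ROUTER_MAC = "00:00:5e:00:53:01"


def hairpin_frames_seen_by_firewall():
    """Frames the firewall sees for the host's IP when the router hairpins.

    A packet forwarded by the router keeps the host's source IP but carries
    the router's source MAC; an ARP reply from the host itself carries the
    host's MAC. Tuples are (src_mac, src_ip, kind), constructed here."""
    return [
        (ROUTER_MAC, HOST_IP, "ip"),        # host -> router -> firewall
        (HOST_MAC, HOST_IP, "arp-reply"),   # firewall ARPed the host directly
        (ROUTER_MAC, HOST_IP, "ip"),        # next forwarded packet flips it back
    ]


def mac_flaps(frames):
    """Map each source IP seen behind more than one source MAC to its MACs."""
    seen = defaultdict(set)
    for src_mac, src_ip, _kind in frames:
        seen[src_ip].add(src_mac)
    return {ip: sorted(macs) for ip, macs in seen.items() if len(macs) > 1}


# Constructed ARP snapshots in a simple "<ip> <mac>" format (one entry per
# line, '#' starts a comment). Real 'show arp' output differs per vendor.
FW_ARP_WORKING = """
192.0.2.1     00:00:5e:00:53:01
192.0.2.10    00:00:5e:00:53:10
"""

FW_ARP_BROKEN = """
192.0.2.1     00:00:5e:00:53:01
192.0.2.10    00:00:5e:00:53:01   # host IP now learned from the router's frames
"""

ROUTER_ARP = """
192.0.2.10    00:00:5e:00:53:10
192.0.2.254   00:00:5e:00:53:fe
"""


def parse_arp_table(text):
    """Parse the constructed snapshot format into {ip: mac}."""
    table = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 2:
            table[fields[0]] = fields[1].lower()
    return table


def arp_diff(before, after):
    """Entries whose MAC changed between a working and a broken snapshot."""
    return {
        ip: (before[ip], after[ip])
        for ip in before
        if ip in after and before[ip] != after[ip]
    }


def cross_device_conflicts(tables):
    """Given {device: {ip: mac}}, return IPs that different devices resolve
    to different MACs, as {ip: {device: mac}}. A duplicate IP or a hairpin
    shows up here as the router and firewall disagreeing about one host."""
    views = defaultdict(dict)
    for device, table in tables.items():
        for ip, mac in table.items():
            views[ip][device] = mac
    return {ip: v for ip, v in views.items() if len(set(v.values())) > 1}


if __name__ == "__main__":
    print("IPs flapping between MACs on the wire:",
          mac_flaps(hairpin_frames_seen_by_firewall()))
    print("firewall ARP entries that changed:",
          arp_diff(parse_arp_table(FW_ARP_WORKING), parse_arp_table(FW_ARP_BROKEN)))
    print("router vs. firewall disagreements:",
          cross_device_conflicts({"router": parse_arp_table(ROUTER_ARP),
                                  "firewall": parse_arp_table(FW_ARP_BROKEN)}))
```

To use this against real equipment, replace the constructed snapshot strings with ARP output captured while the site works and again after traffic stops, normalising each vendor's column layout into the `<ip> <mac>` form first; an entry for a host that moves to the router's MAC, or a host IP the router and firewall resolve differently, is the evidence both replies say to look for before blaming the firewall.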