SurfControl not blocking across Cisco router

Discussion in 'Cisco' started by shane.dammen, Aug 10, 2006.

  1. shane.dammen

    shane.dammen Guest

    My apologies up front for the long post. In order to troubleshoot this
    I need to give quite a bit of background.

    We are using SurfControl at my company to monitor and filter web
    traffic. Inappropriate web traffic is correctly blocked for users on
    the same LAN as the SurfControl server, but across a router hop it is
    not working. The web surfing of the users across the router hop is
    being recorded correctly, so SurfControl sees it, but it is not being
    blocked.

    SurfControl works using a secondary NIC that is attached to a SPAN port
    that mirrors the traffic from my firewall's inside interface. When it
    sees traffic to a prohibited site, the SurfControl server spoofs the IP
    of the client and sends a RST packet to the web server from the SC
    server's primary NIC. It also spoofs the IP of the web server and
    sends an 'Access Denied' web page and a RST packet to the client. This
    works great for users on the same LAN as SurfControl, and it used to
    work fine over the router hop, but it doesn't work over the router hop
    any more. Unfortunately I can't pin down a date or event that caused
    this to stop working. Users usually don't tell us when it's not
    blocking. :)

    The SurfControl server is on a 6509 with a Sup720 running 12.2(18)SXF4.
    The 6509 has a virtual interface that is the default gateway for the
    LAN the SC server is on. The 6509 also has two gig fiber interfaces
    that make it part of a metro ring around our city. The router hop goes
    over the ring to a 6513, and I have verified through traces that the
    traffic is consistently taking the shortest path around the ring. The
    6513 also has a Sup720 with 12.2(18)SXF4.

    I sniffed the SurfControl primary NIC and surfed a forbidden page from
    a machine across the router hop and I verified that the SC server is
    sending out the RSTs as expected. I next sniffed the ring interface on
    the 6513 (the client side of the router hop) and verified that I'm not
    seeing the RST packets there. I then sniffed the ring interface on the
    6509 facing the 6513 and I did not see the RST packets. They don't
    appear to be leaving the 6509. When I look at the MAC addresses on the
    RST packets the destination MAC is the virtual router interface on the
    6513, so they should be going on the ring to the 6513. I checked the
    mac-address-table on the 6509 for that MAC and the 6509 knows traffic
    for that MAC should go out the ring interface. There is an access-list
    on the LAN gateway for the SC server, but it is only blocking Windows
    Networking. There are no access-lists on the ring interfaces.

    I am at a loss. If I was seeing the RST packets leave the 6509 and not
    get to the 6513 I would have all kinds of things to test, but I don't
    even see them leave the 6509. Any ideas?
     
    shane.dammen, Aug 10, 2006
    #1
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.