[AF] Active-active AF deployment with inconsistent forward and return paths caused by the customer's network environment (analysis)
Problem Description
The customer has two AF devices deployed in active-active (master-master) mode, replacing the original firewalls from another vendor. The server side has two network segments, the 5.0 segment and the 7.0 segment.
After the AFs were put into service, services on the 5.0 segment worked normally, but services on the 7.0 segment were unreachable. After global direct access was enabled, services on the 7.0 segment were restored.
Warning Info
Using the troubleshooting function on the firewall, it was found that packets to the .7 segment were being blocked by the default application control policy.

Effective troubleshooting steps
- First, in active-active mode a packet may enter through one AF and leave through the other, so the access failure could be caused by inconsistent forward and return paths. One AF was disconnected to rule this out. With a single device running, the symptom was unchanged.
- Second, an AF software problem was suspected (the device runs the Xinchuang build of version 8.0.71, which had not yet been formally released and had shown other problems before); specifically, the AF was suspected of intercepting the return packets. A test policy was therefore configured: allow packets from segment 7 to the external network, and deny packets from the external network to the internal network. Because return packets belong to the same session, the session mechanism should normally pass them without evaluating the application control policies. The test showed that the return packets were instead matched by the application control policy.
- Third, locate the specific problem through packet capture analysis. Capturing on the external and internal interfaces of the firewall showed that the source and destination MAC addresses of the packets sent out by the device did not match the source and destination MAC addresses of the return packets.
Outgoing packet capture:

Return packet capture:

After carefully checking the customer's network, we found serious problems in it that caused the return packets to take a different path from the outgoing packets.
Root cause
Because of the customer's network environment, the MAC addresses changed when the packets returned, so the return packets were not associated with the existing session. They were therefore evaluated against the policy list, matched the subsequent deny policy, and were intercepted by the AF. In effect, the AF had identified the reply packets as a new session.
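The test policy from the troubleshooting steps and the root cause above can be reproduced in a small model. This is an added example, not Sangfor code: a toy stateful firewall in which a reply matches an existing session only if it arrives on the interface the forward packet left through; the segment 192.168.7.0/24, the peer 203.0.113.5 and the interface names are constructed placeholders.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    sport: int
    dport: int
    in_iface: str          # interface the packet arrived on
    out_iface: str = ""    # forwarding decision for the forward direction (given, not computed)


class StatefulFirewall:
    """Toy model: session key is the 5-tuple plus the interface a reply is expected on."""

    def __init__(self, policies):
        # policies: (src_net, dst_net, action); first match wins,
        # anything unmatched falls through to the default deny
        self.policies = [(ipaddress.ip_network(s), ipaddress.ip_network(d), a)
                         for s, d, a in policies]
        self.sessions = {}  # (proto, src, sport, dst, dport) -> expected reply ingress iface

    def policy_action(self, pkt):
        src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
        for s_net, d_net, action in self.policies:
            if src in s_net and dst in d_net:
                return action
        return "deny"  # default application-control deny

    def handle(self, pkt):
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if rev in self.sessions and self.sessions[rev] == pkt.in_iface:
            return "pass (session match)"
        # No usable session: the packet is treated as a new flow and run through the policies
        action = self.policy_action(pkt)
        if action == "allow":
            self.sessions[key] = pkt.out_iface
        return action


def run_case(reply_iface):
    fw = StatefulFirewall([
        ("192.168.7.0/24", "0.0.0.0/0", "allow"),   # test policy: segment 7 -> external
        ("0.0.0.0/0", "192.168.0.0/16", "deny"),    # test policy: external -> internal
    ])
    fwd = Packet("tcp", "192.168.7.10", "203.0.113.5", 40000, 443, "lan", "wan1")
    reply = Packet("tcp", "203.0.113.5", "192.168.7.10", 443, 40000, reply_iface)
    return fw.handle(fwd), fw.handle(reply)


if __name__ == "__main__":
    print("symmetric :", run_case("wan1"))   # reply matches the session
    print("asymmetric:", run_case("wan2"))   # reply is a new flow and hits the deny rule
```

With a symmetric path the reply passes on the session; when it comes back a different way it is evaluated as a new flow and matched by the deny policy, which is the behaviour observed in the test.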
Solution
Assisted the customer with network troubleshooting to resolve the inconsistent forward and return paths in the network.
Suggestions and Conclusion
- Use the troubleshooting function to identify which module is performing the interception.
- Reproduce the symptom with the test IP and capture packets for analysis.
Original Link
https://support.sangfor.com.cn/cases/list?product_id=13&type=1&category_id=1982&isOpen=true