Comware Based

Security Zones + RAGG = Missing Packets

MikeM3
Occasional Contributor


With Halloween coming up, I suppose it is appropriate that I am facing an issue with some very mysterious "ghost packets", but hoping someone can help point me in the right direction here...

Configuration: 2x HSR6800 in IRF mode, with a Route Aggregation interface across four xge physical interfaces (two from each chassis, both on same card) to a pair of 5950s also in IRF and also with a matching Route Aggregation interface. Using a 192.168.x.x/29 between the two sides, as well as LACP.

Issue: When adding the RAGG interface to the Trust security zone, a ping from the router console to the switch RAGG IP fails. However, a ping from the switch to the router RAGG address is successful. Removing the RAGG from the zone on the router restores ping functionality on the router console (ping is successful).

Security zone pairs are set with "permit ip" settings added as follows:
Trust-Local
Local-Trust
Local-Local
Trust-Trust

Also have added an aspf policy (with no protocols selected) to each zone pair to aid in debugging this.

I have tried having all four physical interfaces in the Trust zone and removed from the Trust zone with no impact on this behavior.

I have also tested a second set of four physical interfaces in a different slot (again 2 per chassis) containing a different card type, but otherwise identically configured, and have observed the same result.

Observations:

Router NTP client can successfully sync to an NTP server connected to the 5950s. Aspf sessions are created and logged with the outgoing address that of the RAGG interface on the router.

While running remote packet capture (to wireshark) on the router interface(s), I can see

  • ping request packets from the switch to the router when initiating ping requests from the switch console, but no responses.  However, switch console logs successful ping responses.
  • ping response packets from the switch to the router when initiating ping requests from the router console, but not outgoing ping packets. However, despite the packets transiting the physical interface, the router console records all pings as failed (100% loss).

Using "display aspf session", I can see an ICMP session created for the ping sourced from the router, but not for the return traffic. I can also see sessions for the ping sourced from the switch with the router RAGG interface listed as the "source" interface and the RAGG IP address listed as the destination IP as expected.

Adding a "permit icmp" as the first step of the acl used on all zone pairs, and then looking at rule counters, I note that the ICMP rule counter will increment for both the request & response (i.e. by 10 for a default 5 request ping run) when pinging from the router console. So the ACL at least is seeing and matching the packets.

-------

So, as you can see, I'm at a bit of a loss here - the packets are being sent from the router, but then dropped on the response. Or, conversely, I have packets somehow transiting an interface but not being captured, which gives me pause as to whether the security zones are actually effective or traffic is somehow bypassing the security module.

In either case, this appears to be some sort of issue between security zones and route aggregation. Any ideas for how to fix this or other troubleshooting approaches I should try...? Is there any special configuration needed when using RAGG with zones?

Thanks!

2 REPLIES
akg7
HPE Pro

Re: Security Zones + RAGG = Missing Packets

Hello,

Can you share network topology and display log from both stacks?

Thanks!
Note: While I am an HPE Employee, all of my comments (whether noted or not) are my own and are not any official representation of the company.
MikeM3
Occasional Contributor

Re: Security Zones + RAGG = Missing Packets

Hi,

Here's a graphical view of the general network architecture as it relates to the routers and adjacent switches.

[Image attachment: Screenshot 2021-10-15 205727.jpg]

Log buffer: Enabled
Max buffer size: 1024
Actual buffer size: 512
Dropped messages: 0
Overwritten messages: 864
Current messages: 512
%Oct 16 02:05:53:520 2021 HPE SHELL/6/SHELL_CMD: -Line=con1/0-IPAddr=**-User=**; Command is display security-zone
%Oct 16 02:05:43:694 2021 HPE PING/6/PING_STATISTICS: Ping statistics for 192.168.1.1: 5 packet(s) transmitted, 0 packet(s) received, 100.0% packet loss.
%Oct 16 02:05:32:665 2021 HPE SHELL/6/SHELL_CMD: -Line=con1/0-IPAddr=**-User=**; Command is ping 192.168.1.1
%Oct 16 02:05:29:655 2021 HPE SHELL/6/SHELL_CMD: -Line=con1/0-IPAddr=**-User=**; Command is quit
%Oct 16 02:05:28:256 2021 HPE SHELL/6/SHELL_CMD: -Line=con1/0-IPAddr=**-User=**; Command is import interface Route-Aggregation 1
%Oct 16 02:05:16:332 2021 HPE SHELL/6/SHELL_CMD: -Line=con1/0-IPAddr=**-User=**; Command is security-zone name Trust
%Oct 16 02:05:09:702 2021 HPE PING/6/PING_STATISTICS: Ping statistics for 192.168.1.1: 5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss, round-trip min/avg/max/std-dev = 1.017/1.078/1.180/0.055 ms.
%Oct 16 02:05:08:872 2021 HPE SHELL/6/SHELL_CMD: -Line=con1/0-IPAddr=**-User=**; Command is ping 192.168.1.1
%Oct 16 02:04:56:665 2021 HPE SHELL/6/SHELL_CMD: -Line=con1/0-IPAddr=**-User=**; Command is quit
%Oct 16 02:04:54:187 2021 HPE SHELL/6/SHELL_CMD: -Line=con1/0-IPAddr=**-User=**; Command is undo import interface Route-Aggregation 1
%Oct 16 02:04:43:554 2021 HPE SHELL/6/SHELL_CMD: -Line=con1/0-IPAddr=**-User=**; Command is security-zone name Trust
%Oct 16 02:04:33:620 2021 HPE SHELL/6/SHELL_CMD: -Line=con1/0-IPAddr=**-User=**; Command is system-view


Security Zones:

[HPE]display security-zone
Name: Local
Members:
  None

Name: Trust
Members:
  Ten-GigabitEthernet1/2/0/0
  Ten-GigabitEthernet1/2/0/1
  Ten-GigabitEthernet2/2/0/0
  Ten-GigabitEthernet2/2/0/1
  Route-Aggregation1

Name: DMZ
Members:
  Ten-GigabitEthernet1/3/0/0
  Ten-GigabitEthernet1/3/0/1
  Ten-GigabitEthernet2/3/0/0
  Ten-GigabitEthernet2/3/0/1
  Route-Aggregation2

Name: Untrust
Members:
  None

Name: Management
Members:
  M-GigabitEthernet1/0/0/0


Let me know if there are any questions on this.  Thanks for taking a look!
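The log buffer above is printed newest-first and interleaves the operator's zone edits with the ping results, so the cause-and-effect is easy to misread by eye. The script below is an added example, not part of the thread or of any HPE tool: it parses the Comware log-buffer lines exactly as posted, replays the `security-zone name` / `import interface` / `undo import interface` commands in time order, and tags each `PING_STATISTICS` entry with the zone membership in force when that ping ran. The function names and the seed membership (`Route-Aggregation1` in Trust before the first logged command, taken from the `display security-zone` output) are assumptions of this example.

```python
"""Correlate Comware log-buffer entries with security-zone edits.

The SAMPLE_LOG lines are copied from the log buffer posted in the thread;
function names and the initial zone state are assumptions of this example.
"""
import re
from datetime import datetime, timedelta

# Log buffer as posted (newest entry first, the order Comware prints it).
SAMPLE_LOG = """\
Current messages: 512
%Oct 16 02:05:53:520 2021 HPE SHELL/6/SHELL_CMD: -Line=con1/0-IPAddr=**-User=**; Command is display security-zone
%Oct 16 02:05:43:694 2021 HPE PING/6/PING_STATISTICS: Ping statistics for 192.168.1.1: 5 packet(s) transmitted, 0 packet(s) received, 100.0% packet loss.
%Oct 16 02:05:32:665 2021 HPE SHELL/6/SHELL_CMD: -Line=con1/0-IPAddr=**-User=**; Command is ping 192.168.1.1
%Oct 16 02:05:29:655 2021 HPE SHELL/6/SHELL_CMD: -Line=con1/0-IPAddr=**-User=**; Command is quit
%Oct 16 02:05:28:256 2021 HPE SHELL/6/SHELL_CMD: -Line=con1/0-IPAddr=**-User=**; Command is import interface Route-Aggregation 1
%Oct 16 02:05:16:332 2021 HPE SHELL/6/SHELL_CMD: -Line=con1/0-IPAddr=**-User=**; Command is security-zone name Trust
%Oct 16 02:05:09:702 2021 HPE PING/6/PING_STATISTICS: Ping statistics for 192.168.1.1: 5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss, round-trip min/avg/max/std-dev = 1.017/1.078/1.180/0.055 ms.
%Oct 16 02:05:08:872 2021 HPE SHELL/6/SHELL_CMD: -Line=con1/0-IPAddr=**-User=**; Command is ping 192.168.1.1
%Oct 16 02:04:56:665 2021 HPE SHELL/6/SHELL_CMD: -Line=con1/0-IPAddr=**-User=**; Command is quit
%Oct 16 02:04:54:187 2021 HPE SHELL/6/SHELL_CMD: -Line=con1/0-IPAddr=**-User=**; Command is undo import interface Route-Aggregation 1
%Oct 16 02:04:43:554 2021 HPE SHELL/6/SHELL_CMD: -Line=con1/0-IPAddr=**-User=**; Command is security-zone name Trust
%Oct 16 02:04:33:620 2021 HPE SHELL/6/SHELL_CMD: -Line=con1/0-IPAddr=**-User=**; Command is system-view
"""

# %Mon DD HH:MM:SS:mmm YYYY HOST MODULE/SEVERITY/MNEMONIC: message
LINE_RE = re.compile(
    r"^%(?P<mon>[A-Z][a-z]{2}) (?P<day>\d{1,2}) (?P<hms>\d{2}:\d{2}:\d{2}):(?P<ms>\d{3}) "
    r"(?P<year>\d{4}) (?P<host>\S+) (?P<module>\w+)/(?P<sev>\d)/(?P<mnemonic>\w+): (?P<msg>.*)$"
)
CMD_RE = re.compile(r"Command is (?P<cmd>.+)$")
PING_RE = re.compile(
    r"Ping statistics for (?P<target>\S+): (?P<tx>\d+) packet\(s\) transmitted, "
    r"(?P<rx>\d+) packet\(s\) received, (?P<loss>[\d.]+)% packet loss"
)


def parse_log(text):
    """Return (timestamp, mnemonic, message) tuples, oldest first."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip buffer header lines such as "Current messages: 512"
        ts = datetime.strptime(
            f"{m['mon']} {m['day']} {m['year']} {m['hms']}", "%b %d %Y %H:%M:%S"
        ) + timedelta(milliseconds=int(m["ms"]))
        entries.append((ts, m["mnemonic"], m["msg"]))
    return sorted(entries, key=lambda e: e[0])


def _norm(ifname):
    # "Route-Aggregation 1" (CLI form) and "Route-Aggregation1" (display form) are the same port
    return ifname.replace(" ", "")


def correlate(text, initial_zones):
    """Replay zone edits in time order and tag each ping result with the
    membership in force when it ran. initial_zones is the membership before
    the first logged command (assumption: taken from display security-zone)."""
    zones = {z: {_norm(i) for i in members} for z, members in initial_zones.items()}
    current_zone = None  # zone view we are currently inside, if any
    results = []
    for ts, mnemonic, msg in parse_log(text):
        if mnemonic == "SHELL_CMD":
            cmd = CMD_RE.search(msg)["cmd"].strip()
            if cmd.startswith("security-zone name "):
                current_zone = cmd.split()[-1]
                zones.setdefault(current_zone, set())
            elif cmd.startswith("undo import interface ") and current_zone:
                zones[current_zone].discard(_norm(cmd[len("undo import interface "):]))
            elif cmd.startswith("import interface ") and current_zone:
                zones[current_zone].add(_norm(cmd[len("import interface "):]))
            elif cmd == "quit":
                current_zone = None
        elif mnemonic == "PING_STATISTICS":
            p = PING_RE.search(msg)
            results.append({
                "time": ts.isoformat(timespec="milliseconds"),
                "target": p["target"],
                "loss_pct": float(p["loss"]),
                "zones": {z: sorted(m) for z, m in zones.items()},
            })
    return results


def loss_by_membership(results, zone, member):
    """Group observed loss percentages by whether `member` was in `zone`."""
    out = {True: [], False: []}
    for r in results:
        out[_norm(member) in r["zones"].get(zone, [])].append(r["loss_pct"])
    return out


if __name__ == "__main__":
    res = correlate(SAMPLE_LOG, {"Trust": ["Route-Aggregation1"]})
    for r in res:
        print(r["time"], r["target"], f"{r['loss_pct']}% loss", "Trust =", r["zones"]["Trust"])
    print(loss_by_membership(res, "Trust", "Route-Aggregation 1"))
```

Run against the posted buffer it yields two ping results: 0% loss while `Route-Aggregation1` was out of Trust, 100% loss once it was imported again, which is the same toggle described in the opening post, now established from the device's own log rather than from memory of the console session. The same replay works on a longer `display logbuffer` export when several zone edits and pings are mixed together.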