Packets silently dropped due to rp_filter in asymmetric routing environments
Article ID: 168060
Updated On:
Products
XOS
Issue/Introduction
Packet drop due to the rp_filter parameter in asymmetric routing , Check Point firewall.If a network is configured for asymmetric routing, you will likely see traffic being dropped between hosts on that network. The symptoms are:
1) A packet comes into a network interface on a VAP
2) fw monitor reports the packet is preprocesed (i, I)
3) Packet is accepted by Check Point (Log shows an accept, not a drop)
4) Packet does not get sent out, and a Check Point log message appears:
loopback: address spoofing
5) fw monitor never sees an output packet (o, O)
1) A packet comes into a network interface on a VAP
2) fw monitor reports the packet is preprocesed (i, I)
3) Packet is accepted by Check Point (Log shows an accept, not a drop)
4) Packet does not get sent out, and a Check Point log message appears:
loopback: address spoofing
5) fw monitor never sees an output packet (o, O)
Cause
Eliminate the drops.
Resolution
This occurs even when Check Point is configured to accept out-of-state TCP connections, and when IP spoofing protection is turned off on all interfaces. It will also occur with a single VAP active.
The reason for the packets being discarded lies in a kernel-level parameter called 'rp_filter', which is part of the routing stack. This parameter stands for 'Reverse Path Filter', and it is used to prevent IP spoofing attacks. Generally, this parameter is used in conjunction with iptables, but it is turned on by default in Red Hat Linux.
This parameter can be modified in realtime by entering these commands:
echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/default/rp_filter
Or, it can be made persistent by modifying /etc/sysctl.conf to include:
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.rp_filter = 0
NOTE: To be effective, these changes must be done on all members of the VAP group.
On new versions of XOS, you can disable the rp filter with "no rp-filter" command on a VAP group, from the Crossbeam CLI.
Another piece that you may want to enable in order to debug this situation is to add the following line to the /etc/sysctl.conf file:
net.ipv4.conf.all.log_martians=1
You can accomplish the same thing, but only temporarily by entering this command:
echo "1" > /proc/sys/net/ipv4/conf/all/log_martians
This will log all of the connections considered to be from spoofed addresses to the /var/log/messages file.
The reason for the packets being discarded lies in a kernel-level parameter called 'rp_filter', which is part of the routing stack. This parameter stands for 'Reverse Path Filter', and it is used to prevent IP spoofing attacks. Generally, this parameter is used in conjunction with iptables, but it is turned on by default in Red Hat Linux.
This parameter can be modified in realtime by entering these commands:
echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/default/rp_filter
Or, it can be made persistent by modifying /etc/sysctl.conf to include:
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.rp_filter = 0
NOTE: To be effective, these changes must be done on all members of the VAP group.
On new versions of XOS, you can disable the rp filter with "no rp-filter" command on a VAP group, from the Crossbeam CLI.
Another piece that you may want to enable in order to debug this situation is to add the following line to the /etc/sysctl.conf file:
net.ipv4.conf.all.log_martians=1
You can accomplish the same thing, but only temporarily by entering this command:
echo "1" > /proc/sys/net/ipv4/conf/all/log_martians
This will log all of the connections considered to be from spoofed addresses to the /var/log/messages file.
Workaround
N/AFeedback
Yes
No
Powered by
