Packets silently dropped due to rp_filter in asymmetric routing environments
Article ID: 168060
Packet drop due to the rp_filter parameter in asymmetric routing , Check Point firewall.If a network is configured for asymmetric routing, you will likely see traffic being dropped between hosts on that network. The symptoms are:
1) A packet comes into a network interface on a VAP 2) fw monitor reports the packet is preprocesed (i, I) 3) Packet is accepted by Check Point (Log shows an accept, not a drop) 4) Packet does not get sent out, and a Check Point log message appears: loopback: address spoofing 5) fw monitor never sees an output packet (o, O)
Eliminate the drops.
This occurs even when Check Point is configured to accept out-of-state TCP connections, and when IP spoofing protection is turned off on all interfaces. It will also occur with a single VAP active.
The reason for the packets being discarded lies in a kernel-level parameter called 'rp_filter', which is part of the routing stack. This parameter stands for 'Reverse Path Filter', and it is used to prevent IP spoofing attacks. Generally, this parameter is used in conjunction with iptables, but it is turned on by default in Red Hat Linux.
This parameter can be modified in realtime by entering these commands: