Packets silently dropped due to rp_filter in asymmetric routing environments

book

Article ID: 168060

calendar_today

Updated On:

Products

XOS

Issue/Introduction

Packet drop due to the rp_filter parameter in asymmetric routing , Check Point firewall.If a network is configured for asymmetric routing, you will likely see traffic being dropped between hosts on that network. The symptoms are:

1) A packet comes into a network interface on a VAP
2) fw monitor reports the packet is preprocesed (i, I)
3) Packet is accepted by Check Point (Log shows an accept, not a drop)
4) Packet does not get sent out, and a Check Point log message appears:
    loopback: address spoofing
5) fw monitor never sees an output packet (o, O)

Cause

Eliminate the drops.

Resolution

This occurs even when Check Point is configured to accept out-of-state TCP connections, and when IP spoofing protection is turned off on all interfaces. It will also occur with a single VAP active.

The reason for the packets being discarded lies in a kernel-level parameter called 'rp_filter', which is part of the routing stack. This parameter stands for 'Reverse Path Filter', and it is used to prevent IP spoofing attacks. Generally, this parameter is used in conjunction with iptables, but it is turned on by default in Red Hat Linux.

This parameter can be modified in realtime by entering these commands:

echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/default/rp_filter


Or, it can be made persistent by modifying /etc/sysctl.conf to include:
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.rp_filter = 0

NOTE: To be effective, these changes must be done on all members of the VAP group.

On new versions of XOS, you can disable the rp filter with "no rp-filter" command on a VAP group, from the Crossbeam CLI.

Another piece that you may want to enable in order to debug this situation is to add the following line to the /etc/sysctl.conf file:

net.ipv4.conf.all.log_martians=1

You can accomplish the same thing, but only temporarily by entering this command:

echo "1" > /proc/sys/net/ipv4/conf/all/log_martians

This will log all of the connections considered to be from spoofed addresses to the /var/log/messages file.


Workaround

N/A