Proxy traffic outgoing through default interface after configuring routing domains

Article ID: 237240

Updated On:

Products

ISG Proxy, ProxySG Software - SGOS, ASG-S200, ASG-S400, ASG-S500

Issue/Introduction

After creating routing domains and adding routing entries as specified in the guide below, some proxy traffic still leaves through the default routing domain interface:

https://techdocs.broadcom.com/content/dam/broadcom/techdocs/symantec-security-software/web-and-network-security/proxysg/7-1/generated-pdfs/RoutingDomains71.pdf

Cause

Routing domains have limitations: certain traffic and services can only use the default routing table. This limitation applies to the following traffic and services:

  • All ProxySG appliance management traffic.
  • WCCP configuration on the appliance.
  • VLANs, ICAP services, and forwarding hosts configured on the appliance.
  • All requests originating from the appliance (such as subscriptions, access log upload, and support case upload).

Environment

Note: if traffic comes in on a routing domain, it must leave on that same domain. Traffic is not supposed to traverse from one routing domain to another (even the default domain), and forwarding hosts only work in the default routing domain.

Page 3:
"Routing domains provide this segregation by partitioning network interfaces into disjoint groups that only allow traffic to be constrained to other interfaces in the same group. Traffic cannot traverse interfaces in different routing domains. Thus, network traffic is effectively segregated and can never cross routing domains."

Each routing domain object includes its own routing table that enforces Layer 3 segregation as follows:

  • Each routing table is associated with one or more logical interfaces.
  • IP traffic that arrives on these interfaces is subject to routing and forwarding decisions defined by the routing table.
  • Traffic never crosses multiple routing domains.

Resolution

This is expected behavior of the products, as designed.

Additional Information

Creating Multiple Logical Networks on a Single ProxySG Appliance with Routing Domains Guide:

https://techdocs.broadcom.com/content/dam/broadcom/techdocs/symantec-security-software/web-and-network-security/proxysg/7-1/generated-pdfs/RoutingDomains71.pdf