
Why is the traffic hitting SameSide class and not the correct class?


Article ID: 239140


Products

PacketShaper S-Series

Issue/Introduction

In some network topologies, traffic can hit the SameSide class instead of the regular class whose matching rules it should match.

Cause

Depending on the network topology and on how the various hosts pass traffic in and out of the network, the PS may see the same host as both an Inside and an Outside host. This happens mostly in redundant topologies, when multiple NICs are in use and traffic passes through the PS twice, or when some users connect to internal servers over VPN.

PacketShaper maintains a hostdb table and marks each host as Inside or Outside. If the PS sees the same host/IP sometimes on the Inside and at other times on the Outside, it marks that host as Inside (Inside gets preference). Traffic going from one Inside host to another Inside host is then classified under the SameSide class.

Resolution

There are a few ways to resolve this issue; here are some options:

A. If you know there should not be any LAN to LAN (local) traffic going through the PS (i.e. all the traffic that flows through the PS is LAN to WAN traffic), the Sameside class with its Ignore policy is not required. You can run 'sys set autoCreateSameside 0' and then delete the Inbound/Sameside and Outbound/Sameside classes. This is an easy solution, but you have to be certain that the PS is not seeing any LAN to LAN traffic (via one-arm routing through the router or due to any other topology).

OR

B. In redundant topologies, or when there is VPN-based traffic, the PS may see some external/outside hosts on the Inside (a packet from an external host reaches the Inside via some other path and then goes out through the PS). When that happens, the host is already marked as an Inside host, and traffic between it and the internal hosts (both being Inside hosts) is classified as Sameside traffic. If hostdb entries are incorrect (which often happens in redundant topologies), the hostdb will probably have to be locked down. That involves setting hostdb learning to manual and defining an inside host list.

Steps/Options to fix incorrect hostdb sidedness:

1. Set hostdb side learning to manual:

hostdb side manual

2. Define the Inside hosts, using either of the following options:

a. Using a host list, lock the internal subnets as Inside (you know your LAN subnets):

hl new inside_hosts
hl add inside_hosts 10.1.1.10                    (add inside hosts/subnets)
hostdb side set inside list:inside_hosts         (define "inside_hosts" as the inside list)

b. Using the entire internal subnet (easier option):

hostdb side set inside 10.0.0.0/8

The command syntax, as printed by the CLI:

PacketShaper# hostdb side set
Usage: hostdb side set inside|outside list:<hostlist>|<ip-addr>|<subnet>/<cidr>

3. Prefer Outside when the same host is seen on both sides:

sys set hostdbSidePrefer 2                       (if the same host is seen on Inside and Outside, keep it as an Outside host; all Inside hosts were already marked manually in step 2, so everything else has to be Outside)

4. Clear the sidedness of any incorrectly learned hosts:

hostdb side reset all

After you do the above, all your Inside hosts remain Inside, and every other host is evaluated: if such a host is seen on both the Inside and the Outside, it is kept as an Outside host. This should resolve the SameSide misclassification.
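To make the sidedness rules from the Cause and Resolution sections concrete, here is an added example; it is not PacketShaper code but a simplified model of the behaviour the article describes. It replays constructed observations of a VPN user's address (203.0.113.7, seen first on the Inside and then on the Outside) and an internal server (10.1.1.10) through a toy hostdb, once with the default Inside preference and once after the inside subnet, hostdbSidePrefer 2 and the reset from steps 2 to 4. The HostDb class, its methods and the sample addresses are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass, field

INSIDE, OUTSIDE = "inside", "outside"


@dataclass
class HostDb:
    """Toy model of hostdb sidedness (assumption: a simplification of the article's rules)."""
    # Models 'sys set hostdbSidePrefer': default is Inside, 2 means prefer Outside.
    prefer: str = INSIDE
    # Models 'hostdb side set inside <subnet>/<cidr>' after 'hostdb side manual':
    # any address inside these networks is locked as Inside and never re-learned.
    inside_nets: list = field(default_factory=list)
    # Side learned from observed traffic for hosts that are not locked.
    learned: dict = field(default_factory=dict)

    def _locked_inside(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.inside_nets)

    def observe(self, ip, seen_on):
        """Record that a packet from ip was seen on the Inside or Outside interface."""
        if self._locked_inside(ip):
            return                      # manually defined Inside hosts are not learned
        prev = self.learned.get(ip)
        if prev is None or prev == seen_on:
            self.learned[ip] = seen_on
        else:
            # Host seen on both sides: the preference setting decides.
            self.learned[ip] = self.prefer

    def side(self, ip):
        if self._locked_inside(ip):
            return INSIDE
        # Assumption: a host never seen at all is treated as Outside.
        return self.learned.get(ip, OUTSIDE)

    def reset_all(self):
        """Models 'hostdb side reset all': forget every learned side."""
        self.learned.clear()


def classify(db, src, dst):
    """Return the top-level class a flow lands in: Sameside, Inbound or Outbound."""
    s, d = db.side(src), db.side(dst)
    if s == INSIDE and d == INSIDE:
        return "Sameside"
    return "Outbound" if s == INSIDE else "Inbound"


# Constructed observations: the internal server is seen on the Inside; the VPN
# user's address first reaches the Inside via the VPN path, then is seen on the
# Outside when it goes out through the PS.
OBSERVATIONS = [
    ("10.1.1.10", INSIDE),
    ("203.0.113.7", INSIDE),
    ("203.0.113.7", OUTSIDE),
]


def replay(db, observations=OBSERVATIONS):
    for ip, seen_on in observations:
        db.observe(ip, seen_on)
    return db


def demo():
    """Classify the same VPN-user flow before and after locking down the hostdb."""
    # Before: default preference, no inside list -> 203.0.113.7 ends up Inside.
    default_db = replay(HostDb())
    before = classify(default_db, "203.0.113.7", "10.1.1.10")

    # After: steps 2-4 (inside subnet, prefer Outside, reset), then the same traffic.
    fixed_db = HostDb(prefer=OUTSIDE, inside_nets=[ipaddress.ip_network("10.0.0.0/8")])
    fixed_db.reset_all()
    replay(fixed_db)
    after = classify(fixed_db, "203.0.113.7", "10.1.1.10")

    return {
        "before": before,                                        # "Sameside"
        "after": after,                                          # "Inbound"
        "reply": classify(fixed_db, "10.1.1.10", "203.0.113.7"),  # "Outbound"
        "lan_to_lan": classify(fixed_db, "10.1.1.10", "10.2.2.2"),  # still "Sameside"
        "vpn_side_after": fixed_db.side("203.0.113.7"),         # "outside"
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The lan_to_lan entry shows why option A is only safe when no local traffic crosses the PS: with the inside subnet locked, genuine LAN to LAN flows still land in Sameside, which is the class the Ignore policy is there for.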