Another weird Anti Spoofing Issue

[Dom c]

Got another weird anti spoofing issue...

We have an interface set up as 172.19.1.113/22, traffic destined for this /22 network passes except 172.19.1.128/27 which is dropped by anti spoofing.
This network is not defined anywhere else on the firewall in the routing or topology..
Any ideas ??
Cheers

[mcnallym]

It's not part of a remote encryption domain is it ?

[Dom c]

Alas no, there is no other reference to that range..
I have taken support on this issue and the person that configured it is not in this week.
I think in the intial setup, the interface may have been configured wrong and this /27 has been bound in the kernel somewhere.
I will try and get an outage to reboot the system and hope that clears it..

[dsb.nepo]

Maybe it is defined at some other object.

quick search:

Code:

cd $FWDIR/conf
grep 172.19.1 objects_5_0.C

[vijayant]

Hi

Please check the Route on the Firewall module if it is routed to some other interface

[MarioL]

If I was you I'd double check the logs, make sure what interface is dropping the traffic, etc. Maybe there is a routing problem somewhere.

[rokudan]

In topology > Edit Interface > Topology Tab.... Have you setup a group of objects behind that interface? If not create a group for that interface, and add the IP's/Networks of what is behind it...

[chuachongchee]

Quote:

Originally Posted by rokudan

In topology > Edit Interface > Topology Tab.... Have you setup a group of objects behind that interface? If not create a group for that interface, and add the IP's/Networks of what is behind it...

This happens with 3rd party clusters...

In cluster objects, in NGAI versions we can do "Get Interfaces", in NGX for 3rd party clusters its "get interfaces with topology". This will check the interfaces as well as defined routes as well, it will create the antispoof for you, if you have only one network, it will be "internal", specific <network>.. If you have some defined static routes, it will create a group object for you and define antispoof automatically.. all this happens in the background without you even knowing it.. if you have very presice of whats inside the smartdashboard... take a look in the network n group objects.. see if theres any new "rouge" objects created.. like net_10.1.1.0_1 etc.. usually a tell tale sign.. or search for overlapping/duplicate objects using the query objects function...

What i did was to detach both cluster members, remove or properly define all interfaces manually and add them back to the cluster again, then DO MANUALLY the cluster interfaces... reconfigure antispoof manually if needed...


Hope this helps... Please remember to backup your configuration b4 any change such as this...