Hairpinning traffic out the same interface

Hello All:

We are in the middle of a migration and currently our remote site hosts point to a firewall for their default gateway. The site is just one subnet/flat LAN. We are changing that so that a newly installed router is the default gateway. The router has an interface on the same subnet/LAN as the firewall. On the router, we have a default static route pointing to the firewall. So, when traffic is initiated, it will hit the router first and then hairpin back out the same interface to the firewall.

When we change the default gateway to the router, the host appears to operate OK. However, after a while (30 mins or more), traffic appears to stop flowing. I've tried it with ip redirects on and off. I know I am missing something simple. Could it be that the firewall does not like part of the flow to come through the router?

Any help is much appreciated!

Thanks, Patrick

patrickjmurphy

What is probably happening is that the firewall is getting confused about the MAC addresses of the clients. The MAC addresses of the clients' IP addresses are seen as the MAC address of the router, but if the firewall ARPs the IP the client will reply and it will change. It will then see the source MAC of the client's IP as the router again the next time the router forwards a packet for the client. The firewall could be seeing this as some type of MAC DoS attack or some other problem. This is only speculation and you need to confirm this by looking at the firewall logs and checking the ARP cache on the firewall. My suggestion is to put the firewall on a different subnet, as this will definitely fix the problem. Hairpinning IP traffic is a VERY BAD practice and should be avoided at all costs because it can cause weird unexpected behaviour, just as you are seeing.

Thrill5

Thanks for the help. I definitely agree, this is not a recommended design, but we don't have access to the firewall and/or are not able to make changes to it. It makes sense what you said about the firewall thinking it is a DoS because of the different MACs. I have made a temporary workaround for the few servers that are having the issue. We've added some persistent routes to the servers. I know, I don't like it either, but it will get us through the migration period, after which the firewall will get removed. Thanks again.

Patrick

patrickjmurphy


About the only thing that springs to mind is that you may have a duplicate IP address with the new gateway.

I have not worked with many different kinds of firewall in depth, Checkpoint FireWall-1 and Cisco router and PIX only; however, since a firewall is an L3+ device I cannot see any firewall caring about MAC addresses. I have certainly never heard of it or encountered it.

When it stops working, check the ARP tables for duplicate IPs. Record them when they are working and then verify when it breaks. Check hosts, firewall, router.

I have used router on a stick a few times for the purposes of migration and otherwise and had no issues such as you are seeing.

Oh - unless maybe you have a load balancing firewall cluster? I think it might be possible that it could go wrong there.

bod43
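The check both replies suggest (record the ARP table while things work, compare it once traffic stops) as an added example that is not from any poster in this thread: a Python script that parses a series of Linux `ip neigh` snapshots and reports any IP learned with more than one MAC, plus the subset learned with the router's MAC, which is the hairpin confusion Thrill5 describes. All addresses, MACs and the ROUTER_MAC value are constructed assumptions.

```python
"""Diff ARP-table snapshots to spot a host IP whose MAC flaps between
its own MAC and the router's MAC.

SNAPSHOTS are constructed samples in Linux `ip neigh` format, taken a
few minutes apart from the same box; every IP and MAC is made up."""
import re
from collections import defaultdict

SNAPSHOTS = [
    """10.0.0.5 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE
10.0.0.1 dev eth0 lladdr 00:aa:bb:cc:dd:01 REACHABLE
10.0.0.7 dev eth0 lladdr 00:11:22:33:44:77 STALE""",
    """10.0.0.5 dev eth0 lladdr 00:aa:bb:cc:dd:01 REACHABLE
10.0.0.1 dev eth0 lladdr 00:aa:bb:cc:dd:01 REACHABLE
10.0.0.7 dev eth0 lladdr 00:11:22:33:44:77 STALE""",
    """10.0.0.5 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE
10.0.0.1 dev eth0 lladdr 00:aa:bb:cc:dd:01 DELAY
10.0.0.9 dev eth0 FAILED""",
]

ROUTER_MAC = "00:aa:bb:cc:dd:01"  # assumed: MAC of the new router's LAN interface

# "<ip> dev <if> lladdr <mac> <state>"; entries with no lladdr are skipped
LINE_RE = re.compile(r"^(\S+)\s+dev\s+\S+\s+lladdr\s+([0-9a-f:]{17})", re.I)


def parse_ip_neigh(text):
    """Return {ip: mac} from one `ip neigh` snapshot (FAILED/INCOMPLETE dropped)."""
    table = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            table[m.group(1)] = m.group(2).lower()
    return table


def find_flapping(snapshots, router_mac=ROUTER_MAC):
    """Return (flapping, hairpinned): flapping maps each IP seen with more
    than one MAC to its sorted MAC list; hairpinned lists the flapping IPs
    that were at some point learned with the router's MAC."""
    seen = defaultdict(set)
    for snap in snapshots:
        for ip, mac in parse_ip_neigh(snap).items():
            seen[ip].add(mac)
    flapping = {ip: sorted(macs) for ip, macs in seen.items() if len(macs) > 1}
    hairpinned = sorted(ip for ip, macs in flapping.items() if router_mac.lower() in macs)
    return flapping, hairpinned


if __name__ == "__main__":
    flapping, hairpinned = find_flapping(SNAPSHOTS)
    for ip in hairpinned:
        print(f"{ip} learned with router MAC: {flapping[ip]}")
```

On a live box, capture `ip neigh` to a file every few minutes and feed the files into `find_flapping` in place of SNAPSHOTS; a stable LAN should return an empty result.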
