SurfControl not blocking across Cisco router

My apologies up front for the long post. In order to troubleshoot this I need to give quite a bit of background.

We are using SurfControl at my company to monitor and filter web traffic. Inappropriate web traffic is correctly blocked for users on the same LAN as the SurfControl server, but across a router hop it is not working. The web surfing of the users across the router hop is being recorded correctly, so SurfControl sees it, but it is not being blocked.

SurfControl works using a secondary NIC that is attached to a SPAN port that mirrors the traffic from my firewall's inside interface. When it sees traffic to a prohibited site, the SurfControl server spoofs the IP of the client and sends a RST packet to the web server from the SC server's primary NIC. It also spoofs the IP of the web server and sends an 'Access Denied' web page and a RST packet to the client. This works great for users on the same LAN as SurfControl, and it used to work fine over the router hop, but it doesn't work over the router hop any more. Unfortunately I can't pin down a date or event that caused this to stop working. Users usually don't tell us when it's not blocking. :-)

The SurfControl server is on a 6509 with a Sup720 running 12.2(18)SXF4. The 6509 has a virtual interface that is the default gateway for the LAN the SC server is on. The 6509 also has two gig fiber interfaces that make it part of a metro ring around our city. The router hop goes over the ring to a 6513, and I have verified through traces that the traffic is consistently taking the shortest path around the ring. The 6513 also has a Sup720 with 12.2(18)SXF4.

I sniffed the SurfControl primary NIC and surfed a forbidden page from a machine across the router hop and I verified that the SC server is sending out the RSTs as expected. I next sniffed the ring interface on the 6513 (the client side of the router hop) and verified that I'm not seeing the RST packets there. I then sniffed the ring interface on the 6509 facing the 6513 and I did not see the RST packets. They don't appear to be leaving the 6509. When I look at the MAC addresses on the RST packets the destination MAC is the virtual router interface on the 6513, so they should be going on the ring to the 6513. I checked the mac-address-table on the 6509 for that MAC and the 6509 knows traffic for that MAC should go out the ring interface. There is an access-list on the LAN gateway for the SC server, but it is only blocking Windows Networking. There are no access-lists on the ring interfaces.

I am at a loss. If I was seeing the RST packets leave the 6509 and not get to the 6513 I would have all kinds of things to test, but I don't even see them leave the 6509. Any ideas?

Reply to shane.dammen
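The post describes the injection mechanism without showing the packets, so here is a worked example of what a sniffer-based filter of this kind has to build from one observed request: the RST spoofed from the client toward the web server, the "Access Denied" page spoofed from the server toward the client, and the RST that follows it. This is added example code, not SurfControl's implementation or anything from the post; the addresses, ports, sequence numbers and the HTTP request are constructed for illustration, and the packets are built and checked rather than sent.

```python
"""Build the three spoofed segments a sniffer-based web filter injects.

Added example, not SurfControl's code. Hosts, ports and sequence numbers
below are constructed for illustration.
"""
import socket
import struct

FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10

DENIED_BODY = b"<html><body>Access Denied</body></html>"
DENIED_PAGE = (b"HTTP/1.1 403 Forbidden\r\nContent-Type: text/html\r\n"
               b"Connection: close\r\nContent-Length: %d\r\n\r\n" % len(DENIED_BODY)
               + DENIED_BODY)


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ipv4_tcp(src, dst, sport, dport, seq, ack, flags, payload=b"", ttl=64):
    """Return a complete IPv4+TCP packet (no options) with valid checksums."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0)
    pseudo = (socket.inet_aton(src) + socket.inet_aton(dst)
              + struct.pack("!BBH", 0, 6, len(tcp) + len(payload)))
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp + payload)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0, 0x4000,
                     ttl, 6, 0, socket.inet_aton(src), socket.inet_aton(dst))
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return ip + tcp + payload


def parse_ipv4_tcp(pkt: bytes) -> dict:
    """Decode the fields the filter needs from a sniffed IPv4/TCP packet."""
    if pkt[0] >> 4 != 4 or pkt[9] != 6:
        raise ValueError("not an IPv4/TCP packet")
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    seg = pkt[ihl:total_len]
    sport, dport, seq, ack, off, flags = struct.unpack("!HHIIBB", seg[:14])
    return {
        "src": socket.inet_ntoa(pkt[12:16]), "dst": socket.inet_ntoa(pkt[16:20]),
        "sport": sport, "dport": dport, "seq": seq, "ack": ack, "flags": flags,
        "payload": seg[(off >> 4) * 4:],
    }


def checksums_ok(pkt: bytes) -> bool:
    """Re-verify the IP header and TCP pseudo-header checksums (both must fold to zero)."""
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    seg = pkt[ihl:total_len]
    pseudo = pkt[12:20] + struct.pack("!BBH", 0, 6, len(seg))
    return checksum(pkt[:ihl]) == 0 and checksum(pseudo + seg) == 0


def forge_resets(observed: dict):
    """Given the client's request segment, build the three packets the filter injects."""
    client, server = observed["src"], observed["dst"]
    cport, sport = observed["sport"], observed["dport"]
    next_client_seq = (observed["seq"] + len(observed["payload"])) & 0xFFFFFFFF
    # (1) Spoof the client: RST toward the web server, from the client's own
    #     address/port, at the sequence number the server expects next.
    rst_to_server = build_ipv4_tcp(client, server, cport, sport,
                                   seq=next_client_seq, ack=observed["ack"], flags=RST | ACK)
    # (2) Spoof the server: deliver the denied page in-window (seq == client's ACK) ...
    page_to_client = build_ipv4_tcp(server, client, sport, cport,
                                    seq=observed["ack"], ack=next_client_seq,
                                    flags=PSH | ACK, payload=DENIED_PAGE)
    # (3) ... then RST the client, with seq advanced past the page so it is still in-window.
    rst_to_client = build_ipv4_tcp(server, client, sport, cport,
                                   seq=(observed["ack"] + len(DENIED_PAGE)) & 0xFFFFFFFF,
                                   ack=next_client_seq, flags=RST | ACK)
    return rst_to_server, page_to_client, rst_to_client


# Constructed sample: one HTTP GET as the SPAN port would show it (Ethernet header omitted).
SAMPLE_REQUEST = build_ipv4_tcp("10.1.2.3", "203.0.113.10", 40000, 80, seq=1000, ack=5000,
                                flags=PSH | ACK,
                                payload=b"GET / HTTP/1.1\r\nHost: blocked.example\r\n\r\n")

if __name__ == "__main__":
    for name, pkt in zip(("RST->server", "page->client", "RST->client"),
                         forge_resets(parse_ipv4_tcp(SAMPLE_REQUEST))):
        f = parse_ipv4_tcp(pkt)
        print(f"{name}: {f['src']}:{f['sport']} -> {f['dst']}:{f['dport']} "
              f"seq={f['seq']} ack={f['ack']} flags=0x{f['flags']:02x} ok={checksums_ok(pkt)}")
```

Putting these on the wire needs a raw socket (IP_HDRINCL) or a pcap-style injector, and the sequence numbers must come from the sniffed request, or the endpoints will discard the segments as out-of-window. Note the property this design depends on: every injected packet carries a source address the filter host does not own. Any anti-spoofing control on the first-hop gateway, for instance Cisco unicast RPF (`ip verify unicast source reachable-via rx`) on an SVI, will silently drop such packets, so it is one of the first things to check when they are seen leaving the filter's NIC but never reach the next hop.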

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.