Header Only - DO NOT REMOVE - Extreme Networks

IP Blocking problem


Userlevel 4
Create Date: Jan 29 2013 2:11PM

Hi

I'm having a strange problem that I can't get any further with.

We have 5 Summit switches (X460-24p/t & X460-48p/t) in a ring topology (with EAPS). Everything is working fine, but now we have noticed that a certain website won't load.

The setup is like this:

... SW3 <--> SW4 <--> SW5 <--> SW6 <--> Firewall <--> Internet

The website works on SW5 and SW6 without problems. But SW4 and everything below it won't load this particular page. With Wireshark I saw that the SYN packet travels to the website. The SYN-ACK packet comes back and leaves SW5. But on SW4 I can't see the packet arriving. It seems that SW4 is dropping the packet due to an IP restriction.

There are no ACLs configured on SW4. ip-security source-ip-lockdown isn't configured either. So at the moment I have no idea what the matter is. Does anyone have an idea that would be helpful?

Thanks in advance
TIDigi (from TIDigi)

7 replies

Userlevel 4
Create Date: Jan 29 2013 8:33PM

Hey TIDigi

By default we do not restrict any traffic on the switch; everything is bridged with a VLAN of "default" and a protocol of "any". One thing that may be an issue is if you created another VLAN and changed the protocol to something other than "any". If you change it to IP, for example, then we limit it to IP traffic only.

Can you run the command "show edp" on the port from SW4 to SW5? I want to see if they see one another OK. Also, who is the master of the ring? Can you run "show eaps" on the master and post that? Also, can you run "show config" on the 6 switches and upload it?

As I mentioned, by default we do not block anything. EAPS will only block the protected VLANs on the secondary port of the master.

P (from Paul_Russo)
Userlevel 4
Create Date: Jan 30 2013 8:52AM

Hey prusso

Thanks for your answer. There is no VLAN problem, because everything is working except for this one particular website. If I contact your website, for example, everything works. So there is no problem with any VLAN, and EAPS is also working normally. The only problem is the blocking of this particular website. The SYN-ACK packets won't go from SW5 to SW4...

SW4 # show edp ports 1:54

Port  Neighbor  Neighbor-ID              Remote  Age  Num
                                         Port         Vlans
=============================================================================
1:54  SW5       00:00:02:04:96:51:c0:70  1:53    30   10
=============================================================================

The master of the ring is SW6

SW6 # show eaps

EAPS Enabled: Yes
EAPS Fast-Convergence: Off
EAPS Display Config Warnings: On
EAPS Multicast Add Ring Ports: Off
EAPS Multicast Send IGMP Query: On
EAPS Multicast Temporary Flooding: Off
EAPS Multicast Temporary Flooding Duration: 15 sec
Number of EAPS instances: 2
# EAPS domain configuration :
--------------------------------------------------------------------------------
Domain   State     Mo  En  Pri   Sec   Control-Vlan     VID    Count  Prio
--------------------------------------------------------------------------------
hp_ring  Complete  M   Y   1:53  1:54  hp_ring          (4090) 1      H
np_ring  Complete  M   Y   1:54  1:53  np_ring          (4091) 7      N
--------------------------------------------------------------------------------


There are no problems with any of the 10 VLANs or with EAPS itself. The only problem we see is that one website can't be loaded. It doesn't matter from which VLAN we try to reach the page. It works from SW5 and SW6 but not from SW4, because the SYN-ACK packet is dropped on SW4.

It seems that the SW4 switch drops packets from the IP 81.18.23.6 (which is the IP of the website we are trying to reach).

What could be the cause of this behaviour? We don't have access-lists for this VLAN...

TIDigi (from TIDigi)
Userlevel 4
Create Date: Feb 26 2013 3:22PM

Does nobody have an idea what could cause this problem?

I still have the same problem that one website is getting blocked. The SYN-ACK response seems to be dropped by SW4 for some reason. It could be that the source IP (the website) is being dropped by SW4, but without an ACL I can't imagine what could cause this.

Thank you in advance
TiDigi (from TIDigi)
Userlevel 4
Create Date: Mar 3 2013 3:56AM

TIDigi, where did you take the packet capture? Do you see the SYN-ACK reaching SW4, or does it not even get there? What is the destination MAC address of the SYN-ACK packet? Is it seen in the output of "show fdb" in that VLAN on any of the switches? (from ethernet)
Userlevel 4
Create Date: Mar 6 2013 10:02AM

Hi ethernet

I took captures on SW5 and SW4 by mirroring the uplink ports and using Wireshark on the mirrored port. After I saw the SYN-ACK on SW5, I mirrored only outgoing traffic and saw the SYN-ACK there too. So it was sent from SW5 to SW4. On SW4 I didn't see the SYN-ACK arriving. I think SW4 is dropping the packet instantly on arrival...

The destination MAC of the SYN-ACK packet is the computer on which I try to open the website; let's call it MAC1. The MAC is in the FDB table on both SW4 and SW5. It makes no difference if I use another PC with a different MAC.

Long story short: SYN packets visible on SW4, SW5, ...
SYN-ACK packets visible on SW5 but NOT on SW4
FDB contains MAC1 for the VLAN on both switches

TIDigi (from TIDigi)
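The comparison the poster did by eye in Wireshark (SYN-ACK present in the SW5 egress mirror, absent in the SW4 ingress mirror) can be automated, which helps when the affected flow is one of many. The following is an added example, not code from this thread or from Extreme Networks. It parses raw Ethernet/IPv4/TCP frames with the standard library only, indexes every SYN-ACK by (client, server) in each capture, and reports the ones that left the upstream switch but never showed up downstream, tallied per server IP so a drop tied to one source address stands out. The frames are constructed inline with zeroed checksums; the MAC addresses, the client address 10.0.0.10 and the control site 198.51.100.20 are assumptions, and only 81.18.23.6 comes from the thread. In a real run you would feed it the raw frames from the two mirror-port pcaps instead.

```python
"""Diff two mirror-port captures: which TCP SYN-ACKs left SW5 but never reached SW4?"""
import struct
from collections import defaultdict

ETH_HDR_LEN = 14
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6
TCP_SYN, TCP_ACK = 0x02, 0x10


def parse_frame(frame):
    """Parse Ethernet II / IPv4 / TCP headers. Returns None for anything else (ARP, non-TCP, runts)."""
    if len(frame) < ETH_HDR_LEN + 20:
        return None
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:ETH_HDR_LEN])
    if ethertype != ETHERTYPE_IPV4:
        return None
    ip = frame[ETH_HDR_LEN:]
    if ip[0] >> 4 != 4:
        return None
    ihl = (ip[0] & 0x0F) * 4                       # header length, options included
    if ip[9] != IPPROTO_TCP or len(ip) < ihl + 20:
        return None
    src_ip = ".".join(str(b) for b in ip[12:16])
    dst_ip = ".".join(str(b) for b in ip[16:20])
    sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", ip[ihl:ihl + 14])
    return {
        "dst_mac": dst_mac.hex(":"),
        "src_mac": src_mac.hex(":"),
        "src": (src_ip, sport),
        "dst": (dst_ip, dport),
        "flags": off_flags & 0x01FF,               # low 9 bits of the offset/flags word
    }


def build_frame(dst_mac, src_mac, src_ip, sport, dst_ip, dport, flags):
    """Build a minimal TCP frame for the constructed sample (IP/TCP checksums left at zero)."""
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    ipv4 = lambda s: bytes(int(o) for o in s.split("."))
    tcp = struct.pack("!HHIIHHHH", sport, dport, 0, 0, (5 << 12) | flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64,
                     IPPROTO_TCP, 0, ipv4(src_ip), ipv4(dst_ip))
    return mac(dst_mac) + mac(src_mac) + struct.pack("!H", ETHERTYPE_IPV4) + ip + tcp


def _synacks(frames):
    """Map (client, server) -> parsed packet for every SYN-ACK in a capture."""
    out = {}
    for f in frames:
        p = parse_frame(f)
        if p and (p["flags"] & (TCP_SYN | TCP_ACK)) == (TCP_SYN | TCP_ACK):
            out[(p["dst"], p["src"])] = p          # a SYN-ACK travels server -> client
    return out


def missing_synacks(upstream_egress, downstream_ingress):
    """SYN-ACKs present in the upstream (SW5) capture but absent from the downstream (SW4)
    capture, plus a per-server-IP tally. Returns (sorted list of (client, server), tally)."""
    up, down = _synacks(upstream_egress), _synacks(downstream_ingress)
    missing = sorted(k for k in up if k not in down)
    per_server = defaultdict(int)
    for _client, server in missing:
        per_server[server[0]] += 1
    return missing, dict(per_server)


# Constructed sample captures (assumed addresses; only 81.18.23.6 is from the thread).
MAC1 = "02:00:00:00:00:01"          # the client PC behind SW4
GW_MAC = "02:00:00:00:00:55"        # MAC the client forwards to toward the firewall
CLIENT, BLOCKED_SITE, CONTROL_SITE = "10.0.0.10", "81.18.23.6", "198.51.100.20"

syn_blocked = build_frame(GW_MAC, MAC1, CLIENT, 40001, BLOCKED_SITE, 80, TCP_SYN)
synack_blocked = build_frame(MAC1, GW_MAC, BLOCKED_SITE, 80, CLIENT, 40001, TCP_SYN | TCP_ACK)
syn_control = build_frame(GW_MAC, MAC1, CLIENT, 40002, CONTROL_SITE, 80, TCP_SYN)
synack_control = build_frame(MAC1, GW_MAC, CONTROL_SITE, 80, CLIENT, 40002, TCP_SYN | TCP_ACK)
ARP_FRAME = b"\xff" * 6 + bytes.fromhex(MAC1.replace(":", "")) + b"\x08\x06" + b"\x00" * 28

SW5_CAPTURE = [syn_blocked, synack_blocked, syn_control, synack_control, ARP_FRAME]
SW4_CAPTURE = [syn_blocked, syn_control, synack_control, ARP_FRAME]   # 81.18.23.6 SYN-ACK absent

if __name__ == "__main__":
    gaps, tally = missing_synacks(SW5_CAPTURE, SW4_CAPTURE)
    for client, server in gaps:
        print(f"SYN-ACK {server[0]}:{server[1]} -> {client[0]}:{client[1]} left SW5, never reached SW4")
    print("missing SYN-ACKs per server IP:", tally)
```

Both captures must be taken with the same port-mirror setup (bidirectional on the uplink, or egress on SW5 paired with ingress on SW4) over the same time window, otherwise flows that simply were not mirrored show up as false gaps. A tally concentrated on a single server IP, as with 81.18.23.6 here, is what points at a per-source drop rather than a VLAN or EAPS problem.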
Userlevel 4
Create Date: Mar 7 2013 2:17PM

As far as I can tell, whatever ingresses the switch will be mirrored. If the traffic is dropped, it is dropped after it has been duplicated and sent to the mirroring port.

Can you apply an ACL like this:
Switch# edit policy test.pol
type “I” for insert mode
type the following text…
entry AllowThisHostOnly {
if {
ethernet-destination-address XX:XX:XX:XX:XX:XX;
protocol tcp;
source-port ;
} then {
permit;
count counter1;
}
}
type “esc”, “:”, “wq” OR just “ZZ” to save and quit

Apply that access list to the ingress traffic on the port between SW4 and SW5 (configure access-list test port ingress). Run the traffic and look at the output of the "show access-list counter" command. Do you see that counter incrementing?

Another question: when you mirror the traffic, do you mirror on ports or on VLANs? Have you tried rebooting SW4, or connecting SW5 to SW3 directly, if possible? Can you share the packet capture with us?
(from ethernet)
Userlevel 4
Create Date: Apr 4 2013 12:03PM

Thanks for your input

I made ACLs on SW4 and SW5, slightly different from the one you wrote. But I saw the same thing as with Wireshark: the packets left SW5 but didn't enter SW4.

The solution to the problem was a restart of SW4. But something strange happened after this action. One VLAN didn't work anymore on SW4. It was the VLAN for VoIP. So we restarted the switch again, and now everything works fine. The second restart was around 9pm, and we got restart alerts in EPICenter every 5 minutes until 6am. I'm not sure what the matter was, but at least everything works fine now.

Thanks for your replies and the help
TiDigi (from TIDigi)