In VSX cluster, Virtual Router sends ICMP packets with its cluster private network IP instead of Cluster VIP as Source address
R75.40VS, R76, R77, R77.10, R77.20, R77.30
SmartView Tracker logs might show that ICMP packets are dropped by Virtual System:
Action = Drop
Information = message_info: Local interface address spoofing
Source = <Name_of_VSX_Cluster>_<Name_of_Virtual_System> (Internal_IP_Address)
Protocol = icmp
Interface = wrpXXX
Client --- [ VS --- VR ] --- Destination Host
- A client behind a Virtual System tries to reach a host (that does not exist or does not answer) behind a Virtual Router.
- The Virtual Router replies with ICMP Type 3 "Destination Unreachable" packets.
- The Virtual System drops these ICMP Error packets.
Traffic capture shows that the Virtual Router sends these ICMP "Destination Unreachable" packets with a Source IP address that belongs to the Internal Communication Network (Funny IP).
Example (Funny IP is 192.168.196.18):
The issue occurs regardless of the status of SecureXL (enabled/disabled) on the involved Virtual System / Virtual Router.
Kernel debug ('fw ctl debug -m fw + drop') might show the following drops:
- When SecureXL is enabled on VS and VR:
;fw_log_drop_conn: Packet <dir 1, Source_IP:0 -> Dest_IP:0 IPP 1>, dropped by do_inbound, Reason: Local interface address spoofing;
- When SecureXL is disabled on VS and VR:
;fw_log_drop_ex: Packet proto=1 Source_IP:XX -> Dest_IP:YY dropped by fw_local_anti_spoofing Reason: local interface spoof;
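An added example, not part of the original article and not Check Point code: a Python triage script that parses the two kernel debug drop formats quoted above and flags ICMP drops whose source lies in the internal communication network. The sample lines, the 10.x addresses and the /24 mask of `INTERNAL_NET` are assumptions constructed for illustration; only 192.168.196.18 comes from the article.

```python
import ipaddress
import re
from collections import Counter

# Assumption: set this to your cluster's internal communication network.
# Only the address 192.168.196.18 is from the article; the /24 is a placeholder.
INTERNAL_NET = ipaddress.ip_network("192.168.196.0/24")

# Format seen with SecureXL enabled (fw_log_drop_conn).
CONN_RE = re.compile(
    r"fw_log_drop_conn: Packet <dir \d+, (?P<src>[\d.]+):\d+ -> "
    r"(?P<dst>[\d.]+):\d+ IPP (?P<proto>\d+)>, dropped by (?P<by>\w+),? "
    r"Reason: (?P<reason>[^;]+);")
# Format seen with SecureXL disabled (fw_log_drop_ex).
EX_RE = re.compile(
    r"fw_log_drop_ex: Packet proto=(?P<proto>\d+) (?P<src>[\d.]+):\d+ -> "
    r"(?P<dst>[\d.]+):\d+ dropped by (?P<by>\w+) Reason: (?P<reason>[^;]+);")

def parse_drop(line):
    """Return a dict for a local-interface-spoofing drop line, else None."""
    for securexl, rx in (("enabled", CONN_RE), ("disabled", EX_RE)):
        m = rx.search(line)
        if not m or "spoof" not in m["reason"].lower():
            continue
        try:
            src = ipaddress.ip_address(m["src"])
        except ValueError:  # digits and dots that are not a valid address
            return None
        return {"securexl": securexl, "src": m["src"], "dst": m["dst"],
                "icmp": m["proto"] == "1", "dropped_by": m["by"],
                "src_is_internal": src in INTERNAL_NET}
    return None

def matches_symptom(line):
    """True for an ICMP spoofing drop sourced from the internal network."""
    d = parse_drop(line)
    return bool(d and d["icmp"] and d["src_is_internal"])

def summarize(lines):
    """Count symptom lines per (source IP, SecureXL state)."""
    hits = (parse_drop(l) for l in lines if matches_symptom(l))
    return Counter((d["src"], d["securexl"]) for d in hits)

# Constructed sample input in the two formats shown in the article.
SAMPLE = [
    ";fw_log_drop_conn: Packet <dir 1, 192.168.196.18:0 -> 10.1.1.50:0 IPP 1>, dropped by do_inbound, Reason: Local interface address spoofing;",
    ";fw_log_drop_ex: Packet proto=1 192.168.196.18:3 -> 10.1.1.50:1 dropped by fw_local_anti_spoofing Reason: local interface spoof;",
    ";fw_log_drop_ex: Packet proto=1 10.9.9.9:3 -> 10.1.1.50:1 dropped by fw_local_anti_spoofing Reason: local interface spoof;",
    ";unrelated debug line;",
]

if __name__ == "__main__":
    for key, count in summarize(SAMPLE).items():
        print(key, count)
```

A spoofing drop whose source is outside `INTERNAL_NET` is parsed but not counted, which separates this symptom from other anti-spoofing drops in the same debug output.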