Support Center > Search Results > SecureKnowledge Details
In VSX cluster, Virtual Router sends ICMP packets with its cluster private network IP instead of Cluster VIP as Source address
  • SmartView Tracker logs might show that ICMP packets are dropped by Virtual System:

    Action = Drop
    Information = message_info: Local interface address spoofing
    Source = <Name_of_VSX_Cluster>_<Name_of_Virtual_System> (Internal_IP_Address)
    Protocol = icmp
    Interface = wrpXXX
  • Topology:

    Client --- [ VS --- VR ] --- Destination Host

    1. Client behind a Virtual System is trying to reach a host (that does not exist / answer) behind a Virtual Router.
    2. The Virtual Router replies with ICMP packets Type 3 "Destination Unreachable"
    3. The Virtual System drops these ICMP Error packets
  • Traffic capture shows that Virtual Router sends these ICMP packets "Destination Unreachable" with its Source IP address that belongs to Internal Communication Network (Funny IP).

    Example (Funny IP is

  • Issue occurs regardless the status of SecureXL (enabled/disabled) on the involved Virtual System / Virtual Router.

  • Kernel debug ('fw ctl debug -m fw + drop') might show the following drops:

    • When SecureXL is enabled on VS and VR:
      ;fw_log_drop_conn: Packet <dir 1, Source_IP:0 -> Dest_IP:0 IPP 1>, dropped by do_inbound, Reason: Local interface address spoofing;

    • When SecureXL is disabled on VS and VR:
      ;fw_log_drop_ex: Packet proto=1 Source_IP:XX -> Dest_IP:YY dropped by fw_local_anti_spoofing Reason: local interface spoof;
Note: To view this solution you need to Sign In .