Asymmetric traffic is dropped on Security Gateway with enabled SecureXL and several Bridge interfaces
Symptoms
  • Asymmetric traffic is dropped on Security Gateway in the following scenario:

    1. SecureXL is enabled
    2. Two Bridge interfaces are configured:
      Client --- [Bridge1] (Security Gateway with SecureXL) [Bridge2] --- Server
    3. Client-to-Server traffic passes through slaves of one of the Bridge interfaces:
      Client <===> [Bridge1] (Security Gateway with SecureXL) [Bridge2] --- Server
    4. Server-to-Client traffic passes through slaves of the other Bridge interface:
      Client --- [Bridge1] (Security Gateway with SecureXL) [Bridge2] <===> Server
  • Disabling SecureXL (SecureXL Address-Spoofing feature to be exact) resolves the issue.

  • SecureXL debug may show address spoofing drops.

Cause

SecureXL does not update the routes for bridged traffic.

As a result, instead of bridging the Server-to-Client traffic from one slave of the Server's Bridge interface to the other slave of that same Bridge interface, SecureXL forwards the Server-to-Client traffic out of the Client's Bridge interface, which was offloaded to SecureXL when the Client-to-Server traffic passed for the first time:

  1. Client-to-Server traffic enters the Security Gateway via the Client's Bridge interface "Bridge1":
    Client ===> [Bridge1] (Security Gateway with SecureXL) [Bridge2] --- Server

  2. Client's Bridge interface "Bridge1" is offloaded to SecureXL

  3. Client-to-Server traffic exits from the Security Gateway via the Client's Bridge interface "Bridge1":
    Client <=== [Bridge1] (Security Gateway with SecureXL) [Bridge2] --- Server

  4. Server-to-Client traffic enters the Security Gateway via the Server's Bridge interface "Bridge2":
    Client --- [Bridge1] (Security Gateway with SecureXL) [Bridge2] <=== Server

  5. SecureXL incorrectly calculates the route for Server-to-Client traffic

  6. Server-to-Client traffic exits from the Security Gateway via the Client's Bridge interface "Bridge1" (instead of the Server's Bridge interface "Bridge2"):
    Client <=== [Bridge1] (Security Gateway with SecureXL) [Bridge2] --- Server
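The following Python model is an added illustration of the forwarding defect described in the six steps above; it is not Check Point code and does not reproduce SecureXL internals. The interface names (eth1..eth4), the two-slaves-per-bridge topology and the way the offload entry caches an egress interface per direction are assumptions made for the example. It contrasts correct per-bridge forwarding with a connection entry that fixes both egress interfaces from the first packet, and also runs a symmetric flow to show why the problem only appears when the two directions use different Bridge interfaces.

```python
# Added example (not Check Point code): toy model of an offload entry that
# remembers the ingress bridge of the first packet and therefore sends return
# traffic out of the wrong Bridge interface. Interface names are constructed.
from dataclasses import dataclass

# Constructed topology: two Bridge interfaces, each with two slave interfaces.
# eth1 faces the Client on Bridge1, eth4 faces the Server on Bridge2.
BRIDGES = {
    "Bridge1": ("eth1", "eth2"),
    "Bridge2": ("eth3", "eth4"),
}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    in_if: str  # slave interface the packet arrived on


def bridge_of(slave: str) -> str:
    """Return the name of the Bridge interface a slave belongs to."""
    for name, slaves in BRIDGES.items():
        if slave in slaves:
            return name
    raise ValueError(f"unknown slave interface {slave}")


def other_slave(slave: str) -> str:
    """Layer-2 bridging: egress is the other slave of the same bridge."""
    a, b = BRIDGES[bridge_of(slave)]
    return b if slave == a else a


class BridgeForwarder:
    """Correct behaviour: each packet is bridged within the bridge it entered."""

    def forward(self, pkt: Packet) -> str:
        return other_slave(pkt.in_if)


class CachedRouteForwarder:
    """Models the defect: the first packet of a connection creates an offload
    entry that fixes the egress slave for both directions. Later packets,
    including ones arriving on the other Bridge interface, never update it."""

    def __init__(self) -> None:
        self.table: dict[tuple[str, str], str] = {}

    def forward(self, pkt: Packet) -> str:
        key = (pkt.src, pkt.dst)
        if key not in self.table:
            # Offload on first sight (step 2 above): forward direction exits on
            # the other slave of the ingress bridge; reverse direction is
            # assumed to exit on the interface the first packet came in on.
            self.table[key] = other_slave(pkt.in_if)
            self.table[(pkt.dst, pkt.src)] = pkt.in_if
        return self.table[key]


def run_flow(forwarder, packets):
    """Return the egress slave chosen for each packet in order."""
    return [forwarder.forward(p) for p in packets]


def compare(packets):
    """Return (correct egress list, cached egress list) for one packet sequence."""
    return run_flow(BridgeForwarder(), packets), run_flow(CachedRouteForwarder(), packets)


# Asymmetric flow from the article: C->S enters on Bridge1, S->C enters on Bridge2.
ASYMMETRIC = [
    Packet("client", "server", "eth1"),  # step 1: enters via Bridge1
    Packet("server", "client", "eth4"),  # step 4: enters via Bridge2
]
# Symmetric flow for comparison: both directions cross Bridge1 only.
SYMMETRIC = [
    Packet("client", "server", "eth1"),
    Packet("server", "client", "eth2"),
]


if __name__ == "__main__":
    for name, flow in (("symmetric", SYMMETRIC), ("asymmetric", ASYMMETRIC)):
        good, bad = compare(flow)
        verdict = "OK" if good == bad else "MISMATCH"
        print(f"{name}: correct={good} cached={bad} {verdict}")
```

In the asymmetric case the cached entry sends the Server-to-Client packet out of eth1 (Bridge1, towards the Client) although correct bridging would use eth3 (the other slave of Bridge2), which is exactly the step-6 behaviour; in the symmetric case both models agree, so the defect is invisible until the two directions take different bridges.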

