After cluster failover, VSX Virtual Router with enabled SecureXL stops passing some traffic
  • After cluster failover, VSX Virtual Router with enabled SecureXL stops passing some traffic.

  • Source Host receives ICMP "Time Exceeded" messages from VSX for the affected traffic.

  • Disabling SecureXL on the Virtual Router prevents the issue from occurring.

  • Sending pings from the Virtual System (the one protecting the Source Host) to the outside routers (the next hop after the Virtual Router) resolves the issue: the affected traffic starts passing.

  • During the issue, ARP table on Virtual Router does not contain the entries for the Destination IP addresses of the affected traffic.

  • Setting static ARP entries (with the 'arp -s' command) on the Virtual Router for the involved Destination IP addresses prevents the issue from occurring.

  • SecureXL debug on the Virtual Router ('sim dbg -m drv + pkt routing' + 'sim dbg -m pkt + f2f pkt spoof') shows that the affected traffic consists of packets with TTL=1:
    ;[kern];[tid_...];[SIM-...]handle_inbound_packet: got packet on VSID=VSID_of_VR (ifnum=X);
    ;[kern];[tid_...];[SIM-...]warp_jump_junction: packet is for ip W.X.Y.Z; 
    ;[kern];[tid_...];[SIM-...]warp_jump_junction: after doing route the out device is IF_NAME; 
    ;[kern];[tid_...];[SIM-...]warp_jump_junction: about to jump over junction with out device which is not wrp; 
    ;[kern];[tid_...];[SIM-...]sim_get_mac_from_neigh: neighbour state not valid (nud_state=0x0) -> F2F;
    ;[kern];[tid_...];[SIM-...]warp_jump_junction: failed to get the macs from the neighbor entry, packet f2f.; 
    ;[kern];[tid_...];[SIM-...]do_inbound: got packet 0x... on cpu N of <Source_IP_Address,Source_Port,Dest_IP_Address,Dest_Port,Proto_Number>(vsid=VSID_of_VR); 
    ;[kern];[tid_...];[SIM-...]sim_validate_address: ifn: X, conn: <Source_IP_Address,Source_Port,Dest_IP_Address,Dest_Port,Proto_Number>, ttl: 1; 
    ;[kern];[tid_...];[SIM-...]do_inbound: connection <Source_IP_Address,Source_Port,Dest_IP_Address,Dest_Port,Proto_Number> not found -> forwarding to firewall;
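The two signatures in the debug excerpt above (a warp jump over the Virtual Router falling back to F2F because the neighbour entry is not valid, and the same flow reaching do_inbound with ttl: 1) can be correlated automatically when the 'sim dbg' output is large. The following triage script is an added example, not Check Point code; the log lines it parses are constructed from the patterns shown in the article, and the IP addresses, ports, VSID and packet handles in them are placeholders.

```python
"""Triage helper for SecureXL SIM debug output (added example, not Check Point code).

It correlates two lines per flow from 'sim dbg' output:
  - 'warp_jump_junction: packet is for ip X' followed by
    'sim_get_mac_from_neigh: neighbour state not valid (nud_state=...) -> F2F'
  - 'sim_validate_address: ... conn: <src,sport,dst,dport,proto>, ttl: N'
A flow is flagged only when both hold: the neighbour entry for its destination is
unresolved (forced F2F) AND the TTL is already 1 at do_inbound, so the FireWall
kernel's own decrement takes it to 0 and the OS answers with ICMP Time Exceeded.
TTL=1 alone is not enough: a traceroute probe legitimately arrives with TTL=1.
"""
import re
from dataclasses import dataclass, field

# Constructed sample modelled on the article's debug excerpt (not a real capture).
# Flow 1: destination 203.0.113.10, neighbour unresolved, TTL 1 -> affected.
# Flow 2: destination 203.0.113.20, neighbour fine, TTL 1 -> contrast (e.g. a traceroute probe).
SAMPLE_DEBUG = """\
;[kern];[tid_3];[SIM-5];handle_inbound_packet: got packet on VSID=2 (ifnum=4);
;[kern];[tid_3];[SIM-5];warp_jump_junction: packet is for ip 203.0.113.10;
;[kern];[tid_3];[SIM-5];warp_jump_junction: after doing route the out device is eth1;
;[kern];[tid_3];[SIM-5];warp_jump_junction: about to jump over junction with out device which is not wrp;
;[kern];[tid_3];[SIM-5];sim_get_mac_from_neigh: neighbour state not valid (nud_state=0x0) -> F2F;
;[kern];[tid_3];[SIM-5];warp_jump_junction: failed to get the macs from the neighbor entry, packet f2f.;
;[kern];[tid_3];[SIM-5];do_inbound: got packet 0xdeadbeef on cpu 1 of <10.0.0.5,40000,203.0.113.10,443,6>(vsid=2);
;[kern];[tid_3];[SIM-5];sim_validate_address: ifn: 4, conn: <10.0.0.5,40000,203.0.113.10,443,6>, ttl: 1;
;[kern];[tid_3];[SIM-5];do_inbound: connection <10.0.0.5,40000,203.0.113.10,443,6> not found -> forwarding to firewall;
;[kern];[tid_3];[SIM-5];handle_inbound_packet: got packet on VSID=2 (ifnum=4);
;[kern];[tid_3];[SIM-5];warp_jump_junction: packet is for ip 203.0.113.20;
;[kern];[tid_3];[SIM-5];warp_jump_junction: after doing route the out device is eth1;
;[kern];[tid_3];[SIM-5];do_inbound: got packet 0xcafe on cpu 1 of <10.0.0.6,33434,203.0.113.20,33434,17>(vsid=2);
;[kern];[tid_3];[SIM-5];sim_validate_address: ifn: 4, conn: <10.0.0.6,33434,203.0.113.20,33434,17>, ttl: 1;
"""

RE_DST = re.compile(r"warp_jump_junction: packet is for ip ([0-9.]+)")
# nud_state=0x0 is NUD_NONE in the Linux neighbour subsystem: no resolved entry at all.
RE_NUD = re.compile(r"sim_get_mac_from_neigh: neighbour state not valid \(nud_state=(0x[0-9a-fA-F]+)\)")
RE_TTL = re.compile(r"sim_validate_address: ifn: (\d+), conn: <([^>]+)>, ttl: (\d+)")


@dataclass
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    proto: int
    ttl: int


@dataclass
class Triage:
    neigh_failures: dict = field(default_factory=dict)  # dst ip -> set of nud_state values seen
    flows: list = field(default_factory=list)

    def affected(self):
        """Flows matching the article's signature: unresolved neighbour AND TTL <= 1."""
        return [f for f in self.flows if f.dst in self.neigh_failures and f.ttl <= 1]


def parse_sim_debug(text):
    """Walk the ';'-delimited SIM debug lines and pair each neighbour failure with
    the destination IP announced by the preceding warp_jump_junction line."""
    triage = Triage()
    pending_dst = None
    for raw in text.splitlines():
        msg = raw.strip().strip(";").strip()  # SIM debug wraps every line in ';'
        m = RE_DST.search(msg)
        if m:
            pending_dst = m.group(1)
            continue
        m = RE_NUD.search(msg)
        if m and pending_dst:
            triage.neigh_failures.setdefault(pending_dst, set()).add(m.group(1))
            continue
        m = RE_TTL.search(msg)
        if m:
            src, sport, dst, dport, proto = m.group(2).split(",")
            triage.flows.append(Flow(src, int(sport), dst, int(dport), int(proto), int(m.group(3))))
    return triage


def workaround_targets(triage):
    """Destination IPs to which the article's static-ARP workaround ('arp -s <ip> <mac>'
    on the Virtual Router) would apply. MACs are not present in the debug, so only
    the IPs are returned; look the MAC up on the outside router itself."""
    return sorted({f.dst for f in triage.affected()})


if __name__ == "__main__":
    t = parse_sim_debug(SAMPLE_DEBUG)
    for f in t.affected():
        print(f"F2F + TTL={f.ttl}: {f.src}:{f.sport} -> {f.dst}:{f.dport} proto {f.proto} "
              f"(nud_state {','.join(sorted(t.neigh_failures[f.dst]))})")
    print("static ARP candidates on the VR:", workaround_targets(t))
```

Run it against a saved 'sim dbg' capture by replacing SAMPLE_DEBUG with the file contents; the flagged destinations are the ones to check in the Virtual Router's ARP table and, if you apply the workaround, to pin with 'arp -s'.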

Chain of events:

  1. The packet passed through the Virtual System's Warp interface.
  2. The packet arrived at the Virtual Router's Warpj interface.
  3. The SecureXL SIM module attempted to perform a Warp jump over the Virtual Router, but failed because the neighbour table had no MAC address for the Destination IP address.
  4. The SecureXL SIM module forwarded the packet to the FireWall kernel (F2F). In addition, the SecureXL SIM module decremented the packet's TTL, even though the packet never left the Virtual Router.
  5. At this point, the TTL equals 1.
  6. The FireWall kernel passed the packet to the OS networking stack to resolve the Destination IP address (ARP), and the TTL was decremented by 1 again.
  7. At this point, the TTL equals 0.
  8. TTL=0 caused the OS to discard the packet and to send an ICMP "Time Exceeded" message back to the Source Host (kernel debug shows ';ICMP type 11, code 0;').

