VPN traffic might be dropped in some cases on Anti-Spoofing when SecureXL and QoS are enabled on R77.10 Security Gateway
Symptoms
  • Topology:

    Client -- GW -- <VPN Site-to-Site> -- GW/ClusterXL with QoS and SecureXL -- DNS Server

  • VPN traffic might be dropped in some cases on Anti-Spoofing when:

    • SecureXL is enabled on Security Gateway / Cluster
    • The connection that passes via the VPN tunnel is accelerated by SecureXL
    • QoS is enabled on the 'outbound' interface (facing the Server) of the Security Gateway / Cluster
    • QoS is disabled on the 'inbound' interface (facing the Client) of the Security Gateway / Cluster


  • Debug on Security Gateway ('fw ctl debug -m fw + drop vm' + 'fw ctl debug -m fg + qosaccel' + 'sim dbg -m vpn + vpn' + 'sim dbg -m pkt + pkt qxl') shows the following:
    ;[SIM-...]vpn_ipsec_encrypt: return with rc = 1;
    ;[SIM-...]vpn_encrypt: vpn_ipsec_encrypt returns 1;
    ;[SIM-...]do_outbound: forwarding packet to network (ifnum=N)...; 
    ;[SIM-...]handle_inbound_packet: Interface N has outbound QoS -> forwarding to QoS;
    ;[SIM-...]create_async_opaque_outbound: send the packet F2Q (QoS) outbound.; 
    .....................
    ;fg_chain_qxl: INFO: flow is not classified. Do F2F;
    .....................
       [-- Stateful VM inbound: Entering (...) --];
    .....................
    ;fw_log_drop_ex: Packet proto=50 Source_IP:Source_Port -> Dest_IP:Dest_Port dropped by fw_antispoof_log Reason: Address spoofing;
    .....................
    ;FW-1: fw_log_bad_conn_ex: reason Address spoofing;
    ;fw_interface_anti_spoofing: dropping spoofed packet;
    ;fwchain_log_drop: Duplicate request to log chain drop. Caller=fw_interface_anti_spoofing Reason=spoofed;
    ;fw_handle_first_packet: first packet anti spoofing checks violation (action=VANISH);
    ;fw_filter_chain: handle_first_packet returned action VANISH for new conn;
    ;fw_filter_chain: Final switch, action=VANISH;
    ;After  VM: <dir 0, Source_IP:0 -> Dest_IP:0 IPP 50> (len=...) ;
    ;VM Final action=VANISH;
    ; -----  Stateful VM inbound Completed -----
    
Cause

In some cases, when a packet is accelerated by SecureXL, QoS will forward the packet to the FireWall kernel for further inspection (in the debug above: 'fg_chain_qxl: INFO: flow is not classified. Do F2F').

In this specific scenario, the packet is forwarded to the FireWall kernel after SecureXL has already encrypted it (it is now an ESP packet, IP protocol 50). The inbound Stateful VM anti-spoofing check therefore inspects the encrypted packet instead of the original cleartext packet, considers it a spoofed packet, and drops it (action=VANISH).
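As an added illustration (not part of this SK and not Check Point code), the following Python script checks a saved kernel debug capture for the marker sequence shown in the Symptoms section: encryption by SecureXL, hand-off to QoS (F2Q), QoS sending the flow to the FireWall (F2F), and the inbound anti-spoofing drop of an ESP (proto=50) packet. The sample debug text is constructed (RFC 5737 documentation addresses, placeholder interface numbers); the marker names and the match_signature function are this example's own.

```python
import re

# Constructed sample of the debug output described in the Symptoms section.
# Addresses, interface numbers and the SIM instance id are placeholders.
SAMPLE_DEBUG = """\
;[SIM-0]vpn_ipsec_encrypt: return with rc = 1;
;[SIM-0]vpn_encrypt: vpn_ipsec_encrypt returns 1;
;[SIM-0]do_outbound: forwarding packet to network (ifnum=3)...;
;[SIM-0]handle_inbound_packet: Interface 3 has outbound QoS -> forwarding to QoS;
;[SIM-0]create_async_opaque_outbound: send the packet F2Q (QoS) outbound.;
;fg_chain_qxl: INFO: flow is not classified. Do F2F;
   [-- Stateful VM inbound: Entering (eth2) --];
;fw_log_drop_ex: Packet proto=50 192.0.2.10:0 -> 198.51.100.20:0 dropped by fw_antispoof_log Reason: Address spoofing;
;FW-1: fw_log_bad_conn_ex: reason Address spoofing;
;fw_interface_anti_spoofing: dropping spoofed packet;
;fw_handle_first_packet: first packet anti spoofing checks violation (action=VANISH);
;VM Final action=VANISH;
"""

# Constructed counter-example: SecureXL encrypts and hands the packet to QoS,
# but QoS classifies the flow itself, so nothing reaches the FireWall kernel.
SAMPLE_NO_F2F = "\n".join(SAMPLE_DEBUG.splitlines()[:5]) + "\n"

# Markers in the order they appear when this SK applies. Order matters:
# the anti-spoofing drop must come after the F2Q -> F2F hand-off.
SIGNATURE = (
    ("encrypted",   re.compile(r"vpn_ipsec_encrypt: return with rc = 1")),
    ("sent_to_qos", re.compile(r"create_async_opaque_outbound: send the packet F2Q \(QoS\) outbound")),
    ("qos_f2f",     re.compile(r"fg_chain_qxl: INFO: flow is not classified\. Do F2F")),
    ("spoof_drop",  re.compile(
        r"fw_log_drop_ex: Packet proto=(?P<proto>\d+) (?P<src>\S+) -> (?P<dst>\S+) "
        r"dropped by fw_antispoof_log Reason: Address spoofing")),
    ("vanish",      re.compile(
        r"fw_handle_first_packet: first packet anti spoofing checks violation \(action=VANISH\)")),
)


def match_signature(debug_text):
    """Scan debug output for the ordered marker chain.

    Returns a dict with:
      matched - True only if every marker is found in order AND the dropped
                packet is ESP (proto 50); a proto-50 drop is what separates
                this post-encryption drop from an ordinary spoofed cleartext
                packet, which is a topology problem rather than this SK.
      missing - marker names not found (in order) in the capture.
      proto/src/dst - taken from the fw_log_drop_ex line when present.
    """
    lines = debug_text.splitlines()
    pos = 0
    found = {}
    missing = []
    for name, pattern in SIGNATURE:
        hit = None
        for i in range(pos, len(lines)):
            m = pattern.search(lines[i])
            if m:
                hit = m
                pos = i + 1  # later markers must appear after this one
                break
        if hit is None:
            missing.append(name)
        else:
            found[name] = hit

    result = {"matched": False, "missing": missing,
              "proto": None, "src": None, "dst": None}
    drop = found.get("spoof_drop")
    if drop is not None:
        result["proto"] = int(drop.group("proto"))
        result["src"] = drop.group("src")
        result["dst"] = drop.group("dst")
    result["matched"] = (not missing) and result["proto"] == 50
    return result


if __name__ == "__main__":
    for label, text in (("sample", SAMPLE_DEBUG), ("no-F2F", SAMPLE_NO_F2F)):
        r = match_signature(text)
        print(f"{label}: matched={r['matched']} missing={r['missing']} "
              f"proto={r['proto']} {r['src']} -> {r['dst']}")
```

Run it against a file saved from 'fw ctl kdebug' by passing the file contents to match_signature; a result with matched=True means the capture shows exactly the chain this SK describes, while a proto other than 50 or a missing 'qos_f2f' marker points to a different cause (for example a genuine topology/anti-spoofing misconfiguration).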


Solution