Contributor
October 19, 2009
Question

Duplicating traffic

Hi everyone! I'm new on this forum as well as with managing FortiGate (310B in my case). The problem that I'm experiencing is as follows. First a few words about my net topology. We have 2 core router/switches in a cluster mode (VRRP). From both, there is a physical connection to the FG ports 1 and 2, which are in redundant mode and defined in a group called LAN. That means, from one core sw to FG port1, from the other (backup) core sw to FG port2. From the FG ports 3 and 4 (also redundant ports - group External) there is a physical connection to 2 layer 2 switches, each port of the FG to one L2 switch. Each L2 sw is connected to a Nokia FW. Hence, there are 2 Nokias in a cluster. One thing more, the L2 switches are also connected directly to each other. The problem is as follows: When we try to ping from the internal LAN (host connected to a core sw, for example) to the DMZ (which is connected on the FW on a separate physical interface), we get a duplicated reply packet. On the FG there is a firewall policy that allows all traffic from internal addresses to DMZ addresses, applying no Protection Profile to this traffic. This is also happening for other traffic, besides ICMP. We tested many things, and came to the conclusion that the problem is (probably) related to ARP and STP on the switches. We have tried to forward STP on all 4 ports on the FG but with no luck. Please, any suggestion is more than welcome. This is a rather big issue in our case.

    10 replies

    FortiRack_Eric
    New Member
    October 19, 2009
    Hi, Can you post a diagram? Stupid Q: Did you config the VLAN correctly? Are those Cisco switches? Is the FG310B in NAT/Route mode? Regards, Eric
    Contributor
    October 19, 2009
    Hi Eric, thanks for your answer. I'm sending you the diagram. The VLANs are configured correctly :). The switches are Alcatel, both the core as well as the L2 switches. The FG is working in Transparent mode. The thing is that the traffic, when it arrives at the L2 switch (back from the DMZ), is broadcast throughout that VLAN (because of the mac-address entry in the L2 switch) and therefore the FG receives the same packet on both "External" ports (Port3 and Port4, which is normal in Redundant mode), but transmits both packets thru the LAN port (Port1), which is also normal behavior when 2 ports are in redundant mode. Port2 (also a LAN port) is not transmitting any traffic, also normal behavior. We also enabled stpforward and l2forward, in order to pass STP thru the FG, but it didn't solve our problem. In that case, we had 2 root bridges on the same segment!!! Not good :) So, you have some more info now to chew on :)) Regards, Alex
    Contributor
    October 19, 2009
    Hi Eric, in case you didn't receive the diagram, I am embedding it in the post...
    Contributor
    October 19, 2009
    It is rather a big picture :)) Regards, Alex
    Contributor
    October 19, 2009
    I changed the image size (again :)
    MisterAG
    New Member
    October 19, 2009
    1) Are the Nokia firewalls in an active/active or active/passive config? 2) If you hang a PC off of the L2 switch before you hit your core, do you get duplicated pings? How about if you hang the PC off of the other switch? I just checked a router that we have on the far side of a transparent proxy, and I'm not seeing any of the ARP resolutions as (ff:ff:ff:ff:ff:ff) - what device is making the decision to start broadcasting the traffic? My guess would be the Nokia boxes?
    Contributor
    October 19, 2009
    Both Nokias are in a cluster and working in active/passive mode. When we tried a ping from the primary Nokia (on the left side of the picture) towards some internal host (connected on the Main Core switch) we also got duplicated ICMP reply packets, which means that the traffic is going thru the FG external port (Port3), and then the traffic is sent thru both FG internal ports (Port1 and Port2). We excluded the Nokia as the source of the duplication, because when we ping some other addresses which are also behind the Nokia (on another Nokia physical interface), or addresses on the Internet, there aren't any duplicated replies. Just to mention, in the FortiGate firewall policy there is a rule that allows the traffic from the internal LAN towards the DMZ without any protection profile applied. The primary Nokia receives the ICMP request packet and sends a reply; the secondary Nokia sees the reply packet on the DMZ interface (but is not sending any traffic). I think that the problem lies somewhere in the L2 - FortiGate connection. Does anybody have some experience with the stpforward option of the FG? Both the core and the L2 switches use RSTP.
    FortiRack_Eric
    New Member
    October 19, 2009
    I haven't read through the whole thread, but based on your diagram, I think you forgot to create broadcast domains. As the FG is in TP mode it's also an L2 switch and ARPs will be replicated on every port regardless of the VLAN. Broadcast domains prevent this. Cheers, Eric
    Contributor
    October 20, 2009
    Hi Eric, how should I configure the broadcast domain(s) on the FG? thx + regards Alex
    Contributor
    October 20, 2009
    Hi SvaboVD, You may have to configure forwarding domains. See more details here: "Technical Note: Configuring a FortiGate in Transparent mode with trunks (802.1q - VLANs) and forwarding domains" http://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD30083 -J.
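As an added illustration (not from the thread or from the KB note J. links), here is a FortiOS CLI sketch of what a forwarding-domain setup for this topology could look like: the redundant LAN and External groups from the original post, plus one VLAN subinterface on each, both placed in the same forwarding domain. The VLAN ID (10), the subinterface names and the VDOM name are assumptions; the FortiGate is assumed to be in Transparent mode as Alex states.

```text
# Constructed example, assumes FortiOS 4.x CLI, Transparent mode, VDOM "root".
# Default state: every interface sits in forward-domain 0, i.e. one broadcast
# domain, so a broadcast or unknown-unicast frame arriving on External is
# flooded out of every other port, which is what Eric describes.

config system interface
    edit "LAN"
        set vdom "root"
        set type redundant
        set member "port1" "port2"
    next
    edit "External"
        set vdom "root"
        set type redundant
        set member "port3" "port4"
    next
    # VLAN subinterfaces (names and ID 10 assumed). Both sit in forward-domain
    # 10, so frames tagged with VLAN 10 are forwarded only between these two
    # subinterfaces and not into any other forwarding domain.
    edit "LAN_vlan10"
        set vdom "root"
        set interface "LAN"
        set vlanid 10
        set forward-domain 10
    next
    edit "External_vlan10"
        set vdom "root"
        set interface "External"
        set vlanid 10
        set forward-domain 10
    next
end

# Verification: list the interfaces with their forward-domain values, then
# inspect the transparent-mode bridge table to see on which port each MAC
# address was learned (a MAC flapping between ports points at the flooding).
show system interface
diagnose netlink brctl name host root.b
```

Firewall policies then reference LAN_vlan10 and External_vlan10 rather than the physical or redundant interfaces, otherwise the tagged traffic is not matched.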