topic Re: PA dropping packets on their return path in General Topics

PA dropping packets on their return path

u13550 — Fri, 06 Jul 2012 16:44:38 GMT

I have a simple L3 setup.

E1/1 connected to a router (default gateway to the internet). IP 192.168.119.2, untagged Zone VLAN1

E1/2.2 connected to a switch (VLAN 2 tagged). IP 10.2.2.1 (default gateway for the 10.2.2.0/24 network), Zone VLAN2

I have a default allow all rule, no nat (VLAN2 to VLAN1)

A ping from 10.2.2.51 to 8.8.8.8 doesn't work, so I started troubleshooting.

Monitor shows 10.2.2.51 to 8.8.8.8, Application "ping" allow

It does not mention any drops.

I did a tcp dump on the internet gateway and I do see request and reply getting in and out. All correct source / destination.

I did a tcp dump on the PA. I see the following in the 4 pcap files:

Receive: Echo request and reply

Transmit: only Echo Request

Firewall: Echo Request and reply

Drop: Echo reply

So, the question which drives me crazy is: Why is the PA dropping the echo reply packets and why is it not telling me that it has done so?

Thanks a lot in advance.

Andre

Re: PA dropping packets on their return path

u13550 — Fri, 06 Jul 2012 17:10:23 GMT

ok, a quick debug with drop counter shows that th following counters do increment:

flow_rcv_dot1q_tag_err 8632 0 drop flow parse Packets dropped: 802.1q tag not configured

flow_no_interface 8709 0 drop flow parse Packets dropped: invalid interface

looks like my VLAN Config is wrong on the "lan" side ....

Re: PA dropping packets on their return path

u13550 — Fri, 06 Jul 2012 21:02:56 GMT

While I'm confident, that the problem is in my clan configuration, I juts can't get it to work.

I've read the admin guide and several docs here but nothing fits.

Attached is my config ,maybe someone is so kind to bring some light in my dark?

Only traffic out of VLAN2 will reach the PA. VLAN 1 Traffic is bypassing the PA (VLAN1 blocked on the switch Trunk to the PA)

as a side note: I followed Scenario 1 in this document:

Re: PA dropping packets on their return path

u13550 — Sat, 07 Jul 2012 17:26:12 GMT

I restarted from scratch (the 1000th time) and whatever I did different than then times before, it's working now. I followed the above mentioned document.

Re: PA dropping packets on their return path

mikand — Sun, 08 Jul 2012 21:08:27 GMT

If you are lucky you have a backup of running-config from when it didnt work which you run a diff against your now working running config (and get back with the results)?

Re: PA dropping packets on their return path

u13550 — Mon, 09 Jul 2012 18:12:18 GMT

right, didn't thought about this...

will do when I'm back home next week

Andre