Hi all,
Ready for another non-solution from me? I only know half of this equation,
but maybe someone who knows the Nokia can fill in the blanks and help with
a real solution.
Does the Nokia have any protection or defense for duplicate IP
addresses? I don't know about Nokia, but I do know LocalDirector very well.
Here's a possible explanation for why the Nokia shuts down an interface:
The relevant details are in how the packets are changed by the LD
(LocalDirector). A packet destined for LD Virtual (IP.V), will be destined
for the MAC of the LD (MAC.LD). The LD gets this packet, determines the
Server to send it to, and forwards it on changing the IP.V to IP.S1, and
the MAC from MAC.LD to MAC.S1. The server now responds to the original
requester, and our source addresses now become interesting. The server (S1)
addresses the packet, and we have IP.S1, and MAC.S1. As the packet passes
through the LD, the LD identifies it with a virtual stream, and changes the
IP address accordingly. We now have a source address on the packet of
IP.V, with MAC.S1. The LD does NOT change the MAC layer on the outbound
streams. The sniffer traces should show this behavior as well (depending
on where you place the sniffer in the network).
The Nokia may be having a problem seeing the MAC of IP.V change from
LD to S1, S2, S3, etc. It will only see this on the outbound packet
streams. I've seen some network devices complain about the MAC swapping
behavior, so possibly the Nokia is having problems with this.
This is just an educated guess, but the packet address functions may help
someone else who is actually experienced with Nokia's firewall.
Hope this helps,
Lisa Napier
Product Security Incident Response Team
Cisco Systems
http://www.cisco.com/warp/public/707/sec_incident_response.shtml
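The address rewriting Lisa describes above, modelled as an added example: this is not part of her message, not Cisco or Nokia code, and every address in it is made up. It forwards a few constructed client requests through a toy LocalDirector, then runs the check a device tracking IP-to-MAC bindings would effectively run: does the source MAC paired with IP.V change between outbound packets? A second scenario sends traffic straight to the real servers (the "bridge" use Victor mentions) to show that the same check stays quiet there.

```python
"""Toy model of LocalDirector (LD) address rewriting and a check for the
symptom suspected above: the MAC seen with the virtual IP (IP.V) flapping
between servers on outbound traffic. All addresses below are constructed."""
from dataclasses import dataclass, replace
from itertools import cycle

# Constructed addresses for the example (hypothetical, not from the thread).
VIRTUAL_IP = "10.0.0.10"
LD_MAC = "02:00:00:00:00:10"
FIREWALL_MAC = "02:00:00:00:00:01"        # the firewall's DMZ interface
SERVERS = [("10.0.0.11", "02:00:00:00:00:11"),   # (IP.S1, MAC.S1)
           ("10.0.0.12", "02:00:00:00:00:12"),   # (IP.S2, MAC.S2)
           ("10.0.0.13", "02:00:00:00:00:13")]   # (IP.S3, MAC.S3)


@dataclass(frozen=True)
class Frame:
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int


class LocalDirector:
    """Virtual IP owned by the LD, a round-robin pool of real servers, and a
    per-flow table so server replies can be mapped back to the virtual IP."""

    def __init__(self, virtual_ip, ld_mac, servers):
        self.virtual_ip, self.ld_mac = virtual_ip, ld_mac
        self._rr = cycle(servers)
        self.flows = {}  # (client_ip, client_port) -> (server_ip, server_mac)

    def inbound(self, f):
        """Client -> IP.V: rewrite dst IP and dst MAC to the chosen server."""
        if f.dst_ip != self.virtual_ip or f.dst_mac != self.ld_mac:
            return f  # not addressed to the virtual service: pass through
        key = (f.src_ip, f.src_port)
        if key not in self.flows:
            self.flows[key] = next(self._rr)
        s_ip, s_mac = self.flows[key]
        return replace(f, dst_ip=s_ip, dst_mac=s_mac)

    def outbound(self, f):
        """Server -> client: rewrite src IP back to IP.V. The src MAC is
        deliberately left as the server's MAC, matching the description."""
        flow = self.flows.get((f.dst_ip, f.dst_port))
        if flow is None or f.src_ip != flow[0]:
            return f
        return replace(f, src_ip=self.virtual_ip)  # src_mac untouched


def mac_changes_for_ip(frames, ip):
    """Report each time the source MAC paired with `ip` differs from the
    previous one seen. Returns a list of (old_mac, new_mac) events."""
    last, events = None, []
    for f in frames:
        if f.src_ip != ip:
            continue
        if last is not None and f.src_mac != last:
            events.append((last, f.src_mac))
        last = f.src_mac
    return events


def _request(client_ip, port, dst_ip, dst_mac):
    # Request arrives on the DMZ from the firewall, so src MAC is the firewall's.
    return Frame(FIREWALL_MAC, dst_mac, client_ip, dst_ip, port, 80)


def _reply(req):
    # The server answers with its own IP and MAC as source, back to the firewall.
    return Frame(req.dst_mac, FIREWALL_MAC, req.dst_ip, req.src_ip, 80, req.src_port)


def run_virtual_ip_scenario(n_clients=3):
    """Clients hit IP.V; returns (forwarded requests, rewritten replies)."""
    ld = LocalDirector(VIRTUAL_IP, LD_MAC, SERVERS)
    forwarded, replies = [], []
    for i in range(n_clients):
        fwd = ld.inbound(_request(f"192.0.2.{10 + i}", 40000 + i, VIRTUAL_IP, LD_MAC))
        forwarded.append(fwd)
        replies.append(ld.outbound(_reply(fwd)))
    return forwarded, replies


def run_bridge_scenario():
    """Clients address the real servers directly; the LD only passes frames."""
    ld = LocalDirector(VIRTUAL_IP, LD_MAC, SERVERS)
    replies = []
    for i, (s_ip, s_mac) in enumerate(SERVERS):
        fwd = ld.inbound(_request(f"192.0.2.{10 + i}", 40000 + i, s_ip, s_mac))
        replies.append(ld.outbound(_reply(fwd)))
    return replies


if __name__ == "__main__":
    _, out = run_virtual_ip_scenario()
    for old, new in mac_changes_for_ip(out, VIRTUAL_IP):
        print(f"{VIRTUAL_IP} moved from {old} to {new}")
    print("bridge mode events:", mac_changes_for_ip(run_bridge_scenario(), VIRTUAL_IP))
```

With three clients spread over three servers, the virtual-IP scenario produces two "IP.V moved to a new MAC" events in a row; the bridge scenario produces none, which is the contrast Victor reports between the two modes. Where exactly a sniffer sits matters: a capture between the servers and the LD shows the real server IPs as source, while one between the LD and the firewall shows IP.V with the per-server MACs.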
At 09:32 AM 10/18/1999 -0400, Alba, Victor wrote:
>We are currently using a couple of Nokia's IP440 configured with VRRP in our
>Network; for the past two weeks we've been trying to inject into our Network
>a Load Balancing product (Cisco's LocalDirector) for our Web Server Farm.
>For some strange reason, whenever we inject LocalDirector into our
>topology and direct traffic to the 'Virtual IP' of LocalDirector (all HTTP
>requests are sent to the virtual IP and then LocalDirector directs traffic to
>the different servers) after 10 or 15 minutes the 'DMZ' interface on the
>Firewall shuts itself down for a period of 5 to 8 seconds at some odd
>intervals and for no apparent reason. The strange thing is that if we stop
>sending traffic to the 'virtual ip' of local director and just use it as a
>bridge the problem never shows up!
>
>Has anyone done something similar and got it to work? We've checked just
>about everything -including sniffer traces- and can't find anything that
>could help us understand what is provoking this unexpected behavior in the
>firewall.
>
>Cheers,
>-Victor
>-
>[To unsubscribe, send mail to [EMAIL PROTECTED] with
>"unsubscribe firewalls" in the body of the message.]